Hospital security in the 21st century – from cybertheft to bio-terror

Hospitals stand at a unique crossroads of cybersecurity, crime and, potentially, terror. Alongside a rapid shift to computerized prescriptions and electronic records, the hospital business is inherently complex, marked by privacy constraints as well as legacy IT infrastructure. In an era of cost cuts, hospital managers have also been tempted more by imaging scanners and surgical robots than by (invisible) firewalls and encryption systems.

by Ashutosh Sheshabalaya and Antonio Bras Monteiro

UCLA 2014: six years after Britney Spears, access still unhindered
As recently as 2014, after a massive hack, one of the world’s most prestigious hospitals, at the University of California Los Angeles (UCLA), acknowledged that its patient data was not encrypted.
At stake was data on 4.5 million patients, some dating to 1990. Six years previously, UCLA had paid out $865,000 (Euro 778,000) after an employee stole medical data on celebrities including singer Britney Spears and actress Farrah Fawcett, and put it up for sale.

Situation challenging in both US and Europe
Many hospitals are accepting they have a serious cybersecurity problem on their hands. This follows mounting public concern – especially in the US – about growth in hospital data theft.
Although American politicians have called for emulating some of Europe’s medical data security practices, the European situation hardly justifies complacency, as we shall see.

Data on 80 million patients hacked, 9.3 million offered for sale
In the broadest terms, healthcare lags other economic sectors in terms of information security. In the US, healthcare accounted for three of the top seven security breaches in 2015. During the year, just one hacking incident at insurer Anthem Inc. potentially compromised medical data on 80 million Americans.
The situation has since worsened. In June 2016, Baltimore-based privacy monitor Protenus reported a staggering 11 million patient records stolen in 29 incidents (24 at hospitals).
During the month, one hacker made two back-to-back online sale offers – for 655,000 medical records, followed a few weeks later by 9.3 million records. The numbers are of course impressive. However, as the hacker underlined to DarkNet news aggregator DeepDotWeb, this was only a start. ‘A lot more,’ he said, was still ‘to come.’

Identity theft – from drugs, explosives and insurance claims to duplicated you-and-me
One of the biggest risks is identity theft. Data on patients, including names, birth dates, social security and insurance policy numbers, diagnostic, treatment and credit card information, can be misused in several ways. Criminals also have an easy choice. If a target refuses to pay ransom, hackers can still sell the data.
Stolen IDs are used to buy drugs and equipment for resale, or to make insurance claims. Certain prescription medicines can be converted into synthetic addictive drugs, or especially potent explosives.
A basic identity kit sells for $1,500 (Euro 1,350), though certain medical data can raise the price dramatically. This compares to the couple of dollars sought for basic credit card information. Identity kit data can be used to professionally forge follow-on credentials such as new credit cards and lines of credit, insurance and social security subscriptions, driving licenses, marriage certificates (for illegal immigrants) and passports.
Giving criminals the luxury of time, medical identity theft is seldom noticed quickly, again unlike credit cards. Personal medical information, moreover, can be tailored to follow up with blackmail and other kinds of demands.

A fast-growing and expensive problem
A February 2015 study by Ponemon Institute, a think-tank on data protection, shows US medical identity theft rising at about 20% annually since 2012. An estimated 2.3 million adults were affected by medical identity theft in 2014, up from 1.4 million in 2009.
The cost to patients is substantial. Ponemon found medical identity theft costing an average of $13,500 (Euro 12,150) in out-of-pocket legal expenses and financial losses.

Endangering patients
Beyond costs lie other dangers. These are often exacerbated by delays in hospitals informing patients about medical data theft. As we shall see, such a lapse is hardly rare, and victims can end up with a thief’s health data incorporated into their own. A patient record may show a diabetic as being diabetes free; misinformation about allergies or blood type is potentially fatal.
Reversing this is not always straightforward.
In summer 2015, the ‘Wall Street Journal’ reported an identity theft at Centerpoint Medical in Independence, Missouri, which led to erroneous billing for a non-existent injury. Although the error was pointed out to the hospital in January 2014, the hospital and a collections agency remained in hot pursuit of payments – and interest – until the year end.
The intervention by the influential US newspaper led to Centerpoint dropping the bills and charges. However, when the (real) patient’s record was found to contain wrong information about an allergy, a review was not permitted, in order to protect the thief’s health information – covered by the privacy provisions of HIPAA (Health Insurance Portability and Accountability Act).

USBs, laptops – physical theft remains a major problem
In spite of such growing threat awareness, risk management remains immature. Most hospitals lack controls to prevent data transfer to small, high-capacity USB sticks and CD-ROMs, or to control what laptops may access. Indeed, Department of Health and Human Services (HHS) data show that over 40% of US medical data breaches involve portable media devices.
One good example is Chicago’s Advocate Medical Group, where a laptop theft from an ‘unmonitored’ room in 2013 led to the loss of data, including social security numbers, on 4 million people. Advocate Medical took one month to notify patients, although many faced a clear risk of identity theft.

No encryption, not even passwords
One year previously, Howard University Hospital notified 35,000 patients that their medical data had been compromised, after a contractor at the hospital downloaded files onto a personal laptop, which was then stolen. The data included names, addresses, Social Security numbers and medical information. It was password-protected but unencrypted.
Several non-technical hospital staff, unfortunately, remain unaware of this crucial difference. A password gate is enforced by the application that opens the file; whoever holds the stolen disk or USB stick can simply read the stored bytes directly, bypassing the application altogether. Only encryption of the data itself, with the key kept outside the stolen device, makes the bytes useless to the thief.
For example, at the end of 2013, Kaiser Permanente’s Anaheim Medical Center reported a breach of 49,000 records from an unencrypted, missing USB drive. A similar situation occurred again in May 2016, when 29,000 emergency room patient records were compromised at Indiana University’s Arnett Hospital after being ‘accidentally’ downloaded to a USB drive. This time the data was neither encrypted nor password protected.
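To make that distinction concrete, the following is an added example in Go (not code from the original article or from any of the hospitals named): a ‘password-protected’ store that checks a password in the application but keeps the record in clear, beside an AES-256-GCM store whose key is held outside the file. The patient record, the password and the key are constructed for the demonstration, and a search of the raw file bytes for the Social Security number stands in for what a thief with a stolen laptop or USB stick can do. Where the key would really live (a TPM, OS keychain or full-disk encryption key store) is an assumption of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed sample record for the demonstration; not a real patient.
var sampleRecord = []byte("name=Jane Doe;ssn=123-45-6789;allergy=penicillin")
var sampleSSN = []byte("123-45-6789")

// gatedFile models a "password-protected" file: the application refuses to
// display the record without the password, but the bytes on disk are plaintext.
type gatedFile struct {
	pwHash [32]byte
	data   []byte
}

func newGatedFile(password string, record []byte) *gatedFile {
	return &gatedFile{
		pwHash: sha256.Sum256([]byte(password)),
		data:   append([]byte(nil), record...),
	}
}

// Open enforces the password check, which is the only protection this design has.
func (f *gatedFile) Open(password string) ([]byte, error) {
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], f.pwHash[:]) != 1 {
		return nil, errors.New("wrong password")
	}
	return f.data, nil
}

// Bytes is what a thief sees when the disk is read directly, bypassing the application.
func (f *gatedFile) Bytes() []byte { return f.data }

// encryptedFile models the record encrypted at rest with AES-256-GCM. The key is
// never written into the file (assumed to live in a TPM, keychain or disk-encryption
// key store, outside the stolen device).
type encryptedFile struct {
	nonce      []byte
	ciphertext []byte // includes the GCM authentication tag
}

func newEncryptedFile(key, record []byte) (*encryptedFile, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &encryptedFile{nonce: nonce, ciphertext: gcm.Seal(nil, nonce, record, nil)}, nil
}

// Open fails on a wrong key and on any tampering with nonce or ciphertext.
func (f *encryptedFile) Open(key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.nonce, f.ciphertext, nil)
}

// Bytes is the on-disk content: nonce followed by ciphertext and tag.
func (f *encryptedFile) Bytes() []byte {
	return append(append([]byte(nil), f.nonce...), f.ciphertext...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randomKey returns a fresh 256-bit key from the OS CSPRNG.
func randomKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// leaksSSN reports whether the raw bytes expose the SSN without any password or key.
func leaksSSN(raw []byte) bool { return bytes.Contains(raw, sampleSSN) }

func main() {
	gated := newGatedFile("hunter2", sampleRecord)
	fmt.Println("password-protected file leaks SSN from raw bytes:", leaksSSN(gated.Bytes()))

	key, err := randomKey()
	if err != nil {
		panic(err)
	}
	enc, err := newEncryptedFile(key, sampleRecord)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted file leaks SSN from raw bytes:", leaksSSN(enc.Bytes()))
	if _, err := enc.Open(make([]byte, 32)); err != nil {
		fmt.Println("opening with the wrong key:", err)
	}
}
```

The first store prints `true`: the password check lives in the code path, not in the data, so a stolen disk gives up the record to any hex editor. The second prints `false`, and a wrong key or a flipped ciphertext byte makes `Open` fail rather than return garbage, which is why full-disk or file-level encryption, not a login prompt, is the control that would have contained the Howard University and Kaiser losses.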

Europe has similar problems as US
The situation in Europe, too, is hardly encouraging. As far back as 2007, Britain’s Nottingham University Hospitals Trust faced the theft of a USB stick holding patient data from a doctor. The theft came to light after a whistle-blower wrote to the ‘British Medical Journal’ and noted that it was common for doctors to carry patient data around on USB sticks in order to permit patient hand-overs. Although the Trust’s policy required confidential data on USB sticks to be stored with 128-bit encryption and used solely on hospital computers, only the naive (continue to) believe that enforcing such a policy is possible.
One year later, a manager at Colchester Hospital in Essex was sacked after his laptop containing medical data was stolen by thieves who broke into his car while he holidayed in Edinburgh. At the time, the hospital’s CEO said the sacking was a clear endorsement of ‘how seriously’ he took ‘security and patient confidentiality.’ However, there was no explanation of why private medical data was present, and in unencrypted form at that, on the laptop of a holidaying executive, when it could well have been accessed via a secure online network.

Theft of laptop with 8.3 million (unencrypted) UK records
The quantity of physical data theft from UK hospitals also continues to grow, even as security practices remain stuck. In 2011, an (unencrypted) laptop was stolen from an (unlocked) office in the headquarters of Central London NHS (National Health Service). The laptop contained hospital records of 8.3 million identifiable patients.
Overall, according to an investigation by ‘Pulse’ magazine, 55 UK hospitals have reported breaches, including records dumped in public places, or provided to the wrong patients.
The lack of a risk management policy was demonstrated emphatically in April 2014. In spite of claims that the (massive) UK national records database ‘has never been compromised,’ Freedom of Information disclosures showed four serious medical data security breaches since 2009.

French hospitals: laconic about cybercrime

France, too, is in a similar quandary. It is implementing a single national medical database with information on 66 million residents. This complements an electronic medical record (known as DMP 2) with an open architecture intended to make it easier to share data among hospitals and healthcare professionals.
In May 2016, the journal ‘Le Nouvel Observateur’ noted that, although several French hospitals had been targeted by cybercriminals, there was a deafening silence about the issue. In addition, it said, there was little clarity about whether patients would be informed in case of a data breach. What was especially alarming was that only 50 experts were responsible for computer security at 1,000 French hospitals.

US Senate tightens the screws at end of 2012
In the US, meanwhile, although the privacy of medical health data is codified by HIPAA and reporting rules from 2009 require hospitals to notify both the authorities and the media if a data breach affects 500 or more patients, there are no requirements for criminal prosecution.
Until November 2012, in spite of more than 22,000 complaints about HIPAA privacy violations, the US government had imposed just one fine. During that month, after a particularly feverish spell of attacks, the US Senate took HHS to task in a public hearing. By June 2013, HHS had levied fines totalling over $1.5 million (Euro 1.35 million).

Howard University hospital attacked twice in 2012
2012, the year of the Senate hearings, was clearly a turning point in US attention to medical data safety.
In May, prosecutors charged Laurie Napper, a technician at Howard University Hospital, with using her position at the hospital to gain access to patients’ names, addresses and Medicare numbers and selling this information. This was only a few months after the same hospital had notified 35,000 patients about their medical data being compromised.

US military medical records compromised
In November 2012, TRICARE, the health insurer for the US military, announced the theft of backup computer tapes with 5 million names, Social Security numbers, and, in some cases, clinical notes and lab test results. The fact that these records also contained the home addresses of military personnel added another category of security risk to the theft.

Whether due to larger fines for medical privacy violations and/or a fast-growing number of cybercriminals, Ponemon Institute found that 40% of US healthcare organizations reported a criminal cyber attack in 2013, twice the 20% level of 2009.

After Chinese attack, FBI heightens attention to hospital cybersecurity
One key development has been the FBI’s entry in 2014 into hospital cybersecurity. One of the trigger events was a theft by Chinese hackers of data on 4.5 million patients held by one of the US’ largest hospital operators, Community Health Systems Inc.
Soon after, as noted previously, US health insurance giant Anthem Inc. reported what may be the biggest medical record hack in the world. Anthem holds data on 80 million Americans, including names, dates of birth, Social Security numbers, Medicare and health plan identification numbers as well as diagnostic and medical/surgical procedural data. Ironically, only a few weeks before, Anthem’s CEO announced that his company and the health insurance industry ranked at the end of the list in customer service.
The risk of attacks by hostile foreign interests was, however, not new. Indeed, in the tipping point year of 2012, Utah’s Department of Health reported that hackers from eastern Europe had stolen medical information on 800,000 people, or almost 25% of the State’s residents.

Shutting down a hospital: the problem of ransomware

Beyond medical identity theft lies ransomware, which may be the fastest growing security risk. Rather than stealing data, ransomware locks down systems and encrypts files. Typically, a pop-up screen then demands ransom in exchange for a key to decrypt files and return access to a user.
Ransomware offers one of the best risk-reward portfolios for criminals who target hospitals. The technology is relatively unsophisticated and versatile, and hackers can make money quickly via extortion rather than seeking to sell data on the black market.
In February 2016, Hollywood Presbyterian Medical Center called in the FBI after ransomware forced its IT systems offline. Physicians could not access electronic records or communicate via email. Some emergency patients were diverted to other hospitals while outpatients missed treatments. Although early reports of a $3.6 million (Euro 3.24 million) ransom were later revised down to a payment of $17,000 (Euro 15,300), the fact that ransom money was paid at all is likely to increase the risk of copycat cybercriminals. The FBI recommends that organizations do not pay ransom.
At the end of March, MedStar Health, a ten-hospital group in Maryland with over 100 outpatient facilities and 30,000 staff, became the largest medical entity to be successfully attacked by ransomware. Though MedStar stated there was ‘no evidence of compromised information,’ the bulk of its electronic operations was shut down. This time too, the FBI was called in.
By June 2016, at least a dozen US hospitals had been targeted by ransomware. The number is likely to grow.

Ransomware forces German hospital to use pen and paper, postpone surgeries
The threat of ransomware is also serious in Europe.
In February 2016, the respected German publication ‘Deutsche Welle’ (DW) reported that a number of hospitals in the country had fallen prey to ransomware, disrupting core healthcare services and internal systems. DW named several leading hospitals, including the Lukas Hospital in Neuss and the Klinikum Arnsberg hospital in North Rhine-Westphalia.
The Lukas Hospital was forced to revert to phone calls, fax and pen-and-paper records for several weeks, with high-risk surgeries postponed until handwritten notes had been filed.
On the other hand, Klinikum Arnsberg fared far better. A quick response saved it after the ransomware, entering via email, was detected on one server. All other servers, some 200 in total, were switched off to prevent contagion.

From IP to terror: other cyber-risks associated with healthcare
The healthcare threat spectrum extends beyond hospitals.
In October 2013, the US Food and Drug Administration (FDA) reported an alarming security breach at its Center for Biologics Evaluation and Research. The hack compromised 14,000 accounts, including proprietary pharmaceutical company data.
Issues of intellectual property (drug formulae, manufacturing processes etc.) and trade secrets are of evident interest to competitors, both at home and abroad. This is not a trifling matter, given the billions of dollars spent in developing and marketing a drug, and the billions more expected from its sale.
The interest in biologics in particular, shown by the hack at the FDA, has been of concern since several biologic products have recently begun to come off patent, while many more are expected to do so in the future.
Last but not least, biological products include vaccines – with all their attendant implications for terrorist attacks. At the end of May, one of France’s biggest hospitals, the Pitie-Salpetriere in Paris, was subject to a break-in at a laboratory storing bacteria. In November 2015, just after the Paris terrorist attacks, another city hospital, Necker, had reported the theft of Hazmat suits – which can be used to protect against bacteria/biowarfare agents. Whether there is a connection between the two is something one can only speculate about.
There will no doubt be other risks. For example, we know of one case of theft of a hospital’s fire safety plans. These identified storage areas for radioactive substances and hazardous waste. Here again, the authorities seem to be at a loss.
Until hospitals and other actors in the healthcare industry develop and implement security best practices, the threat of disruptions, caused by petty criminals and ranging through to foreign corporate spies and terrorists, will clearly persist.

The authors
Ashutosh Sheshabalaya and Antonio Bras Monteiro
SolvX Solutions
Email: office@solvx.com

SolvX provides security and risk consulting services out of offices in Europe, the Middle East and Asia.