CHAVA: Security officials warn this could be the year we see more cyber security attacks in the healthcare sector.
CAMILLE: In February, the health insurance provider Anthem announced that nearly 80 million medical records were compromised after its database was hacked.
CHAVA: Arianna Skibell reports the healthcare industry is behind the times when it comes to protecting its data.
__
Don Jackson is the director of threat intelligence with the cybercrime protection agency PhishLabs. He says the healthcare world is in the business of saving lives, not necessarily protecting data.
Jackson: As an industry sector as a whole, security has not been a part of the culture.
The healthcare sector is made up of a network of players: doctors, insurance providers, hospital administrators. They exchange a lot of data, and there are a lot of ways to get at it.
Jackson: Healthcare networks have enormous numbers of doors and windows and very few people patrolling.
The guys after social security numbers are called black hat hackers. Jackson says if they manage to jimmy a lock or bust through a firewall, a treasure trove of information awaits.
Jackson: Healthcare is one of those industries that has a very rich number of data fields and very rich information on individuals, usually all in one place. So rather than breaking into 3 different systems using triple the number of techniques, it’s very attractive to be able to find all of that information in one place.
Once our bad guy gets his hands on all that data, he can sell it on the black market for a pretty penny.
Krehel: I just want to show you a few examples of how these records are sold.
Ondrej Krehel is a cybersecurity detective. We’re sitting in a conference room as he pulls up tabs on his computer. His screen is hidden by a tinted Plexiglas sheet.
Krehel: Alright, so let’s take the privacy screen off. So one of the forms that’s very well known is called Pastabin. And here you actually can see literally, the list and the pricing for the various datasets. These are credit card numbers. So what hackers do, they chop them into the pieces. So you can buy the whole set, you can buy a subset.
Skibell: So right here it says ICCUS Fullz $18 …is that a full record?
Krehel: That would be a full record. Correct.
Skibell: So what kind of information goes into that?
Krehel: Generally that would include social security, date of birth, maybe the drivers license, some of the relatives information that could be bundled with it. Might have an email, might have credit card data for that individual. So for $18 you could have complete lock on that person.
The good news is the law that governs the medical industry, known as HIPAA, now provides incentives for data encryption. The bad news, it’s not required. When a breach happens, companies with encrypted data won’t be fined and won’t have to publicize the breach. Anthem did not encrypt its data, so it had to come clean and pay up. But this incentive is not always enough. Jackson of PhishLabs says companies are reluctant to encrypt because processing that data slows down transactions and can be a hassle, sometimes it doesn’t feel worth it.
Jackson: If you’re not required to encrypt any of that other information, you’re probably not going to, it just doesn’t make sense.
Some companies will encrypt select data, usually medical records. But that’s not what cybercriminals are after.
Jackson: They really don’t care if you broke your toe or if you’ve been in drug treatment. They’re really more after the personal information and the payment information.
And encryption isn’t actually the ultimate safeguard. In the Anthem breach, cybercriminals sidestepped those controls by gaining access to a privileged account, basically finding a key and slipping right through the back door. Avivah Litan, a security analyst with the firm Gartner, says encryption wouldn’t have helped.
Litan: It doesn’t do you any good to encrypt data if the bad guy takes over an account that can read decrypted data. So certainly encryption is a good thing but it’s only one piece of the puzzle.
And if black hat uses the back door approach, encryption does nothing. It’s like wearing a life vest to run a marathon. But companies are still rewarded by HIPAA for wearing the life vest. They aren’t required to tell their clients of the breach. And Jackson from PhishLabs says in some cases, they may not even know themselves.
Jackson: So if somebody takes my doctor’s paper file, and steals it, you notice. The paper file is not there anymore. When someone steals data, they don’t actually take it. Generally, they just make a copy and there’s no sign that it’s been stolen.
When Anthem was breached, a staff member happened to notice to breach. But Litan says there is technology out there than can automatically detect these stealthier back door black hacks.
Litan: And that’s been happening in the fraud world for years, like your credit card company. I’m sure you’ve gotten a call once and a while. Someone’s using your credit card in a strange way. And that’s behavioral analytics.
Behavior analytics profiles normal user behavior and then compares all transactions to that original profile. Litan says she has not seen this technique implemented in the healthcare world yet. Dale Nordenberg, the director of a medical safety and security consortium, says there has movement on this front.
Nordenberg: There’s clear policy evidence that the government is taking this seriously, nearly every major department or agency in our government are all implementing programs around cyber security for both privacy and safety.
But outside of government, in the medical sector, implementation has been uneven. The National Institute of Standards and Technology issued a security framework intended to build on HIPAA’s base guidelines. The American Medical Association has not laid out best practices. But the American Hospital Association has.
Cyber security experts say best practices aren’t much good, if people aren’t using them.
Arianna Skibell, Columbia Radio News