Thursday, March 28, 2019

Lack of Healthcare Security Awareness


            For week #2’s blog post I decided to write about the state of cybersecurity awareness in the medical field. I chose this topic because I have personally seen a lack of knowledge about security from a medical professional. In this instance, I was at the hospital while the nurse was checking my vitals. We were making small talk, and she asked what I did for a living. I told her I was a cybersecurity operator. She began to make comments about how worried she was about things like the Equifax hack that may personally affect her. We discussed how lucrative that information is to a hacker. I then asked her what she thought the most lucrative files were to a hacker. She mentioned her financial records. I pointed out to her that it was actually our health care files. According to the FBI, electronic health records can sell for $50 on the black market compared to just $1 for a stolen social security number or credit card (Ackerman, 2018). She then asked me: “Why would anyone want my healthcare records?”

            This, I find, is a major problem. Someone who works in the healthcare industry should know what valuable information a medical record contains. While it is a record of our health and medical history, there is more to it than that. Looking at the image below, you can see what sections are in your file (Hicks, 2019).




            As you can see, this is a wealth of valuable information for an attacker. The first section is something hackers are always trying to acquire, since they can use it to steal your identity and do a great deal of damage. However, the other sections can provide even more sensitive information about you. Look at the medical history portion. The first thing listed is allergies. If you are a high-value target, think about what a nefarious attacker could do with that. For example, I am highly allergic to bee venom. If someone wanted to harm me, they could make it look like a completely natural death. Admittedly, this is an extreme case, and I am not valuable enough for someone to use that against me. However, if you have a pacemaker, it would be included in this section too. For example, doctors disabled the wireless function of former U.S. Vice President Dick Cheney’s pacemaker out of concern that someone could target him through the device (Ackerman, 2018).



Figure 2 (Ackerman, 2018)

       It has been proven that a pacemaker can be hacked. I mentioned this in a previous blog a few years ago, yet it is still happening. Two researchers have shown that they can remotely control implanted pacemakers by installing malware on the device itself, delivering shocks the patient does not need or withholding the ones they do (Newman, 2018). They debated bringing in a live pig and killing it using an application on an iPhone; of course, they chose not to. Several other medical devices can be hacked as well: drug infusion pumps, MRI systems, heart rate monitors, and even entire hospital networks. A perfect example of the last one is the WannaCry attack. It locked health care providers out of their own systems, preventing medical staff from getting any patient information. It was estimated that 19,000 appointments were cancelled, including 139 for people potentially with cancer, and ambulances were diverted (BBC News, 2017). This brings me back to the allergies I discussed above. If you have a latex allergy and are rushed to a hospital whose records are locked up, it would be dangerous to your health if the doctor, unable to see your file, used latex gloves. The availability of the record matters as much as its confidentiality. Thus, as you can see, security awareness in the health care industry should be taken seriously.

            The easiest fix is simply training, so that employees are aware of exactly what they are protecting. There was no excuse for the nurse not knowing that my medical records were attractive to hackers. “The security level of a medical care facility is directly related to the extent to which employees participate in the security effort” (Ashraf, 2016). This made me skeptical of the security at my hospital when the nurse did not know that information. The same concept applies to patching and updating systems; that alone could have prevented much of the impact WannaCry created.

            Hospitals need to create security programs too. These should focus on exposing the hospital workforce to the threats that their patients and their patients’ records face. This includes cyber awareness training to counter things like phishing emails, which staff could open and thereby infect their systems with ransomware (WannaCry itself spread over the network, but phishing is the usual delivery route for ransomware). In fact, hospitals face the same threats every other company faces; they are simply a higher-value target. Nurses, doctors, and administrators need to understand this fact. I know I currently get annual cyber awareness training, yet I am always aware of current threats. I personally believe the medical field should have to go through training twice a year. Staff should also receive notifications about any breaches, to help them understand the importance and value of the information they protect. It has been found that employee training on cyber security reduced the risk of an attack by 25 percent (Fahey, 2016).


References



Ackerman, R. (2018, August 9). The healthcare industry is in a world of cybersecurity hurt. Retrieved from TechCrunch: https://techcrunch.com/2018/08/09/the-healthcare-industry-is-in-a-world-of-cybersecurity-hurt/

Ashraf, A. (2016, September 27). Security Awareness for Healthcare Facilities. Retrieved from INFOSEC: https://resources.infosecinstitute.com/category/healthcare-information-security/security-awareness-for-healthcare-professionals/security-awareness-for-healthcare-facilities/

BBC News. (2017, October 27). NHS 'could have prevented' WannaCry ransomware attack. Retrieved from BBC News: https://www.bbc.com/news/technology-41753022

Fahey, R. (2016, September 8). Top Cyber Security Risks in Healthcare. Retrieved from INFOSEC: https://resources.infosecinstitute.com/category/healthcare-information-security/healthcare-cyber-threat-landscape/top-cyber-security-risks-in-healthcare/

Hicks, J. (2019, January 21). The Basic Components of a Complete Medical Record. Retrieved from Verywell Health: https://www.verywellhealth.com/importants-parts-of-a-medical-record-2317249

Newman, L. H. (2018, August 9). A New Pacemaker Hack Puts Malware Directly on the Device. Retrieved from Wired: https://www.wired.com/story/pacemaker-hack-malware-black-hat/



Friday, March 15, 2019

Security or Privacy? What is the meaning of this?

Summary: This blog discusses the difference between privacy and security. Security is what is used to protect your privacy.

So, for this week one blog I wanted to focus on the difference between security and privacy in the healthcare industry. I actually started this blog about healthcare information security when I took CIS608 in 2017. I chose the topic because in 2006 my personal health information was possibly compromised. I say possibly because they had no idea what was actually taken, only that there had been a breach. So of course, the fix was to monitor your credit information, except back then they did not offer the funds to do so. If you read my blogs dating back to CIS608 you will see that not much has changed and, in fact, breaches are still quite common. So, what is the difference between privacy and security?

              The way I tend to think about it is that security helps to defend your privacy. One way to look at this is a fence, like the image above retrieved from http://cyntell.com/blog/privacy-versus-security/. A plain fence provides security from intruders entering your property; it serves as a barrier. However, outsiders can still see inside the fence, so perhaps they see you when you sunbathe. That is something you probably prefer your neighbors or strangers not to see, so you would install a privacy fence instead. A privacy fence is typically slatted from both sides so that you cannot see through the gaps a normal fence leaves. This is privacy: it allows you to do what you want, and keep what you have in your yard, without being seen. Security programs are designed to protect the informational assets an organization collects and maintains, whereas a privacy program is focused on the personal information those assets contain (Siegel, 2016). So how does this apply in the medical field?
              The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, is the way privacy and security are addressed in law. From that law the U.S. Department of Health & Human Services (HHS) established several different rules. Two of those rules that are applicable to this blog are the Privacy Rule of December 2000 and the Security Rule, which was published in February 2003.
You can find a lot of information on the Privacy Rule directly from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. According to their site, the information that is protected includes “demographic data that relates to an individual’s past, present, or future physical or mental health or condition”, “the provision of health care to the individual”, and even payments. So, therapist notes or your medical records are considered protected health information and can’t be released without your authorization, with the exception of a few special cases, for example if you are a serious threat to health or safety.
The HHS Security Rule can also be found at https://www.hhs.gov/hipaa/for-professionals/security/index.html. It “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity”. As that statement says, it only applies to electronic health data. It aims to protect the CIA triad (confidentiality, integrity, and availability) of that data. It covers electronic protected health information (ePHI), that is, health data that can be linked to you. It requires several different types of safeguards: administrative, physical, and technical. Administrative safeguards include assigning a security official and conducting evaluations (audits) to confirm the requirements are being met. Physical safeguards primarily deal with physical access to facilities and systems. Technical safeguards include measures that protect the data itself, such as access controls, audit logging, and encryption.
Both of these rules have pages of information about them. I just highlighted some of it to help explain the difference between the two. So, to break this down, the things I am allergic to are my private information. Security is what protects that information: making sure that medical personnel have to pass some sort of authorization check to access those files, and making sure that when the information is transferred, it is protected in transit. This is also the reason medical offices typically ask if you are willing to share your information. You can deny this option; however, a good reason to allow it is quick access to those files. For example, if you were injured in another state, your medical provider could send them your files if you had signed an authorization allowing them to do that. They have the responsibility to protect that information when they do send it.
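As an added example (not part of the original post, and not any hospital's real code), here is a small Python model of the technical safeguards just described: a role-based authorization check before a record is read, "minimum necessary" filtering of the fields each role may see, a patient's signed authorization before a copy is released to an outside provider, and an audit trail of every attempt, allowed or denied. The roles, the field policy, the recipient names and the sample patient record are all assumptions constructed for the demonstration.

```python
"""Toy EHR access layer: authorization, minimum-necessary views, consent, audit.

Added example; all roles, policies and records are constructed assumptions.
"""
from datetime import datetime, timezone
from typing import Dict, List, Set

# Fields each role may see. Assumed "minimum necessary" policy for the example.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "nurse": {"name", "allergies", "medications", "vitals"},
    "doctor": {"name", "allergies", "medications", "vitals", "history"},
    "billing": {"name", "insurance_id"},
}


class AccessDenied(PermissionError):
    """Raised when policy forbids an access; the attempt is still audited."""


class EhrStore:
    """In-memory record store with authorization, consent and audit controls."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}         # patient_id -> record fields
        self._release_to: Dict[str, Set[str]] = {}  # patient_id -> authorized recipients
        self.audit: List[dict] = []

    def add(self, patient_id: str, record: dict, release_to: Set[str] = frozenset()) -> None:
        self._records[patient_id] = dict(record)
        self._release_to[patient_id] = set(release_to)

    def _log(self, actor: str, patient_id: str, action: str, outcome: str, detail: str) -> None:
        # Audit controls: every attempt is recorded, including denials.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "patient": patient_id,
            "action": action, "outcome": outcome, "detail": detail,
        })

    def read(self, actor: str, role: str, patient_id: str) -> Dict[str, str]:
        """Return only the fields the caller's role is allowed to see."""
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            self._log(actor, patient_id, "read", "denied", f"unknown role {role!r}")
            raise AccessDenied(f"role {role!r} is not authorized")
        record = self._records.get(patient_id)
        if record is None:
            self._log(actor, patient_id, "read", "denied", "no such patient")
            raise AccessDenied("no such patient")
        view = {k: v for k, v in record.items() if k in allowed}
        self._log(actor, patient_id, "read", "allowed", f"fields={sorted(view)}")
        return view

    def release(self, actor: str, role: str, patient_id: str, recipient: str) -> Dict[str, str]:
        """Copy a record to an outside provider only if the patient signed for it."""
        if recipient not in self._release_to.get(patient_id, set()):
            self._log(actor, patient_id, "release", "denied", f"no authorization for {recipient}")
            raise AccessDenied(f"patient has not authorized release to {recipient}")
        view = self.read(actor, role, patient_id)  # sender's own role still limits the copy
        self._log(actor, patient_id, "release", "allowed", f"to={recipient}")
        return view


def demo() -> dict:
    """Exercise allow and deny paths on a constructed sample record."""
    store = EhrStore()
    store.add("p-001", {
        "name": "Sample Patient", "allergies": "bee venom, latex",
        "medications": "none", "vitals": "BP 120/80",
        "history": "pacemaker implanted 2015", "insurance_id": "INS-0001",
    }, release_to={"out-of-state-clinic"})

    nurse_view = store.read("nurse01", "nurse", "p-001")
    denied = []
    for attempt in (
        lambda: store.read("kiosk", "vendor", "p-001"),                         # role not in policy
        lambda: store.release("dr01", "doctor", "p-001", "marketing-partner"),  # no patient consent
    ):
        try:
            attempt()
            denied.append(False)
        except AccessDenied:
            denied.append(True)
    released = store.release("dr01", "doctor", "p-001", "out-of-state-clinic")
    return {
        "nurse_view": nurse_view,
        "denied": denied,
        "released": released,
        "audit": [(e["action"], e["outcome"]) for e in store.audit],
    }


if __name__ == "__main__":
    for entry in demo()["audit"]:
        print(entry)
```

The nurse never sees the insurance identifier, an unknown role gets nothing, and a release to a party the patient did not sign for fails before any data is touched; every one of those decisions, including the refusals, lands in the audit list, which is the part an auditor would ask for. Protecting the copy in transit (TLS between the two providers) is outside what this offline example can show.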
So, you may be asking why these rules even matter. As I mentioned in the beginning, my medical records were potentially compromised. Do you know what kind of information is in these files? They contain social security numbers, home addresses, and your health history, including family history. Thus, there is very lucrative information there. In fact, according to https://www.cnbc.com/2014/05/29/hackers-are-coming-after-your-medical-records.html, medical records were selling for $20 on the black market. It also does not help that medical providers have weak security. Take the WannaCry ransomware, which spread through a Windows SMB vulnerability that Microsoft had patched two months earlier (MS17-010), so unpatched and unsupported systems such as Windows XP were exposed. Many health care organizations still run such older systems. In fact, looking at the chart below, it is projected that medical breaches will impact 1 in 13 patients over 5 years (https://www.computerworld.com/article/3090566/hackers-are-coming-for-your-healthcare-records-heres-why.html).

              In conclusion, knowing the difference between security and privacy is important with regard to medical information. Knowing what is important to protect and how to protect it is crucial to protecting everyone’s health information. Hopefully laws like HIPAA force medical providers to do a better job securing our privacy.