Thursday, March 28, 2019

Lack of Healthcare Security Awareness


For week #2’s blog post I decided to write about the state of cybersecurity awareness in the medical field. I chose this topic because I have personally seen a lack of knowledge about security from a medical professional. In this instance, I was at the hospital while the nurse was checking my vitals. We were making small talk, and she asked what I did for a living. I told her I was a cybersecurity operator. She began to make comments about how worried she was about things like the Equifax hack that might personally affect her. We discussed how lucrative that information is to a hacker. I then asked her what she thought the most lucrative files were to a hacker. She mentioned her financial records. I pointed out to her that it was actually our health care files. According to the FBI, electronic health records can sell for $50 on the black market compared to just $1 for a stolen social security number or credit card (Ackerman, 2018). She then asked me: “Why would anyone want my healthcare records?”

I find this to be a major problem. Someone who works in the healthcare industry should know what valuable information a medical record contains. While it is a record of our health and medical history, there is more to it than that. Looking at the image below, you can see what sections are in your file (Hicks, 2019).




As you can see, this is a wealth of valuable information for an attacker. The first section is something that hackers are always trying to acquire, since they can use it to steal your identity and create a lot of damage. However, the other sections can provide even more vital information about you. Look at the medical history portion. The first thing mentioned is allergies. If you are a high-value target, think about what a nefarious attacker could use that for. For example, I am highly allergic to bee venom. If someone wanted to harm me, they could make it look like a completely natural death. Admittedly, this is an extreme case, and I am not valuable enough for someone to use that against me. However, if you have a pacemaker, it would be included in this section. For example, doctors disabled former U.S. Vice President Dick Cheney’s pacemaker’s wireless capability out of concern that someone could target him via the device (Ackerman, 2018).



Figure 2 (Ackerman, 2018)

It has been proven that a pacemaker can be hacked. I mentioned this in a previous blog a few years ago, yet it is still occurring. Two researchers have proven that they can remotely control implanted pacemakers by installing malware on the device itself, either delivering shocks that patients don’t need or withholding the ones they do need (Newman, 2018). They debated bringing in a live pig and killing it using an application on their iPhone; of course, they chose not to. There are several other dangerous medical devices that can be hacked: drug infusion pumps, MRI systems, heart rate monitors, even hospital networks. A perfect example of the last one is the WannaCry attack. This locked health care providers out of their own systems, preventing medical providers from getting any patient information. It was estimated that 19,000 appointments were cancelled, including those of 139 people potentially with cancer, and ambulances were diverted (BBC News, 2017). Consider the allergies I discussed above: if you have an allergy to latex and are rushed to a hospital that cannot access your record, it would be dangerous to your health if the doctor used latex gloves. Thus, as you can see, security awareness in the health care industry should be taken seriously.

The easiest fix is training to make employees aware of exactly what they are protecting. There was no excuse for the nurse not knowing that my medical records were attractive to hackers. “The security level of a medical care facility is directly related to the extent to which employees participate in the security effort” (Ashraf, 2016). This made me skeptical of the security at my hospital when the nurse did not know that information. A similar concept applies to patching and updating systems. This could have prevented the impact that WannaCry created.

Hospitals need to create security programs too. These should focus on exposing the hospital workforce to the threats that their patients and their patients’ records face. These include cyber awareness training to prevent things like phishing emails, which employees could open and infect their systems with malware like WannaCry. In fact, hospitals face the same threats that other companies face; they are just a higher-value target. Nurses, doctors, and administrators need to understand this fact. I currently get annual cyber awareness training, and I am always aware of current threats. I personally believe that the medical field should have to go through training twice a year. They should also receive notifications about any breaches, to help them understand the importance and value of the information they protect. It has been found that employee training on cyber security reduced the risk of an attack by 25 percent (Fahey, 2016).


References



Ackerman, R. (2018, August 9). The healthcare industry is in a world of cybersecurity hurt. Retrieved from Tech Crunch: https://techcrunch.com/2018/08/09/the-healthcare-industry-is-in-a-world-of-cybersecurity-hurt/

Ashraf, A. (2016, September 27). Security Awareness for Healthcare Facilities. Retrieved from INFOSEC: https://resources.infosecinstitute.com/category/healthcare-information-security/security-awareness-for-healthcare-professionals/security-awareness-for-healthcare-facilities/

BBC News. (2017, October 27). NHS 'could have prevented' WannaCry ransomware attack. Retrieved from BBC News: https://www.bbc.com/news/technology-41753022

Fahey, R. (2016, September 8). Top Cyber Security Risks in Healthcare. Retrieved from INFOSEC: https://resources.infosecinstitute.com/category/healthcare-information-security/healthcare-cyber-threat-landscape/top-cyber-security-risks-in-healthcare/

Hicks, J. (2019, January 21). The Basic Components of a Complete Medical Record. Retrieved from Verywell Health: https://www.verywellhealth.com/importants-parts-of-a-medical-record-2317249

Newman, L. H. (2018, August 9). A New Pacemaker Hack Puts Malware Directly on the Device. Retrieved from Wired: https://www.wired.com/story/pacemaker-hack-malware-black-hat/



Friday, March 15, 2019

Security or Privacy? What is the meaning of this?

Summary: This blog discusses the difference between privacy and security. Security is what is used to protect your privacy.

So, for this week one blog I wanted to focus on the difference between security and privacy in the healthcare industry. I actually started this blog about healthcare information security when I took CIS608 in 2017. I chose the topic because in 2006 my personal health information was possibly compromised. I say possibly because they had no idea what was actually taken, only that there had been a breach. So of course, the fix was to monitor your credit information, except back then they did not offer the funds to do so. If you read my blogs dating back to CIS608 you will see that not much has changed and in fact, breaches are still quite common. So, what is the difference between privacy and security?

The way I tend to think about it is that security helps to defend your privacy. One way to look at this is a fence, like the image above retrieved from http://cyntell.com/blog/privacy-versus-security/. The fence provides security from intruders entering your property. It serves as a barrier. However, outsiders can still see inside your fence, so perhaps they see you when you sunbathe. This is something you probably would prefer your neighbors or strangers not to see. Thus you would install a privacy fence. This fence is typically slatted from both sides so that you cannot see through the gaps a fence normally has. This is privacy: it allows you to do what you want, or keep what you have in your yard, without being seen. Security programs are designed to protect the informational assets an organization collects and maintains, whereas a privacy program is focused on the personal information those assets contain (Siegel, 2016). So how does this apply in the medical field?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, is the way privacy and security are addressed in law. In fact, from that law the U.S. Department of Health & Human Services (HHS) established several different rules. Two of those rules that are applicable to this blog are the Privacy Rule of December 2000 and the Security Rule, which was published in February 2003.
You can find a lot of information on the Privacy Rule directly from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. According to their site, the information that is protected includes “demographic data that relates to an individual’s past, present, or future physical or mental health or condition”, “the provision of health care to the individual”, and even payments. So, therapist notes or your medical records are considered protected and can’t be released without your permission, with the exception of a few special cases, for example if you are a serious threat to health or safety.
The HHS Security Rule can also be found at https://www.hhs.gov/hipaa/for-professionals/security/index.html. It “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity”. As this statement says, it only applies to electronic health data. It aims to protect the CIA triad (confidentiality, integrity, and availability). This rule protects all personal information that could be associated with you. It requires several different types of safeguards: administrative, physical, and technical. Some of the administrative safeguards include assigning a security official and conducting evaluations (audits) to verify that the requirements are being met. Physical safeguards primarily deal with physical access to facilities and systems. Technical safeguards include measures to protect data, like encryption.
Both of these rules have pages of information about them. I just highlighted some of it to help explain the difference between the two. So, to break this down, the things I am allergic to are my private information. Security is what protects that information: making sure that medical personnel have to use some sort of authorization to access those files, and protecting that information in transit when it is transferred. This is also a reason medical offices typically ask if you are willing to share your information. You can deny this option; however, a good reason to allow it is quick access to those files. For example, if you were to get injured in another state, your medical provider could send them your files if you had signed a release allowing them to do that. They have the responsibility to protect that information when they do send it.
So, you may be asking why these rules would even matter. As I mentioned in the beginning, my medical records were potentially compromised. Do you know what kind of information is in these files? They contain social security numbers, home addresses, and your health history, including family history. Thus, there is very lucrative information there. In fact, according to https://www.cnbc.com/2014/05/29/hackers-are-coming-after-your-medical-records.html, medical records were selling for $20 on the black market. It also does not help that medical providers have weak security. Consider the WannaCry virus, which targeted older operating systems that Microsoft no longer supported, like Windows XP. Many health companies still use these older systems. In fact, looking at the chart below, it is projected that medical breaches will impact 1 in 13 patients over 5 years (https://www.computerworld.com/article/3090566/hackers-are-coming-for-your-healthcare-records-heres-why.htmlv).

In conclusion, knowing the difference between security and privacy is important with regards to medical information. Knowing what is important to protect and how to protect it is crucial to protecting everyone’s health information. Hopefully laws like HIPAA force medical providers to do a better job securing our privacy.

Friday, August 31, 2018

1.4 Million Patient Records Breached


Once again, a company has been breached, not only once, but twice. Not only has this occurred twice, but twice in the same year!!!!! In April, a phishing attack compromised the records of 16,000 patients. This time, however, 1.4 million patients are at risk. “The hacked accounts included protected health information, including names, addresses, medical data, treatment information, lab results and/or insurance information. For some of the 1.4 million patients, their payment card and Social Security number were included in the breach” (Davis, 2018). This has been the largest breach in the U.S. this year.
I don’t quite get why this keeps happening. I think that there needs to be a solution that separates vital information such as social security numbers out of patient files. Maybe they should come up with a unique number to identify their patients that doesn’t lead to as many issues as having a social security number compromised. They also need to increase their training for employees, and actually discipline employees who break the rules. Making penalties harsher should make employees pay closer attention to their actions.

Bibliography

Davis, J. (2018, July 31). 1.4 million patient records breached in UnityPoint Health phishing attack. Retrieved from Healthcare IT News: https://www.healthcareitnews.com/news/14-million-patient-records-breached-unitypoint-health-phishing-attack



Monday, May 22, 2017

Mental Health with Regards to HIPAA week #11 post

The last topic I want to discuss relates to mental health with respect to the HIPAA rules and regulations. Mental health has been a popular topic in the news. Any time there is a mass shooting there seems to be talk about mental health issues, or people ask whether there were mental health issues related to the incident. Another question you tend to hear relates to actual discussions with a therapist: people may wonder, “What can I say without other people finding out?” This always made me wonder, with regards to HIPAA, what can be released by mental health professionals. According to the U.S. Department of Health and Human Services, the Privacy Rule applies to all protected health information. They do make an exception with regards to psychotherapy notes.
“The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. Psychotherapy notes also do not include any information that is maintained in a patient’s medical record.” (U.S. Department of Health & Human Services, 2014)
This means that the mental health provider must get a patient’s permission to release information. There is one exception, and that is left to the judgement of the provider: whether or not to release information when a patient is about to harm himself or others, or under mandatory abuse reporting.
Release without patient approval is solely based on the judgement of the doctor as to whether or not they feel the patient is a threat to themselves or others.
Something else that comes into play is state law with regards to PHI. “The privacy regulations do not preempt state law that is ‘more stringent than’ federal law.” (Malek & Krex, 2002). This is something that mental health care providers must also take into account when dealing with patient notes.
For the most part, federal law maintains the same privacy protections for mental health and medical records. The difference is with the notes the mental health provider keeps. They contain no information related to medical treatment, just notes about the actual therapy sessions. This should make patients feel safer to open up and talk about their issues, thus allowing them to get the help and care they need without judgement.
References
U.S. Department of Health & Human Services. (2014, February 20). HIPAA Privacy Rule and Sharing Information Related to Mental Health. Retrieved from HHS.gov: https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/

Monday, May 15, 2017

'WannaCry' ransomware damages UK National Health Services organizations ability to conduct business Week #10 Blog Post

This blog is going to focus on an incident last week that provides an example of some things that I have talked about in previous blogs. A ransomware attack, “WannaCry”, hit Friday afternoon and spread rapidly. One of the groups affected by this was the National Health Service organizations in the UK. The ransomware is malware that exploits a vulnerability in Windows XP or Windows Server 2003. Both of these are operating systems that Microsoft had stopped supporting. So what exactly does this do?
WannaCry gets passed through emails or fake ads. It creates encrypted copies of files on the victim’s computer and deletes the originals, leaving the victim with only the encrypted copies, which cannot be accessed without a decryption key (Curtis, 2017). It then demands a ransom, which has been small thus far, in the $300-$600 range. This caused major issues with the NHS.
Barts Health NHS Trust in London had to cancel routine appointments, and ambulances were diverted to other hospitals. It also affected their referral system, which refers patients for treatment with specialists and cancels the treatment if the referral isn’t made within two weeks (Veselinovic & Hilary, 2017). Organizations were not able to access any health records. In fact, Dr Emma Fardon told the BBC that they couldn’t tell what drugs patients were on and what allergies they had (Health, 2017). So why did this happen, and could it have been prevented?
Microsoft knew of the vulnerability and actually released a patch for it in March (Graham, 2017). Unfortunately, many people do not regularly update their software as recommended. For example, whenever I turn on my computer the first thing I do is update my anti-virus software, and then check for updates from Microsoft. Thus, my system was protected from this exploit. Another issue that affected the hospitals, however, was that many of them are using outdated software, software that Microsoft no longer updates. Microsoft, however, is pushing out updates to these older systems to prevent further spread (Johnson, 2017). This issue in part addresses my previous blog, the fact that the health community doesn’t have adequate training and resources to operate securely. The most important thing that would have prevented this was to update the software in the first place. This, however, requires funding, since systems must be maintained, including switching from Windows XP or 2003 to the current OS, Windows 10.
What this incident shows is that governments need to invest more resources into healthcare, in particular with regards to the IT aspect. Look at how much damage this incident has created: rerouting ambulances, preventing access to patients’ records, and preventing referrals. All of these impacts can cost people their lives.

References

Curtis, S. (2017, May 15). Who is behind the WannaCry ransomware attack crippling NHS hospital trusts across the UK? Retrieved from Mirror: http://www.mirror.co.uk/tech/who-behind-nhs-cyber-ransomware-10410865
Graham, C. (2017, May 13). NHS cyber attack: Everything you need to know about 'biggest ransomware' offensive in history. Retrieved from The Telegraph: http://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/
Health. (2017, May 13). NHS cyber-attack: GPs and hospitals hit by ransomware. Retrieved from BBC: http://www.bbc.com/news/health-39899646
Johnson, A. (2017, May 15). 'WannaCry' Malware Attack Could Just Be Getting Started: Experts. Retrieved from NBC News: http://www.nbcnews.com/news/us-news/blockbuster-wannacry-malware-could-just-be-getting-started-experts-n759356
Veselinovic, M., & Hilary, M. (2017, May 12). UK prime minister: Ransomware attack has gone global. Retrieved from CNN: http://www.cnn.com/2017/05/12/health/uk-nhs-cyber-attack/index.html



Friday, May 12, 2017

Lack of Cybersecurity Personnel in the Healthcare Industry Week 9 post

With the emergence of cyber threats to medical providers, you would think that candidates with cybersecurity skills would be plentiful. However, according to ISACA Chief Innovation Officer Frank Schettini, there is a huge skills gap. He “found that nearly one in three organizations take six months or more to fill an open cybersecurity role. Additionally, 37 percent of organizations said that basically 1 in 4 candidates are qualified.” (Schettini as quoted in Snell, 2017). In fact, looking at the chart below, you can see that most cybersecurity jobs are being posted in the professional, scientific, and technical field.




Figure 1. Cybersecurity Jobs posted in 2014. Retrieved from: http://www.modernhealthcare.com/article/20151024/MAGAZINE/310249962
Right now there is a large job market for cybersecurity workers, so it makes sense that not only healthcare, but all markets are finding it hard to find employees. “The supply is 10% of the demand—from the Defense Department to banks to cybersecurity companies.” (Inbar as quoted in Conn, 2015). “Demand is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million” (Brown as quoted in Morgan, 2016).
That is why ISACA created the Cybersecurity Nexus Training Platform. They created it to help employees gain hands-on technical training. Of course they are not the only source of training, but this is one example of how healthcare organizations can help ensure the security of their information and information systems. With the shortfall of skilled employees the previous paragraph highlighted, organizations must take matters into their own hands to ensure their staff is trained as thoroughly as is feasible. Establishing policy and training to cover the basics would be a huge asset to every organization. Until supply meets demand, hospitals and medical companies must do everything in their power to ensure their employees know how to protect valuable information.


References:
Conn, J. (2015). Healthcare struggles to recruit top cybersecurity pros. Retrieved from: http://www.modernhealthcare.com/article/20151024/MAGAZINE/310249962
Morgan, S. (2016). One Million Cybersecurity Job Openings In 2016. Retrieved from: https://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#277bf10d27ea
Snell, E. (2017). Addressing the Cybersecurity Skills Gap with Improved Training. Retrieved from: http://healthitsecurity.com/news/addressing-the-cybersecurity-skills-gap-with-improved-training


Friday, May 5, 2017

Interoperability in the Healthcare Network Blog Post Week 8

This week I am going to focus on interoperability. Currently this is a big issue not just for health care as a whole, but also for the armed forces. “Interoperability means the ability of health information systems to work together within and across organizational boundaries in order to advance the effective delivery of healthcare for individuals and communities.” (Healthcare Information and Management System Society, 2017). Basically, different systems need to be able to communicate with each other. Say, for example, you visit a hospital in Florida, and then later in the year you go to a hospital in Nebraska that is on a different healthcare network; there needs to be a system in place that allows the Nebraska hospital to pull those records.
Interoperability is not easy. The Office of the National Coordinator for Health Information Technology (ONC) created an interoperability roadmap in 2015. This April, they released a proposed interoperability standards measurement framework and are requesting feedback “to evaluate progress so far by healthcare sector stakeholders - including health IT vendors, healthcare providers and health information exchange organizations - in implementing and using standards facilitating health information exchange now that electronic health record use is widespread.” (McGee, M. 2017). Achieving interoperability makes access to patients’ records for healthcare much simpler.
The ONC is also creating a competition to create an algorithm for patient matching. Patient matching describes the techniques used to match the data about you held by one health care provider with the data about you held by another (or many others) (Posnack, S. 2017). They are awarding 6 cash prizes worth a total of $75,000; first place would receive $25,000. If you are interested you can enter at: https://www.patientmatchingchallenge.com/challenge-information/challenge-details.
Interoperability is a must. In the military you need all services to be able to communicate with each other. The same should apply to medical records, in my opinion. With that being said, it does bring another risk to security: by gaining access to one network, a perpetrator would be able to access medical information from anywhere. In my opinion, though, the benefit of having an interoperable healthcare network is much greater than the risk of compromise.


References:
Healthcare Information and Management System Society. (2017). Retrieved from: http://www.himss.org/library/interoperability-standards/what-is-interoperability
McGee, M. (2017). ONC Seeks Help Measuring Interoperability Progress. Retrieved from: http://www.healthcareinfosecurity.com/onc-seeks-help-measuring-interoperability-progress-a-9879
Posnack, S. (2017). Demystifying Patient Matching Algorithms. Retrieved from: https://www.healthit.gov/buzz-blog/interoperability/demystifying-patient-matching-algorithms/