Healthcare organizations feeling cyberattacks growing

Healthcare organizations feeling cyberattacks growing
Healthcare organizations feeling cyberattacks growing 

By Ellen Messmer

Healthcare organizations feel under increasing attack from the Internet, 
while security incidents involving insiders and disappearing laptops 
with sensitive data are piling up. On top of that, there's now the 
prospect of a surprise audit from the federal government agency in 
charge of overseeing the Health Insurance Portability and Accountability 
Act security and privacy rules.

Healthcare organizations are stepping up efforts to protect electronic 
patient information as they witness increased attacks against hospital 
networks, mindful how a data breach could hurt patients and their own 

There is definitely an uptick in attacks, says Dr. John Halamka, CIO at 
both Beth Israel Deaconess Medical Center and Harvard Medical School in 
the Boston area. Privacy is the foundation of everything we do. We dont 
want to be the TJX of healthcare. TJX is the Framingham, Mass-based 
retailer which last year disclosed a massive data breach involving 
customer records.

Dr. Halamka, who this week announced a project in electronic health 
records as an online service to the 300 doctors in the Beth Israel 
Deaconess Physicians Organization, acknowledges computers in healthcare 
are sometimes compromised as spam relays or to host unauthorized content 
such as porn.

It gives attackers a means to distribute it, says Halamka. While he has 
seen no evidence of attackers targeting healthcare networks to steal 
patient data for financial gain, other security experts say that 
dangerous trend is well underway.

Healthcare organizations store a lot of valuable personal, identifiable 
information such as Social Security numbers, names, addresses, age, in 
addition to banking and credit-card information, says Don Jackson, 
researcher at Atlanta-based security services firm SecureWorks.

SecureWorks has recorded an 85% increase in the number of attempted 
attacks directed toward its healthcare clientele by Internet hackers, 
with these attempts jumping from 11,146 per healthcare client per day in 
the first half of 2007 to an average of 20,630 per day in the last half 
of last year through January of this year.

SecureWorks believes that some of the most sought-after information is 
from patients who are members of preferred medical network plans, which 
hackers turn around and sell as credentials to criminals specializing in 
illegal immigration.

Credentials information is usually stolen via targeted cyber attacks, 
says Jackson, adding hes seen several cases where health insurance 
credentials were sold to criminals in the counterfeit document racket, 
especially in Central and South America.

Insider attacks, too, are also a worry.

Tenet Healthcare, which owns more than 50 hospitals in a dozen states, 
last month disclosed a security breach involving a former billing center 
employee in Texas who pled guilty to stealing patient personal 
information. He got nine months in jail.

And in an identity fraud case in Sarasota, Fla. last month, an office 
cleaner who gained access to the patient files of an anesthesiologist 
who rented an office at HealthSouth Ridgelake Hospital pled guilty to 
fraud for ordering credit cards on the Internet with stolen patient 
personal information. He got two years jail time.

Lost and stolen laptops have also been a problem, with disclosure of 
missing personal information related to patients or employees at Duluth, 
Minn.-based Memorial Blood Center; Mountain View, Calif.-based Health 
Net; Sutter Lakeside Hospital at Lakeside, Calif.; and the West Penn 
Allegheny Health System revealed just within the last three months.

The HIPAA surprise audit

Besides the loss of confidence such security incidents provoke, the 
specter of government regulatory probes is looming related to the 
federal security and privacy rules in HIPAA.

The U.S. Department of Health and Human Services (HHS), which oversees 
HIPAA compliance, has contracted with the firm PricewaterhouseCoopers 
(PWC) to conduct surprise audits of hospitals this year, says Gartner 
analyst Barry Runyon.

Its complaint-driven, says Runyon, noting that Tony Trenkle, director of 
the Centers for Medicare & Medicaid Services at HHS, last month publicly 
said the first 10 or so reviews will be at hospitals where CMS received 
complaints about security.

In visiting the healthcare organization, the government regulatory probe 
will focus on security risks associated with remote access to data and 
portable storage concerns, with security managers expected to answer a 
lot of questions.

CMS plans to publish the results of these audits on its Web site but not 
the organizations name, unless it uncovers major lapses, which could 
result in fines or other penalties as defined under the HIPAA 
guidelines. Last month, Atlantas Piedmont Hospital was revealed by HHS 
to be the first unannounced HIPAA security audit.

Healthcare, heal thyself

Information-technology managers indicated theyre taking proactive steps 
to secure external network access while also ensuring that authorized 
network users are limited to seeing only what they rightfully should.

At Mount Sinai Medical Center in New York City, the policy there is very 
strict about employees even looking at patient records without reason.

Its the curiosity factor, says Jack Nelson, CIO at Mt. Sinai, who notes 
that employees are told when hired they can be fired for online peeking 
-- and some have been.

Its one strike and youre out -- and thats [for] clinicians as well, says 
Nelson, noting that the hospitals systems are generally role-based and 
keep track of every single access to a record.

Nelson says his biggest concern is not hackers trying to break in but 
sensitive data flying out over the network, including Mt. Sinais 
voluminous clinical-lab test documentation. So Mt. Sinai recently 
installed Symantec data-loss prevention software on client computers to 
monitor outbound traffic.

HIPAA isnt the only set of security and privacy regulations that Mt. 
Sinai cares about. When you have a data loss of about the magnitude of 
10 patient records, you have to report that to the New York State Dept. 
of Health, says Nelson. Thats a serious violation.

Like Mt. Sinai Medical Center, Miami-based health benefit company AvMed 
Health Plans is also making use of data-loss prevention monitoring 
equipment to make sure sensitive data related to health claims is 
transferred appropriately.

Some e-mail communications with physicians offices and hospitals must be 
encrypted under the HIPAA guidelines, notes Charles Hibnick, chief 
systems security architect at AvMed. The Palisade Systems PacketSure 
monitoring equipment deployed since last October provides a way to 
determine that policy is being followed since it flags errors that might 
occasionally occur, such as someone forgetting to encrypt an e-mails 

People sometimes say thank you when we catch this, says Hibnick. The 
monitoring is increasingly important since about 80% of health claims at 
AvMed are electronic, rather than predominantly fax, as they were just 
five years ago.

The prospect of an unannounced HIPAA audit by the government is an event 
that could shake anyone up, but in the final analysis, the federal 
probes are probably good for the healthcare industry, says Mark Jacobs, 
director of technology services in the data-center operations at 
Pennsylvania-based WellSpan Health.

HIPAA did help in some regard, getting the health information community 
to do audit, logging and secure messaging and encryption," Jacobs notes, 
adding HIPAA has propelled his healthcare organization into new 
practices, such as adopting a security governance framework, single 
sign-on and password provisioning.

All contents copyright 1995-2008 Network World, Inc.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods