HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Hacking: How Severe is the Threat to the Healthcare Industry?

Retail, financial, entertainment, healthcare. It would appear that no industry is safe from hackers. The volume of incidents reported over the past 12 months, and the sheer scale and complexity of some of the attacks, indicate that the threat level is currently critical.

The healthcare industry in particular appears to be under attack. Two hacking incidents on health insurers resulted in the perpetrators obtaining 78.8 million records from Anthem and approximately 11 million records from Premera Blue Cross, the latter including healthcare data.

According to data from the Office for Civil Rights, numerous smaller incidents were also reported in which hackers had gained access to PHI.

The OCR requires all HIPAA-covered entities to report data breaches affecting more than 500 individuals within 60 days of discovery. Between March 1st 2014 and February 28th 2015, the OCR received 31 breach reports that were attributed to hacking/IT incidents.


However, the data only includes hacking incidents involving data covered under HIPAA, and in many cases data breaches are not noticed until some time after the attack has succeeded. It took Anthem and Premera many months to identify that their security controls had been breached. It is therefore difficult to gauge how severe the cybersecurity problem is.

How Severe is the Threat from Hackers?

HITRUST – the Health Information Trust Alliance – has asked that question and has not been able to come up with an answer, but the organization – best known for its Common Security Framework – is determined to find it. It has devised a study which it calls “Cyber Discovery” and will soon start recruiting participants, which it hopes will eventually number in the hundreds.

In order to identify the current cybersecurity risk, the study needs to look beyond the breach report statistics and see what is actually happening in real time. The study should not only uncover the volume of attempts made by hackers to gain access to healthcare databases, but also their pervasiveness and the methods the hackers are using to obtain PHI.

How will the Cyber Discovery Study Monitor Threats and Attacks?

All participants must agree to monitor their systems and servers for a period of 90 days using the Trend Micro™ Threat Discovery Appliance. HITRUST CEO, Dan Nutkis, told Information Security Media Group that the software is “like a big sandbox that works in a passive mode and collects everything and tries to analyze everything that comes into the sandbox.”

The data collected will be analyzed during the study, while participants can also use the information to assess threat levels and develop strategies to manage cybersecurity risk. Any data that the software collects will be de-identified to protect the privacy of participants. The data will only be supplied under a category, such as clinic or hospital. HITRUST is planning to start recruiting participants in May, when it hopes to have amassed the necessary hardware and software to run the survey and analyze the data.

Initially, HITRUST is looking to recruit 210 volunteers from a wide range of organizations in the healthcare industry, and the survey will be extended to organizations that are not HITRUST members.

Participants will benefit from free use of the Trend Micro threat detection software, and Nutkis confirmed that training will be provided on its use, including how to analyze the data it generates and conduct a forensic analysis.

Some of the questions that HITRUST is hoping to have answered are “Are these actors targeting health plans or are they targeting specific types of equipment or types of data? Are they after PHI or PII? What’s the level of persistence? What’s the duration of them trying to get in? Do they keep coming back?”

It is hoped that patterns will emerge and that the survey will also discover some of the more sophisticated methods currently being used by hackers to break through IT security controls.

Provided that HITRUST can recruit enough volunteers – for which it will have to guarantee de-identification of the data and therefore anonymity – the survey has the potential to provide an important and highly valuable insight into the severity of the cybersecurity problem and how healthcare providers can improve their defenses against hackers.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.