9/6/2014 09:06 AM

HealthCare.gov Breach: The Ripple Effect

Hackers breached a HealthCare.gov test server, reportedly affecting no records, but the repercussions could spread across many medical organizations.

10 Ways To Strengthen Healthcare Security

Thursday's disclosure that hackers breached a HealthCare.gov test server this summer sparked more concern about the overall vulnerability of healthcare organizations and hope that the growing number of publicly disclosed hacks will encourage those organizations to expend more resources on securing data, networks, and systems.

A hacker installed malicious code on a device that had kept its default manufacturer's password. As a test server, it was not supposed to be hooked to the Internet, said Patrick Peterson, founder and CEO of security developer Agari, in an interview. Either keeping the server unconnected or using tools that automatically change pre-set passwords would have prevented this vulnerability, he said. Because it shared the breach, HealthCare.gov should be lauded for its transparency, said Peterson.

This type of error is easily preventable, but is the kind of mistake that can occur at most organizations without proper training and IT management, said Ashley Leonard, president and CEO of Verismic Software:

I am sure it is unnerving for the public when our government's own systems get compromised by hacking. This, on top of the recent celebrity hacking, creates a distrust in cloud. However, if you look more closely at what has actually happened, systems are being penetrated by a combination of bad IT management and poor end-user training. I believe IT managers and software vendors need a better way to share information on vulnerabilities and how to patch them. The second concern is passwords; though passwords are set to protect our most sensitive data, we have a real issue today of using technology much older than most of us. At the very least we should be moving to pass phrases, two-factor authentication, or biometrics to protect our data.

Although federal officials were quick to reassure the public that no personal, financial, or health data was stolen, a chorus of dissent arose immediately given the amount of information HealthCare.gov houses and the number of alarms raised about the site's security weaknesses.


"IT experts have long warned about the lack of security built into the federal Obamacare website," said Congressman Diane Black (R-Tenn.), in a statement. "The vast amount of personal information that Americans are required to put into this site is an open invitation for hackers. That is why designing a secure website should have been a top priority for this Administration."


While politicians battle it out in Washington, D.C., CIOs and chief security officers might find it easier to wrest security funds from reluctant boards and CEOs. That can't happen soon enough, based on the industry's ongoing poor performance when compared with other sectors.

Last year, there were 276 breaches in healthcare, the largest number from five verticals that the Identity Theft Resource Center reviewed, said John Pescatore, director of Emerging Security Trends at SANS. "Driven both by attempts to reduce cost and rushing to meet deadlines to meet federal requirements, the healthcare industry has failed to sufficiently build security into their systems -- the healthcare exchange websites are just one example," he said. "Security has been seen as increasing cost and slowing down schedule. CISOs' recommendations have been ignored, or postponed in attempts to 'sprinkle security on,' post deployment. This has largely been the case over the past several years, leading to this growing trend of breaches in healthcare systems."

In light of recent hacking attacks at HealthCare.gov, JPMorgan Chase, Home Depot, and Community Health Systems, business leaders are more aware of risks -- and the impact that breaches could have on their organizations, many security executives agreed. To date, many have spent more on electronic medical records (EMRs) and meeting Meaningful Use mandates than on security, but that must change, they noted.

"Healthcare needs to re-evaluate the resources they've allocated to EMR security. The last few years have seen most hospital systems deploy significant technology for EMRs, consumer technology to support clinical staff, patient portals, and much more," Eric Cowperthwaite, vice president of Advanced Security and Strategy at Core Security, said via email. "In fact, for large hospital systems, an EMR project can be on par with HealthCare.gov in terms of cost, resources, and project scope and scale. They will need to look at whether they have done at least as well as [the Department of Health and Human Services] on security, if not better."

This latest incident at HealthCare.gov could give IT executives more ammunition in their quest for better funding and resources.

"It is too early to tell specifically about HealthCare.gov, but when seen as part of the overall trend, this is without a doubt raising awareness and forcing a reordering of priorities and budgets," Gilad Parann-Nissany, CEO and co-founder of cloud developer Porticor, told InformationWeek.

Added Todd Feinman, CEO of Identity Finder: "CIOs should be using this as justification for much higher budgets to manage sensitive information and prevent data breaches proactively. Their job is at risk and this is a difficult problem to solve. They can now point to real evidence, instead of fear/uncertainty/doubt, that shows there is a need within their organization. We are seeing an increase in spend around sensitive data management due to the recent wave of data breaches."

The goal, however, is not perfection. No technology, no team or individual can assure total security, cautioned Agari's Peterson. Rather, CSOs and CIOs must improve healthcare security, reduce risk, and work together, just as financial institutions do, he said.

Many healthcare organizations have already implemented standards and tight security capabilities, said Wes Wright, senior vice president and CIO of Seattle Children's, via email. "Most good healthcare organizations have been concentrating on security since the beginning of HIPAA back in the early 2000s and then with the HITECH act. I think the HIT community is running as hard as they can to catch up, keep up with security," he said. "We may see more emphasis and interest, from the CEO and board levels, on an organization's security posture [although] not necessarily more activity, since I think we've actually reached a human resource-limited pace."

Consumers might not yet be as quick to switch doctors as they are to switch retailers (think Wal-Mart instead of Target), but that day could come if healthcare providers are complacent about security, executives warned. Patients also are becoming more critical of how and to whom they hand over their data, said Feinman.

Ultimately consumers will vote with their pocketbooks, even in healthcare, said Peterson. "At the end of the day, if you cross the consumer enough, you will not win the marketplace," he said.


Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments
Alison_Diana (User Rank: Author) | 9/11/2014 | 10:35:55 AM
Re: Just a test server, but ...
You're right, in that it could -- no, probably WOULD -- be difficult to do. I'm thinking it would be modeled on the credit reporting agencies in a way, which use formulas (which I'm not totally clear on, to be honest!) to determine consumers' (and companies') credit-worthiness. In the same way, you could have a neutral third party determine business (and government agency) privacy worthiness, based on public information (such as reporting mandates - like HHS' Wall of Shame, for example) and any confidential information these organizations opt to share. It would be in their self-interest to share information about their processes, technologies, and other relevant things because their 'privacy meter' would improve, thereby providing consumers with more trust in their organization.

The clearinghouse itself should not store this data, thereby avoiding any allure to external (or internal) cyber thieves -- and further assuring businesses/agencies of the sanctity of their data. I don't know if this would work, but it's one way of bolstering consumer confidence in private and public security. Any others?
SaneIT (User Rank: Ninja) | 9/11/2014 | 7:13:06 AM
Re: Just a test server, but ...
Given the fact that little information is released when a retailer is compromised, how would that clearing house work to notify victims of data loss? I'm not saying that such a process couldn't happen; I'm just wondering how this third party is going to get clear, truthful and accurate reports on data loss when consumers have a hard time getting this when it is their personal information on the line. I think that the third party is a good idea and it falls into the checks and balances of any sane security program, but I feel like they may end up fighting on many fronts and being overwhelmed or stalled to the point of being largely ineffective.
Alison_Diana (User Rank: Author) | 9/10/2014 | 4:58:47 PM
Re: Just a test server, but ...
Oh absolutely, @SaneIT! But I want an additional third-party, independent place where I can get unbiased news about all breaches, large and small; updates on arrests or other criminal penalties; impact on consumers (such as news that records are for sale), etc. You can sometimes find that information if you dig around but it's time-consuming and you have to do it on a case-by-case basis. 
SaneIT (User Rank: Ninja) | 9/10/2014 | 7:34:19 AM
Re: Just a test server, but ...
I think we are going to need more than a clearing house. When very large retailers are losing millions of records at a time, what we need is an industry shift toward customer protection both from the retail side and from the finance side. Anyone issuing me an ATM card should bend over backward to get my information secured; otherwise they are losing a customer and gaining a very vocal opponent.
Ed Telders (User Rank: Apprentice) | 9/9/2014 | 10:57:19 AM
Re: 276 Breaches
I couldn't agree more! There is the reality of what the rules and regulation dictate, but to me clearly the right thing to do is to notify the individuals whose information has been breached. I think the genesis of this kind of provision is that it reflects the reality that there are probably so many small breaches that it would clog the available enforcement resources as they are currently structured. They will focus on the "big" ones as a natural consequence. The problem with that reality is that the focus of many organizations will also follow suit and only focus on preventing "big ones".
Alison_Diana (User Rank: Author) | 9/9/2014 | 9:05:51 AM
Re: Just a test server, but ...
One thing I've heard is the need for some kind of clearinghouse -- an Experian-type place, if you will -- where consumers can determine if their data has been breached. This is for all kinds of data -- credit, health, other personal info (such as address, phone, etc.). I think we can usually figure out when our emails or phone numbers have hit the black market; we suddenly see an influx in spam calls and emails. But it can be more difficult to ascertain whether our other information is out there. 
SaneIT (User Rank: Ninja) | 9/9/2014 | 7:35:57 AM
Re: Just a test server, but ...
That is an excellent point, but there were multiple failures there that I'm sure more than one person/department knew about. "A hacker installed malicious code on a device that had kept its default manufacturer's password. As a test server, it was not supposed to be hooked to the Internet." I don't know how many people are afraid of stepping up and speaking out against doing dumb things, but I suspect that number is pretty high when a manager/supervisor tells them to do it. I think we're starting to see the need for some checks and balances in the security realms, especially when they are dealing with this much sensitive data.
PaulS681 (User Rank: Ninja) | 9/8/2014 | 8:12:24 PM
Re: 276 Breaches
Who makes these rules? 60 days after the end of the calendar year in which the breach occurred could be over a year after the breach happened. Shouldn't the patients potentially affected be the #1 concern when a breach happens? Clearly they are not.
Alison_Diana (User Rank: Author) | 9/8/2014 | 4:56:43 PM
Re: Just a test server, but ...
One thing that concerned one exec is that, in the future, IT folk may not fess up but will instead conceal these mistakes because they don't want to deal with all the furor. In turn, that will weaken the system further, making it easier for breaches to occur -- and data to actually get stolen. Not sure of the legalities at play here but if there are situations when IT is voluntarily disclosing mistakes, I don't think they should be excoriated for it. 
Alison_Diana (User Rank: Author) | 9/8/2014 | 4:54:42 PM
Re: 276 Breaches
Thanks for clarifying, Ed. You're right. 