A new report states that healthcare's mission of saving lives, its goal of sharing patient data in order to improve treatments, and its relatively low investment in cybersecurity make it attractive to hackers.
The two big breaches of 2015 reveal that the industry still has a lot to learn in regards to improving its cyberdefense, according to a new report by the Institute for Critical Infrastructure Technology, a Washington, D.C., think tank.
Breaches at insurance giant Anthem and the federal Office of Personnel Management left nearly 100 million individuals vulnerable.
The attacks were caused by “social engineering,” a polite way of saying that information technology employees at both organizations were punked into opening the door for the hackers. And it could have been the result of something as simple as clicking on a link that led to a virus, said James Scott, senior fellow at the institute and a co-author of Hacking Healthcare IT in 2016: Lessons the Healthcare Industry Can Learn From the OPM Breach.
“Your in-house health information security guy should have a training program on what a spear-phishing attack looks like and how to understand the basics of social engineering,” he said.
Scott also recommends that healthcare organizations separate their security and IT operations departments. Most IT people simply don't have the specialized training in security to be effective, he said.
Both breaches were ultimately traced back to hackers operating out of China because the tools used in both exploits were linked to a group known as Deep Panda, Scott said.
Scott said the tools used to cause the Anthem breach, which came first, had the same signatures as the ones used at OPM.
Cybercriminals do that after a major project, such as the Anthem hack, Scott said.
“They just want to confuse the point so much no one can absolutely finger point to them.”
Scott said sufficient security technology needs to be deployed. Devices need to be tested for security before implementation, he said. “We need more encryption rather than less.” Data should be encrypted in motion and at rest, with different algorithms for each data field on an electronic medical record.