In an age where healthcare data is becoming more accessible and valuable, Security Specialist at network security firm Fortinet, Jonas Thulin, discusses why cyber criminals are more interested in your healthcare data than your credit card details and how to counteract the risk by effectively planning, managing and developing a secure healthcare IT infrastructure.
What is Fortinet’s presence in the local healthcare sector?
Fortinet is a worldwide provider of network security hardware and unified threat management solutions whose customers include enterprises, service providers and government entities. Fortinet entered the SA market over ten years ago and secured its first deal in the local healthcare sector in 2005.
In the healthcare sector, we specialise in providing security hardware to protect our clients – ranging from medical schemes and hospital groups to big pharma retail chains – from risks associated with the internet.
What trends have you seen in healthcare IT infrastructure?
There have been a number of drivers for the uptake of our services in the healthcare sector over the last two years, and first on the list is the need for facilities to offer WiFi access to meet consumer expectations. Consumers expect a certain experience when dealing with the healthcare industry and access to the internet is central to that, but providing that sort of access brings with it a host of security challenges.
Secondly, the migration of the industry to complex ecosystems with numerous stakeholders collecting and sharing vast amounts of patient data means that the more patient information is opened up to entities outside the traditional hospital setting, the greater the chance that these systems can be compromised, either intentionally or accidentally. On the one hand, administration and business processes have largely transitioned from paper-based tools and processes to internet-based solutions that improve efficiencies and profitability. From a clinical perspective, on the other hand, moving towards personalised medicine and decentralised patient monitoring means that providers, patients and payers need to access and connect information from various points within the healthcare delivery chain.
The need for providers to deliver seamless integration with their stakeholders, together with the change in information flows and the explosion of digital content that needs to be stored and shared, has highlighted gaps in workflows that make it easier for criminals to gain access and carry out fraudulent activity using patient data. In our current healthcare ecosystem, security risks are mounting, to say the least, and with the advent of the Protection of Personal Information (POPI) Act, ensuring a secure IT architecture is crucial for everyone’s safety.
What are some of the security concerns that the healthcare industry should be aware of?
It is fundamental that everyone understands that security threats are real. Healthcare security breaches in particular are a global threat and everyone from big enterprises to smaller organisations to individuals is at risk of hacks by organised crime groups.
Primary threats in the past were spam and viruses sent out at random to millions of users in the hope that they would be successful in defrauding people, but these days security threats are becoming increasingly sophisticated and highly targeted. It makes sense to be efficient when you’re running a business defrauding people, so cyber criminals want to be undiscoverable and keep the channels to their targets open. This is what we call “advanced persistent threats” and they are proving to be very effective in defrauding people.
One of the scariest realities of advanced persistent threats is what’s called “zero-day vulnerabilities”, which are vulnerabilities in operating systems and application websites that have not yet been exposed. Because no one knows about them, they can remain vulnerabilities for several years without a patch being provided. And even once a patch is made available, consumers and staff using eHealth systems can still be targets for attacks if they’re not using the latest operating systems or regularly downloading security upgrades that contain patches. This opens up a huge window for attack and is the cornerstone of advanced persistent threats.
Just how common are advanced persistent threats?
According to figures from Fortinet’s FortiGuard Labs, our in-house threat research team, over the first six months of 2014, 24% of attacks were on vulnerabilities that were disclosed in 2003; in other words, vulnerabilities that are over ten years old are still effective because people aren’t patched and haven’t upgraded their systems. Over 50% of attacks were on vulnerabilities disclosed prior to 2009. In addition, according to Net Applications in September 2014, as of August 2014, 24% of PC users are still running Windows XP, which is no longer supported by Microsoft and for which patches aren’t made available. Surprisingly, only 12% of PC users are using Windows 8, the latest operating system.
This is one of our biggest challenges, not only with companies but with end users too. It’s vital that people understand the danger of using old, unpatched technology and that users understand how upgrading can protect them from attack.
What value is healthcare data to cyber criminals?
Stealing money directly from banks is the best return on investment for cyber criminals, but the next best thing is stealing any type of personal information, and medical records contain vast amounts of personal information. The healthcare industry is high on the list of targets to attack for these organised crime groups, not only because of the volumes of personal data it contains but also because of the gaps I previously mentioned in the flow of information between stakeholders.
Cyber criminals use the information contained within medical databases to make their attacks more personal and “credible” to the individuals they are trying to exploit. By knowing who your doctor is and what hospital you go to, it is easier for them to impersonate the healthcare provider and lure a patient to a website to buy a certain product or enter their financial information.
It’s important to remember that the most important tool to a cyber criminal today is still social engineering. We can talk to users about preventative tools and vulnerabilities, but the quickest way to get someone’s password is to ask for it. And if a cyber criminal is impersonating healthcare personnel and contacts you to alert you of a problem and offers to help by asking you for your ID and password, most people are likely to give them that information. So it’s crucial to factor in the social engineering aspect and understand that in today’s society, where we have contact with many people we’ve never met who are representing organisations, it’s very easy to impersonate someone.
Where can healthcare organisations start in ensuring secure internet architecture?
There are a number of factors to consider when implementing controls to protect yourself and it is essential to start by conducting a risk assessment to understand what action you might need to take.
When conducting a risk assessment it’s important that you ask questions like “what are you protecting?” and “what do you need to spend to protect it?” In order to answer those you must understand who the stakeholders are and what the risks are for every level of user.
Once you’ve done a risk assessment you will know: who has access to your information and who is managing that information; the systems and technology that enable this; the processes that support your workflow and the structures within the organisation that use that workflow.
Talk us through some of the practical steps that need to be taken once a risk assessment is complete.
The next step is to review your security policies. It’s surprising how many of these policies are antiquated and talk about things like modems and updating your password every 30 days with a password that is at least eight characters long, etc. They often don’t mention social networking or cloud computing, which are common practices in today’s working environments, so it’s imperative to review these policies and rewrite them to align with your risk assessment but also with the new business requirements and drivers and where you want to take your business.
Once you’ve completed a risk assessment and reviewed your security policies, it is much easier to decide how to re-architect your IT infrastructure and implement controls to protect you from attacks, breaches and leaks, etc. You would likely implement technology separation as previously discussed, adopting no trust models, wireless management technology together with traffic shaping technology to ensure that the appropriate information is always the top priority and, most importantly, implementing encryption so data is encrypted when at rest and when being transmitted between the different stakeholders.
Can you comment on the legislation that needs to be implemented in SA to protect healthcare data?
I think regulatory requirements are essential because of the increasingly sensitive data handled by the healthcare industry. POPI will soon be implemented in SA, and is a far-reaching piece of legislation that will affect the business practices of any company that keeps or processes the personal data of any citizen, and so it will have a big impact on healthcare organisations. POPI will give individuals full control over their own information, which would force companies to respect privacy and not collect and sell user data to third parties.
However, at this point, a regulator has not yet been appointed, so while it’s been signed into legislation it’s not being enforced because there is no regulatory body or formal guidelines to follow. We are expecting that to change in 2015 and we will most likely start to see penalties and recourse for organisations that don’t comply with the act. Fortunately for the healthcare industry, the Health Professions Council of SA (HPCSA) already offers guidelines for handling patient data and although POPI is more rigorous, there is a starting place to work from for the industry. I would advise all healthcare organisations to familiarise themselves with the new requirements and plan their IT and security needs accordingly.
Do you have any final messages for eHealthNews readers?
The entire healthcare industry is undergoing a dramatic shift designed to enhance the level of care provided to patients. The sensitivity of patient information has created the need for end-to-end security solutions throughout the entire healthcare network – from doctor’s offices all the way to the hospital data centre.
I can’t stress enough that advanced persistent threats are real and healthcare providers can no longer afford to take security lightly; they have to go through the process of risk management, review their system and then re-architect to protect themselves. Only with security as the foundation can healthcare organisations build IT services and applications that meet the requirements of business and healthcare mandates.