In the days since Community Health System announced a data breach affecting 4.5 million patients, the security community has responded by telling healthcare organizations to stay the course. At its essence, that message means two things: Remain vigilant and don't fall asleep at the switch.
"Nothing observed would suggest existing defenses, countermeasures or compensating controls are not sufficient," Daniel Nutkis, CEO of the Health Information Trust Alliance (HITRUST), says of the Community Health breach, which investigators have blamed largely (but not entirely) on the Heartbleed vulnerability first disclosed in April. "This is not something that's new."
It wasn't new. But it was news. Speculative though reports may have been, Nutkis says the news left boards of directors and executives at many a healthcare organization "want[ing] an absolute answer" from IT and security staff about whether their organizations and, by extension, their shareholders were vulnerable to such attacks.
"They want to know, 'Will we have a breach? Can we protect against the same attack that hit Community [Health]?'" says Roy Mellinger, vice president and CISO at managed care provider WellPoint, who spoke during a HITRUST briefing on the breach and the healthcare IT security landscape at large. He says he can't promise that a breach won't happen, but he can promise to act quickly if it happens.
Mellinger says the flow of communication between the government and the healthcare community can pose a challenge. The sooner the government communicates what it knows to the healthcare industry, the sooner the industry can "affirmatively respond to executive and board members that we're getting information from the government ... on what the incident du jour might be." Even if the message is to stay the course, it will calm everyone down, he adds.
Michael Rosanova, a supervisory special agent with the Federal Bureau of Investigation, describes the partnership between the agency and the healthcare industry as "emerging." He adds: "We're going to try our best to get you that information in a more timely manner."
The FBI issued a "Flash" alert on Wednesday, Aug. 20 warning that hackers are targeting healthcare firms. That warning came two days after Community Health disclosed in a Securities and Exchange Commission filing that it had been the victim of a hack between April and June 2014.
The FBI and other government agencies want to issue cyber threat information to healthcare faster, but there are limits on what specific institutions can receive depending on the government security clearances of their personnel, Rosanova says. "We could do a better job in making sure we are aware of things that ... are about to break and get those threat advisories out to you."
Patients Are Biggest Losers in Healthcare Data Breaches
Much of the response to the Community Health breach criticizes the industry at large for failing to safeguard patient data against a threat as highly publicized as Heartbleed. Healthcare security is lax, partly because so much data resides in legacy systems that don't receive patches and updates and partly because security and privacy provisions are largely unenforced and unaudited.
The biggest losers in all this, though, are 4.5 million patients affected by the breach. They don't know what was taken, or why, says Christine Arevalo, vice president of healthcare fraud solutions at ID Experts, which offers software and services to mitigate data breach risks.
"It's very difficult to say with absolute certainty what was and was not compromised. It's hard to provide that level of granularity" for individual patients, she says. (Community Health's SEC filing says the hackers obtained "non-medical patient identification data" such as names and Social Security numbers.)
Mellinger says healthcare has made "great progress" in improving its security, particularly when it comes to sharing data about breaches, compromises and other hacks. "I'm very passionate about doing healthcare security right," he adds.
One obstacle he sees is the number of intersection points between healthcare and its customers. In industries such as banking and retail, it's a 1:1 relationship. In healthcare, on the other hand, it's more like 9:1, he says; various payers, providers and government agencies all hold data on the same person.
That, Arevalo says, is why "patients need to be the first line of defense" when it comes to data security. It's especially true as a result of healthcare reform: Increased coordination among a patient's care team as well as higher-deductible health plans both depend on accurate data that hasn't been "polluted."
The acquisition of medical records is "intentional and deliberate," Arevalo says, and "we're not done" seeing hacks. As institutions respond, shoring up defenses and meeting compliance requirements, they can't forget that "there's human beings on the other end of the data."