Healthcare became the most hacked industry in 2015, surpassing financial services. It now accounts for almost 27% of all data breaches, and 72% of those breaches occurred on the networks of healthcare providers.
A recent two-week period saw six different network breaches reported to the Department of Health and Human Services, compromising the electronic protected health information (ePHI) data of over 70,000 individuals. To make matters worse, cyber attacks against the healthcare industry have increased 40% year-over-year every year since 2009.
The financial incentives for stealing ePHI data are growing dramatically.
With the black market glutted with credit card information, many criminal syndicates have shifted to more lucrative healthcare data. Because the medical reimbursement system currently lacks the controls found in the financial services industry, healthcare records are highly monetizable. Often the stolen ePHI data allows these groups to commit Medicaid/Medicare fraud by submitting fraudulent claims.
Such attacks threaten HIPAA compliance in a couple of different ways, and the paths to recovery from an attack are also beset with HIPAA compliance risks. Healthcare organizations must devise a recovery plan accordingly.
When healthcare organizations are hit with an attack, how can they balance a quick recovery with the care needed to maintain HIPAA compliance? It’s not as simple as you might think.
What Makes HIPAA Compliance So Difficult?
While HIPAA requirements are similar to other regulations and standards, there are two unique aspects to compliance: First, healthcare organizations must have access to their ePHI data at all times, no exceptions.
The importance of this is understandable, as the information in an ePHI record can save lives. If a hospital cannot access the patient record that shows you are allergic to a certain medication, that medication could kill you. Note that it is not enough to have the data safely stored; it has to be accessible by the doctors and others who need it. That means that both the applications and the data must be available.
The second unique HIPAA requirement is to keep ePHI data secure at all times. If a healthcare organization is in the midst of a disaster and it has failed over to servers stashed in a small closet down the street, all the same rules about data protection still apply. If ePHI data is lifted from a secondary or tertiary location, it is still a full-blown HIPAA violation, regardless of whether Hurricane Sandy has flooded the entire neighborhood or there is a cyber attack in progress.
In other industries, organizations have the option to delay coming back online by 24 or 48 hours, until they are ready. With these two unique requirements, healthcare providers cannot do that.
Signs Your Security Is Weak
With ePHI data now becoming the most monetizable type of sensitive data, and with different nation states and anarchist groups trying to create havoc, healthcare organizations must look at cyber security differently.
There are lessons to learn from other breaches outside of healthcare. The 2014 hack of Sony Pictures Entertainment in particular offers a gauge for how vulnerable an organization can be. Based on media reports of the attack, Sony likely had what is called a “flat network,” where everything was connected to everything else on the same network segment. Once the hackers gained access to the network, they had access to literally everything. The attackers also undermined Sony’s backup system and its access to existing backups, which compounded the problem. The damage might have been mitigated with good production environment design and disaster recovery planning.
Many healthcare organizations’ network architectures leave them susceptible to similar attacks. Ransomware uses CryptoLocker-style techniques to move through a network, much like a virus, encrypting and blocking access to everything it can find. If you have a recovery site that’s completely separate, managed by a different team and monitored through a careful replication process, then you can wipe your primary site clean and simply recover from backup. However, if your recovery site isn’t isolated from production, the attack can often compromise the secondary site as well.
When ransomware or malware is combined with insider access, it’s even more important that the recovery site is truly separated from the core IT team. Most hospitals have a lean staff, so they don’t have true two-person integrity and separation of duties. The same individual is managing a huge number of systems, both on primary and secondary sites.
Building a HIPAA-Compliant Recovery Program
So what policies and procedures should healthcare providers have in place in case of an attack? How can they develop a plan that prioritizes a quick recovery while following HIPAA to the letter? It is not something you can decide in a conference room. Your cyber attack recovery plan should be tested thoroughly, exercising the infrastructure and all of the people, processes, and systems involved. Only then will the organization know if it has a viable recovery plan.
Here are four steps toward making that happen:
1. Conduct a business impact analysis in disaster recovery planning to identify the key sensitive data governed by HIPAA and what systems help deliver them to the end user and customer.
2. Build out a fully redundant secondary or tertiary site with, ideally, very rapid replication through cloud-based recovery.
3. Maintain this second or third site separately from the primary production environment. If it is maintained the exact same way as the production site, ransomware can eat through the production environment and be replicated to the secondary site, corrupting your backup data. The same holds true if you have insiders go rogue and destroy the production site — they should not have access to the secondary site to do even more damage. Ideally, that secondary site should be run by a totally different group, and that’s where a managed recovery provider can assist. Using an outside service provider offers a totally separate Active Directory structure, separate access controls, and separate personnel who are completely independent from whoever is managing the production environment.
4. Implement a thorough security program. This is more than just technology; it involves the right processes and procedures for your business requirements. Put security controls in place at both your production and recovery sites, and add incident response capabilities to face any issue. Perform regular security testing of the production site and of the secondary and tertiary sites, and, most importantly, conduct regular cyber disaster drills to ensure your recovery procedures still work exactly as planned.
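As an added illustration of steps 3 and 4 (this is example code, not code from the article or from Sungard AS), the following Python audit checks a constructed inventory for the three isolation gaps described above: administrators shared between production and recovery sites, a recovery site that authenticates against the same identity domain as production, and replication that keeps no point-in-time snapshots, so encrypted data would simply overwrite the backup. The site names, domains and account names are constructed for the example.

```python
# Isolation audit for a production/recovery inventory (added example, not from the article).
# The inventory format and every name below are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Site:
    name: str
    role: str                      # "production" or "recovery"
    identity_domain: str           # directory (e.g. AD forest) the site authenticates against
    admins: set = field(default_factory=set)

@dataclass
class ReplicationJob:
    source: str
    target: str
    retained_snapshots: int        # 0 means the target is overwritten by the latest copy

def audit(sites, jobs):
    """Return a list of findings; an empty list means the isolation checks pass."""
    findings = []
    by_name = {s.name: s for s in sites}
    prod = [s for s in sites if s.role == "production"]
    recov = [s for s in sites if s.role == "recovery"]
    for p in prod:
        for r in recov:
            # Separation of duties: nobody should administer both sites.
            shared = p.admins & r.admins
            if shared:
                findings.append(f"{p.name}/{r.name}: shared admins {sorted(shared)}")
            # A shared directory means one stolen credential unlocks both sites.
            if p.identity_domain == r.identity_domain:
                findings.append(f"{p.name}/{r.name}: same identity domain {p.identity_domain}")
    for j in jobs:
        tgt = by_name.get(j.target)
        # Replication with no point-in-time copies pushes ransomware-encrypted data over the only backup.
        if tgt and tgt.role == "recovery" and j.retained_snapshots == 0:
            findings.append(f"{j.source}->{j.target}: replication keeps no snapshots")
    return findings

# Constructed sample inventory: a lean hospital IT team that runs its own DR site,
# plus a managed recovery provider's site with its own directory and staff.
SITES = [
    Site("hosp-prod", "production", "corp.example", {"alice", "bob"}),
    Site("hosp-dr", "recovery", "corp.example", {"bob"}),
    Site("mrp-dr", "recovery", "mrp.example", {"carol"}),
]
JOBS = [ReplicationJob("hosp-prod", "hosp-dr", 0), ReplicationJob("hosp-prod", "mrp-dr", 14)]

if __name__ == "__main__":
    for finding in audit(SITES, JOBS):
        print("FINDING:", finding)
```

Run against the sample inventory, the self-managed DR site produces all three findings while the provider-run site produces none.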
Recovery Best Practices
Maintaining HIPAA compliance during any type of disaster, especially during a cyber attack, is challenging. The threats are increasing, even as information systems grow ever more complex. More day-to-day work is happening online, and an attack can easily put essential systems such as MRI scanners out of action and send the entire organization back to managing patients with paper and hand-written notes.
Cyber security disaster recovery works best when the overall resilience of both the production and the recovery networks is considered as a whole. The best approach is to build resilience into every level, making it less likely that the systems will go down in the first place. Harden the production environment and make sure it is resilient. Certainly, invest in replicating critical systems to a secondary or tertiary site so they are recoverable in case of a disaster, but the goal is to never need the disaster recovery plan because the active-active production systems have been hardened in a way that enables them to take a hit and respond to it.
Matthew Goche is a vice president in Sungard AS’ consulting business, responsible for security services. He spends his days educating organizations on the risks to their business, brand, data, employees, and customers posed by security vulnerabilities. He can be contacted at firstname.lastname@example.org.