Hackers used malware to penetrate Community Health Systems' firewall, and once inside, they made off with some 4.5 million medical records — a staggering but not surprising number to cyber security professionals.
While the uninformed may ask how such a thing could happen, the probable cause is user error. And with so many malicious apps on the market, it’s no wonder.
“The most likely path for the malware to get in is via the usual phishing attack that tricked someone into going to a compromised website,” said John Pescatore, a senior analyst at the SANS Institute. Pescatore said he has no inside information but that this is the most frequent explanation.
And that puts EHRs at risk. If one mobile device is compromised, the EHRs on the server are going to be vulnerable, according to Armando Orozco, mobile security expert and senior malware intelligence analyst for Malwarebytes.
Hackers use mobile devices “as a launch pad,” Orozco added.
Fake apps everywhere
Unlike the old days - the early to mid-'90s - when software was either purchased at a store or sent via the IT department, users today go to the Apple App Store or Google Play Store and download. For very few dollars every kind of application imaginable is available.
Unfortunately, unlike the old days, what users don’t know is where the software came from and where it is really going. No matter how much security is layered into the end-point application, EHRs at the other end, sitting behind elaborate firewalls created by the best security experts money can buy, are still seeing millions of medical records stolen annually.
The latest estimate since reporting became a requirement is that about 30 million records are at risk due to theft, data loss, hacking and unauthorized access, according to the Department of Health and Human Services.
[Commentary: Is healthcare a right or a responsibility?]
A 2014 report from Trend Micro on mobile applications, “Fake Apps,” found that “as of April this year, of the 890,482 sample fake apps discovered from serious sources, 394,263 were detected as malware.”
While 77 percent of the 50 most popular mobile applications had fake versions, 40 percent of the applications categorized as medical were also phony applications made to look just like the real thing. Of that 40 percent, half were deemed “malicious.”
What to know
Anti-virus software is the most commonly faked application category for mobile devices. Virus-Shield, which had been in Google’s Play Store until it was recently removed, saw 10,000 downloads and was given a 4.7-out-of-5 star rating system. Sold for only $3.99, it quickly became one of the top paid-for applications on Google’s site.
Until, that is, it turned out that all of its protection claims were bogus.
Games and Instant messaging applications are also popular to hackers, according to Trend Micro. And here even BlackBerry, which typically gets high marks for stopping cyber attacks, was a victim. BlackBerry Messenger (BBM) IM fell victim to a “Trojanized” version when an early, unreleased version was hacked and offered to users before its official release on Google’s site.
What you need to do
The first line of defense for hospital administrators is to ask vendors whether their solutions are “HiTrust” (Health Information Trust Alliance) certified. HiTrust, made up of executives from the tech and healthcare industries, is responsible for developing and constantly updating its Common Security Framework.
The framework is designed for any organization that creates, accesses, stores or exchanges medical or financial information and, as such, includes a “prescriptive set of controls” prior to certification.
Beyond certified security
Mobile devices should include a second level of security to create another line of communication into the EHR. Multifactor authentication can take the form of requiring a PIN number when the user first logs in. In this two-step process, once the user signs in, he or she is asked for an e-mail address, to which a PIN number will be sent. The user must retrieve the PIN and then return to the site before entry.
Another two-step design requires every user to have a “mobile” token on his or her device, which is registered with the system. When the user logs in, the system checks for the token before allowing entry.
Unauthorized access via malware alone, however, isn't the only way mobile data is inherently insecure. The biggest security issue with mobile devices occurs when they are lost or sold.
“Mobile devices are more frequently replaced, and then they show up on eBay with all the info on them,” Pescatore said.
Cloud options
Desktop-as-a-Service (DaaS) is yet another security model that hospital administrators are looking at seriously.
One cloud service provider, NaviSite, uses DaaS to virtualize the end-point mobile device and thus centrally control access to sensitive records. Services like NaviSites can see what data is stored on the mobile device, encrypt data with password control, remotely lock down and/or delete data and control what content and services can be stored on the device, according to NaviSite’s general manager, Sumeet Sabharwal.
“We are able to create containers on the device to abstract and separate out and create a work space away from personal,” Sabharwal said, “and enforce control on that work space.”
In a related announcement this week HyTrust, a cloud security services company, unveiled HyTrust Boundary Controls, which gives IT administrators the ability to define when and where virtual workloads (such as an EHR system) are able to run based on both geographic area and risk classification. If the data is copied or removed from its defined location, it will not run and cannot be decrypted.
No guarantees
Nothing is bulletproof. It's up to hospital administrators and their IT specialists to figure out how best to mitigate and plan for the risk.
“There is no silver bullet,” said Mick Coady, principal of PricewaterhouseCooper’s health information privacy and security advisory unit. “It is a question of cost (for an additional layer of security) vs. risk.”
Even with the more robust IT security controls in place, users and employees continue to be the weakest link, said Jeff Forristal, CTO of mobile data security company Bluebox Security.
“They misplace devices, they have weak passwords, they don’t log out of workstations, they inappropriately share information, they unintentionally expose the organization to more risk through errant actions, they can be tricked or social engineered,” Forristal explained. “They can be bribed.”
Part of the problem is that the mobile industry itself is immature - and until it matures, data protection will remain an issue. Beyond that, it's up to all the links in the healthcare chain to be as persistent in protecting patient data as the bad guys are in trying to steal it.
Ephraim Schwartz is a freelance writer based in Burlington, Vt. Schwartz is a recognized mobile expert and columnist, having spent 15 years as Editor-at-Large for InfoWorld, half of them covering the mobile space. Prior to that he was Editor-in-Chief of Laptop Magazine.
Related articles:
Tech titans' battle turns to mHealth
mHealth masters Q&A: Wireless-Life Sciences Alliance CEO Rob McCray
How IBM and Apple expect hospitals to use their mobile platform
