Healthcare continues to see staggering growth in breaches to patient health information. In the first half of 2019 alone, 32 million health records were breached, compared to 15 million records in the entire year of 2018. However, this trend of growing cyber breaches in healthcare is likely to persist due to the following characteristics of the healthcare industry:
- Healthcare organizations have a treasure trove of highly sensitive patient health information. Information such as date of birth, social security number, credit card data, insurance information and medical records command a high price on the dark web.
- To facilitate efficient delivery of care, there is a proclivity for sharing this highly sensitive data within the healthcare industry. This data sharing broadens the threat landscape.
- The healthcare industry invests 4% – 7% of revenue on cybersecurity initiatives. By comparison, the financial industry — with less valuable data — invests 15% of revenue on cybersecurity initiatives.
While hackers continue to be a significant instigator of cyber breaches, according to the Verizon Data Breach Investigation Report (DBIR), insiders are the main source of cyber breaches in healthcare — 59% of healthcare breaches in 2018 were due to insiders, compared to 42% of external actors. Not only are patient health records such as insurance member ID and Social Security Numbers at risk due to insider threat, but medical imaging records are also jeopardized.
Medical imaging is a critical aspect in the delivery of patient care. Imaging records are now digitized and often stored on picture archiving communication systems (PACS), which enables the sharing of medical images to facilitate the delivery of care. However, cybersecurity measures to protect patient health information are often not implemented.
A recent report by ProPublica showed that medical imaging data of over 5 million patients in the United States are publicly available on the internet. As a result of 187 misconfigured servers, medical imaging data, often containing identifiable patient information that should be protected, is “sitting unprotected on the internet and available to anyone with basic computer expertise.” Researchers discovered over 13.7 million medical tests, including 400,000 with downloadable images. These imaging records were stored on servers, including systems used for archiving medical images, without a robust solution in place to monitor for unauthorized changes or to ensure the servers were securely configured and in compliance with regulatory standards. These medical images include MRI, X-Rays and accompanying identifiable patient data that could be used for blackmail.
Due to the vulnerabilities in picture archiving communication systems (PACS), Tripwire partnered with the National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), along with other technology collaborators, to develop cybersecurity guidance for securing PACS. According to the NCCOE, “compromises on PACS could result in significant data loss, could serve as an avenue to cause disruption through a hospital’s system, or should the information be altered or misdirected, could impede timely diagnosis and treatment.”
The guidance Tripwire developed in collaboration with NIST as part of the National Cybersecurity Center of Excellence for Securing PACS for healthcare is intended to help develop practical, interoperable cybersecurity approaches that address the real-world needs of complex Information Technology (IT) systems. This guidance offers healthcare organizations a detailed description of the practical steps needed to implement a cybersecurity solution to secure PACs based on standards and best practices.*
For example, Tripwire Enterprise was used for device hardening and configuration controls. Tripwire Enterprise monitored server configurations to ensure there were no unauthorized changes and to maintain a secure configuration posture. Tripwire Enterprise was also used to monitor file system changes as well as evaluate the servers for policy compliance to ensure compliance of the critical servers with the prescribed policies.
The full guidance for securing picture archiving communication systems (PACS) can be downloaded for free at http://www.nccoe.nist.gov/pacs.
*While the example implementations use certain products, NIST and the NCCoE do not endorse these products. The guide presents the characteristics and capabilities of those products, which an organization’s security experts can use to identify similar standards-based products that will fit within with their organization’s existing tools and infrastructure.