CERT Team Examines Health-Care Security Risks
September 21, 2010 • Announcement
September 24, 2010—In April 2009, newspapers were dominated with headlines about intruders breaking into a Virginia state website that pharmacists used to track prescription drug use. The intruders allegedly deleted records of more than 8 million patients and replaced the site's home page with a ransom note demanding $10 million.
Six months earlier, Express Scripts, one of the largest pharmacy benefit management companies in North America, announced that it had received a letter from an unknown person or persons trying to extort money from the company by threatening to expose millions of the company's patient records.
On a separate front, the federal government has made electronic medical records a national priority. In fact, the Health Information Technology for Economic and Clinical Health (HITECH) Act, a component of the American Recovery and Reinvestment Act (ARRA) of 2009, has mandated the widespread adoption and use of electronic health record (EHR) technologies. Health-care organizations now face the challenge of protecting patient information while minimizing the risks posed by this new requirement.
The issue has become a primary source of concern among health-care providers. According to a survey released in August by Imprivata Inc., 76 percent of organizations claim "breach of confidential information or unauthorized access to clinical applications" as their greatest security concern, and yet 38 percent report that they cannot track inappropriate access in accordance with the HITECH Act.
Far too often, the threats come from within an organization, according to Randy Trzeciak, a senior member of the technical staff at CERT and the insider threat team lead. Since its inception, the CERT insider threat team has studied internal malicious activity against organizations. The team has created a database of more than 400 insider threat cases that team members use to analyze potential indicators of malicious activity. The insider threat team has identified three types of insider threat crime:
- IT sabotage: An insider(s) sabotages systems or data to cause some harm to an organization.
- theft of intellectual property: An insider(s) steals confidential or sensitive information.
- fraud: An individual(s) modifies, adds, or deletes data from a database. This time of crime also includes individuals stealing large sets of data from an organization and selling that data to external parties, resulting in fraud (e.g., identity theft, credit card fraud) against the victims."
According to Trzeciak, health-care organizations are at risk because of the nature of information they collect. That risk often originates from within, and is primarily the result of fraud.
"If you look at information that health-care providers collect on patients, in many cases it is information that is personally identifiable. There could be a market for that particular data, which individuals could use to commit some type of identity theft," explained Trzeciak, adding that all organizations, not just those in health care, collect similar information about their employees.
With each passing year, medical facilities and hospitals rely more heavily on IT systems. This reliance makes them vulnerable to IT sabotage, which is often perpetrated at the hands of an employee. "Employees who conduct IT sabotage are disgruntled. There is a perceived injustice on the part of the individual. Often, there has been a negative workplace event that caused the person to become disgruntled and want to exact revenge against the organization," Trzeciak said.
Greg Porter, a visiting scientist at CERT and the founder of Allegheny Digital, a security and privacy services company based in western Pennsylvania, said there are many avenues where a breach of information can occur, including social media. And, he added, while health-care entities are more rapidly adopting new technologies, they often lag behind when it comes to securing those technologies.
"If ad hoc security management rules the day, as it does in plenty of health care organizations, it's just a matter of time until a breach occurs," Porter said. The resulting breach can cause serious consequences beyond legal fees. What if the IT system that is compromised is connected to a patient monitoring system? "People often focus on the data, health information itself, as they should, but consideration must also be given to critical internal systems, such as an IV infusion pump in the intensive care unit (ICU), that could be supporting a human life. What are the consequences if the integrity of those assets is compromised?"
To further complicate matters, the security and privacy regulations called for in the HITECH Act now apply not only to health-care organizations, but the businesses that work with them.
"Business associates like claims processors and medical transcription companies are all becoming quite concerned—and rightfully so. Information security isn't their specialty;it's not part of their core business. But without the right oversight, medical information can become exposed," explained Porter.
Porter said he wanted to collaborate with CERT because of programs like secure coding, resilience management, and insider threat where researchers are working to address these issues.
The CERT insider threat team has developed a number of resources to help organizations. These resources, available from the insider threat area of the CERT website, include "The Common Sense Guide to Prevention and Detection of Insider Threats," which outlines 16 steps that organizations can take to respond to insider malicious activity.
For more information about this work, visit www.cert.org/insider_threat/.
Randy Trzeciak and Greg Porter presented a webinar on September 23, as part of the SEI Webinar Series. The two discussed the effects of the recent regulations on the health-care industry and some of the essential elements that health-care technology executives should consider in order to secure patient information and systems from external threats. Porter also discussed the synergies between the HITECH Act's breach notification requirements and incident response programs.
To view the webinar, please visit
Photo caption: Randy Trzeciak