Technology and Health Care 24 (2016) 1–9 DOI 10.3233/THC-151102 IOS Press

1

Review Article

Cyber threats to health information systems: A systematic review Raul Luna, Emily Rhine, Matthew Myhra, Ross Sullivan and Clemens Scott Kruse∗ Texas State University, San Marcos, TX, USA Received 25 August 2015 Accepted 21 September 2015 Abstract. BACKGROUND: Recent legislation empowering providers to embrace the electronic exchange of health information leaves the healthcare industry increasingly vulnerable to cybercrime. The objective of this systematic review is to identify the biggest threats to healthcare via cybercrime. OBJECTIVE: The rationale behind this systematic review is to provide a framework for future research by identifying themes and trends of cybercrime in the healthcare industry. METHODS: The authors conducted a systematic search through the CINAHL, Academic Search Complete, PubMed, and ScienceDirect databases to gather literature relative to cyber threats in healthcare. All authors reviewed the articles collected and excluded literature that did not focus on the objective. RESULTS: Researchers selected and examined 19 articles for common themes. The most prevalent cyber-criminal activity in healthcare is identity theft through data breach. Other concepts identified are internal threats, external threats, cyber-squatting, and cyberterrorism. CONCLUSIONS: The industry has now come to rely heavily on digital technologies, which increase risks such as denial of service and data breaches. Current healthcare cyber-security systems do not rival the capabilities of cyber criminals. Security of information is a costly resource and therefore many HCOs may hesitate to invest what is required to protect sensitive information. Keywords: Cyber threats, cybercrime, cyber security, cyber terrorism, internal threats, external threats

1. Introduction Health information systems (HIS) have much to offer in managing healthcare costs and improving the quality of care. Cyber criminals, however, are interested in the data housed in HIS that can be exploited for personal or commercial interests. Controls currently exist to keep these cyber-criminals activity at bay in most areas of information technology, but in some areas, innovation must fill a security void. Through a systematic review of academic literature, this manuscript attempts to outline basic benefits that the existence and correct use of HIS offers, the threats that exist to HIS, controls that are readily available, and areas where further research and innovation needs to intervene in order to maintain security for both the patient and the organization. ∗ Corresponding author: Clemens Scott Kruse, 601 University Drive, College of Health Professions, rm 254, Texas State University, San Marcos, TX 78666, USA. Tel.: +1 210 355 4742; E-mail: [email protected].

c 2016 – IOS Press and the authors. All rights reserved 0928-7329/16/$35.00 

2

R. Luna et al. / Cyber threats to health information systems: A systematic review

Digital technology allows for better connectivity and provides stakeholders a plethora of benefits. In healthcare, health information systems, such as the electronic health record (EHR), provide a record of continuity over a continuum of care, ideally over the course of a patient’s lifetime. For a provider, health information systems have the potential to provide key information critical to care for either the management of chronic conditions or to emergency medicine. For the patient, health information systems enable patients to access lab results, reorder prescriptions, securely communicate with his/her provider, and HIS have the potential to engage the patient in the medical decision, which enables providers to meet the Joint Commission’s National Patient Safety Goal (NPSG) number 13. For the healthcare executive, HIS enables strategic decision making and identifies areas for investment or concentration. For the researcher, HIS provides aggregated data for analysis. For the government, HIS helps public health identify health trends across a country or region, and provides support for data-driven public policy. In a single-payer healthcare system, IT governance can provide enterprise-level savings of hundreds of millions of dollars [1]. Conversely, due to the data-rich environment that HIS creates, this digital space also creates a breeding ground for criminal activity. Security threats to HIS can be internal or external. The threat of cybercrime became mainstream in the 1990s; however, most crime of this nature targeted retail and financial organizations. In HIS, cyber criminals could steal or corrupt personalized health information (PHI), which could create problems for patients, payers, health care organizations, and on an extreme level, to a nation. Cybercrime in the healthcare industry became prominent within the past decade and has progressively developed into a massive threat; e.g., Anthem Health and the data breach of 80 million patients. Cybercrime poses a serious threat to the healthcare industry, and data breaches remain a serious cause for concern. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered entities to implement safeguards to ensure the protection of sensitive information [2]. In 2009, Congress signed the Health Information Technology for Economic and Clinical Health (HITECH) Act into law [3]. Under this legislation, regulations pertaining to covered entities providing breach notifications were established. The HIPAA Breach Notification Rule requires HIPAA covered entities to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act [4]. Health information systems cover a wide range of digital technology and are increasingly playing a role in almost all processes, such as patient registration, data monitoring, lab tests and radiology. About 95% of eligible hospitals have adopted health information technology and demonstrated meaningful use of this technology (U.S. Department of HHS, n.d.) Electronic health records are versions of a patient’s medical history maintained by the provider over time, and may include administrative clinical data relevant to a person’s care (CMS, 2012). In addition, healthcare mobile applications are now available which can enable individuals to access their Personal Health Records (PHRs) anywhere there is either a cellular or wifi connection. A person’s PHRs differ from EHR systems because intended healthcare data is owned and managed by the patient, versus the provider [5]. These PHRs and EHRs contain large portions of sensitive information in an electronic format, and are readily available to anyone who can gain access. The purpose of this systematic review is to identify the largest threats to the major benefits that HIS has to offer, and to affirm the healthcare organizations’ focus on cybercrime. The rationale behind this systematic review is to provide a framework for future research by identifying the themes and trends seen from cybercrime in the healthcare industry. Furthermore, this research will attempt to operationally define these key themes and trends for use in future research.

R. Luna et al. / Cyber threats to health information systems: A systematic review

3

Fig. 1. The literature review process.

2. Methods 2.1. Overview Literature gathered for this review were obtained from four separate databases: (CINAHL) Complete via Ebson B. Stephens Company (EBSCO host) excluding MEDLINE, Academic Search Complete via EBSCO host, and PubMed (which queries MEDLINE), and ScienceDirect. Search criteria focused on various cyber threats to patient health information (PHI). The authors independently reviewed the articles and independently summarized the findings suitable for this review. 2.2. Sample Researchers queried databases using an array of Boolean search terms and phrases used in different combinations to find relevant articles. Searches were limited to peer-reviewed journal articles, full-text, US-based, English language, and date range of 2008–2015. One article found in the CINAHL database search directed us to the “Health Care Cyberthreat Report”, which is sponsored by Norse Corp and published by the SANS Institute. The chosen timeframe was relatively slim; this was because cybercrime was not recognized as a legitimate threat to PHI until the last decade. Figure 1 illustrates the literature review process. Common search criteria with Boolean operators were used for CINAHL and MEDILINE, but searching and filtering within Science Direct was not as advanced the other databases. In all searches, key terms such as “privacy”, “security”, and “crime” were used in various combinations because the different order revealed articles that other combinations missed.

4

R. Luna et al. / Cyber threats to health information systems: A systematic review

3. Results Researchers examined 19 articles for common themes. All reviewers made and compared summaries of the articles for consensus. At least one reviewer read all 19 articles in order to increase reliability and ensure relevance to the objective. Table 1 provides a more detailed summary of each article. 3.1. Themes An abstraction (Fig. 2) breaking down cybercrime into subcategories was created using the reviewed literature and background searches. Internal and external threats were recurring themes derived from the literature and listed below as the subcategories of cybercrime. The next step was to create a list of specific direct and indirect threats to healthcare systems from the internal and external categories. Note denial-of-service attacks can be internal or external and are some of the most crippling threats known to IT systems.

Fig. 2. Categories of cybercrime.

4. Discussion Research suggests that data breaches pose the greatest threat to health information systems. The proliferation of medical devices offer many new points of entry to data systems, which largely contribute to data breaches. Threats to data privacy and information security are categorized into two broad areas: (1) internal threats that arise from inappropriate access of sensitive data by internal parties exploiting vulnerability of information systems, and (2) external threats arising from outside agents in the information flow chain exploiting the disclosed data beyond its intended use. The Norse-Corp threat intelligence infrastructure is a global network of sensors analyzing over 100 terabytes of daily traffic. In a study conducted between September 2012 and October 2013, Norse discovered 49,917 unique malicious events and 723 unique malicious source IP addresses among 375 U.S.-based compromised healthcare-related

R. Luna et al. / Cyber threats to health information systems: A systematic review Table 1 Synopses of articles included in the review Title Medical Data Breaches: Notification Delayed is Notification Denied [5] Cybersquatting Gives the Web a Bad Name Again [6] A Little Information Goes a Long Way: Expertise and Identity Theft [7] Responding to Organized Crime Through Intervention in Recruitment Pathways [8] A New Security Model to Prevent Denial-of-Service Attacks and Violation of Availability in Wireless Networks [9] Cyberterrorism: Is the U.S. Healthcare System Safe [10]? Detecting Inappropriate Access to Electronic Health Records Using Collaborative Filtering [11] Using a Prediction Model to Manage Cyber Security Threats [12] Concern about Security and Privacy and Perceived Control Over Collection and Use of Health Information are Related to Withholding of Health Information from Healthcare Providers [13] Security Practices and Regulatory Compliance in the Healthcare Industry [14] In a ‘Trusting’ Environment, Everyone is Responsible for Information Security [15] A Decision Methodology for Managing Operational Efficiency and Information Disclosure Risk in Healthcare Processes [16] The Impact of Personal Dispositions on Information Sensitivity, Privacy Concern and Trust in Disclosing Health Information Online [17] Impact of HIPAA Provisions on the Stock Market Value of Healthcare Institutions, and Information Security and Other Technology Firms [18] The Economics of Cybersecurity: Principles and Policy Options [19] Healthcare Biometrics - Defending Patients and Their Data [20] Interdependency-Induced Risk with Applications to Healthcare [21] Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon [22]

Synopsis Summarized data-breach laws (US and Europe), the HITECH Act, assessment of penalties, causes of theft of PHI, and costs for both pt and HCO. Introduced cybersquatting in various industries and financial implications associated with extortion. Provided possible defenses. Differentiated ID theft versus ID fraud. Showed behavioral traits criminals in cybercrime exhibit and various levels of criminality. Identified 3 levels of organized crime, the processes involved in recruitment, and the opportunities that motivate participants in organized crime. Describe denial of service (DoS) attacks on the IT infrastructure. Authors provided 2 solutions to mitigate the damage inflicted by cyber attackers. Defined cyberterrorism and discussed hypothetical scenarios that would impede pt care and disruption of services. Provided insights on inappropriate access and proposed a collaborative-filtering approach to predict inappropriate accesses. Results significantly improved performance over existing methods. Introduced a mathematical model to predict the impact of an attack based on major factors that influence cyber security. Assessed the perceptions and behaviors of US adults concerning security of protected health info and how likely they are to withhold info from providers. Analysis identified 3 clusters (leaders, followers, and laggers) based on security practice patterns. Provided security practice benchmarks for HC administrators and policy makers. Discussed the vulnerability of info security in HC due to the ’trusting’ culture of health professionals and how they themselves become "insider threats". Addressed personnel shortages and mandates to safeguard pt safety and info security. Analyzed clinical workflow to illustrate practical benefits. Examined intrinsic (psychological) factors that impact trust of online systems such as EHRs. Examined agreeableness, extraversion, emotional instability, consciousness, and intellect. A person’s agreeableness was the most significant trust trait. Covered HIPAA legislation from 1996–2010 and how changes impacted healthcare institutions, IT companies, and IS companies. Covered origin of threats to sensitive information. Discussed economic barriers to improving cyber security and offered solutions to improve security and transparency. Compared the adoption of biometric technology in healthcare between the US and Europe. Discussed rise of technology and growing dependencies on multiple systems to run seamlessly. Assessed critical infrastructure themes in HC and implications to risk mgt. Reported 2014 threats, compliance issues, and biggest culprits to cybercrime in the world of HC IS systems. Also provided advice to administrators to improve info security.

5

6

R. Luna et al. / Cyber threats to health information systems: A systematic review

organizations [22]. Within Norse-Corp’s 2014 Health Care Cyberthreat Report, they cite the Ponemon Institute’s report indicating some 94 percent of medical institutions reported their organizations have been victims of a cyber-attack. The SANS institute found that many devices and systems can be compromised. These types of devices include radiology imaging software, video conferencing systems, digital video systems, call contact software, security systems and edge devices such as VPNs, firewalls and routers [22]. Most of the malicious traffic passed through VPN applications and devices (33 percent), whereas firewalls sent 16 percent, routers sent 7 percent and enterprise network controllers (ENCs) sent 3 percent. Also compromised were individual PHRs. In a PHR system, the patient record and an institution’s EHR may not interconnect, and therefore a PHR has no privacy breach protection under HIPAA or the HITECH Act. In the 2013 survey, Ponemon estimated close to 2 million Americans spent over $12 billion out of pocket to deal with consequences of their compromised medical or insurance files [22]. In February of 2015, the Ponemon published their Fifth Annual Study on Medical Identity Theft. The study reports that since the fourth annual study, medical identity theft has risen 21.7 percent. The retail and financial industries who have traditionally been the target of cybercrime have more experience and are better able to mitigate breaches than healthcare organizations [24]. Criminals have also had time to organize into sophisticated cells with the explicit purpose of gathering sensitive information for nefarious purposes. Cyber criminals have forced the healthcare industry to address identity theft issues and healthcare is currently at a sizable disadvantage when it comes to cybercrime. Identity theft and identity fraud are not synonymous. Identity theft only involves the extraction of the information. Identity fraud is the unlawful use of the data for nefarious purposes [7]. The importance of this distinction is paramount because criminal elements are also categorizing their objectives when conducting cybercrime. This theft of medical identification is growing due to the financial incentives involved. A medical record is currently worth more than a Social Security number on the black market. Criminals have created objectives to extract sensitive medical information with the intent to sell the information on the black market. Others may use this information to commit identity fraud for the benefit of their illegitimate medical practices, or with the primary goal of Medicare fraud. With increasing reliance on technology and critical infrastructure systems, healthcare organization must prepare for the likelihood of cyberterrorism. Dependence on this technology increases the likelihood of individuals or organizations conducting activities through the internet that will cause physical and/or psychological harm [10]. The concept of cyberterrorism can come in many forms, however, the end goal of cyberterrorists is to inflict harm and generate fear. Healthcare is particularly vulnerable, not only to data breaches, but also to the disruption of services. Compromised computerized health services may lead to improper patient care by indirect consequences. An example of this could be an attack on the telecommunication system and the multiple logistics that affect operations in healthcare facilities [10]. Financial schemes and vengeful employees are the most common reasons for launching a cyber-attack. A hypothetical cyber-attack outlined at a cyberterrorism seminar at the University of California Davis showed hackers beginning their attack through “phishing” emails to introduce malware packages into a hospital network. These packages initiated sequences of attacks days apart. The first attack would infect patient records and alter physician’s medication orders. The second attack would interfere with portable devices used by providers to record patient data. The third attack would be on intensive care unit monitors, sounding alarms and changing displays. The fourth and final attack would infect software controlling drug infusion pumps and similar treatment devices. Although the above mentioned scenario is fiction, a survey revealed 71 percent of senior IT executives believe that cyberterrorism is a true threat and could cause real harm to America’s critical infrastructure [10].

R. Luna et al. / Cyber threats to health information systems: A systematic review

7

A separate case study of three healthcare entities revealed cybercrime trends can differ from site to site and cyber criminals are strategic and intentional in their attacks. In an attack in Florida at a medical supply company in November 2012, hackers used the organization as reconnaissance to access other organizations. Malicious activity came from 28 neighboring IP addresses and 5 destination ports. According to investigators, this activity indicated the compromise of the company’s call center operations [22]. Criminal cyber activity at a second healthcare organization between April and October of 2013 gave investigators the impression that the organization had no idea information was compromised. The attack of the large, Northeastern medical conglomerate involved 227 contiguous IP addresses, 35 destination ports, and a number of associated network services. The source IP addresses led investigators to believe that these cyber criminals were affiliates or partners of the parent company. This internal threat gave breadth to a multitude of possible compromises to several areas of the organization [22]. Investigators discovered 2,400 separate malicious events at a third site during the final quarter of 2012. All events involved one IP address and destination port. This particular attack involved targeting remote desktop sessions, which has become quite common in healthcare. The third site provides services for nearly 80 percent of primary care physicians in its area, opening up vulnerabilities to 300 patients and 80 employees daily [22]. 5. Conclusion Health information systems encompass a broad assortment of technologies involved in managing and sharing patient information electronically. The industry has now come to rely heavily on these technologies, which present risks that can lead to denial-of-service and data breaches. The security of information is a costly resource and many HCOs may hesitate to invest what is required to protect sensitive information. Economic barriers to the adoption of security systems include misaligned incentives, information asymmetries, and externalities. Covered entities defined by HIPAA focus on what is necessary to meet federal requirements, but still lack the proper security measures that have protected other healthcare organizations. Data breaches are the number one threat to healthcare organizations and, more specifically, identity theft is the main factor motivating future security threats. The primary limitation to this study is the sample size of the literature review. Expanding search limiters to include other research databases not affiliated with healthcare research will increase the sample. Including earlier research by expanding the time-frame filter will also help to increase the sample size. The final noteworthy limitation is the time restraints for this literature review. Future research may focus specifically on threats to EHRs, economic barriers to cyber security, cybercriminal behaviors or the evolution of cyberterrorism. Acknowledgements This manuscript began as a directed-research project in a master’s level class. Over time, it has evolved to the product that we submit today. Operational definitions Cyberterrorism: The convergence of terrorism and cyberspace directed towards a computer or network of information. This attack or breach steals information to damage or cause fear to an individual or group [10].

8

R. Luna et al. / Cyber threats to health information systems: A systematic review

Cyber Security: All practices, procedures, and technologies used to protect networks such as HISs from unauthorized access or attack from hackers. Cybersquatting: When a person other than the owner of a well-known trademark registers that trademark as an Internet domain name and then attempts to profit from it either by ransoming the domain name back to the trademark owner or by using the domain name to divert business from the trademark owner to the owner of the domain name [23]. Data breach: The acquisition, access, use, or disclosure of unsecured data, in a manner not permitted by the HIPPA.4 Denial-of-Service: Short for denial-of-service attack is a type of attack on a network designed to bring the network to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols [9]. External threats: Any intentional or unintentional, harmful, malicious event that is caused by people or systems that are unaffiliated with a healthcare institution. Identity Theft: Identity Theft Assumption and Deterrence Act (ITADA) of 1998 states that identity theft occurs when a person “knowingly transfers, possesses or uses, without lawful authority, a means of identification of another person with the intent to commit. . . a violation of Federal law, or [an act] that constitutes a felony under any applicable State or local law” [7]. Internal threats: The intentional or unintentional harmful event caused by people [or systems] with legitimate, authorized access to information systems within an organization’s network [15].

References [1]

Hillestad R, Bigelow J, Bower A, Girosi F, Meill R, Scoville R., Taylor R. Can electronic medical record systems transform health care? Potential health benefits, savings, and costs. Health Affairs, 2005;24(5): 1103-1117. [2] Health Insurance Portability and Accountability Act (HIPPA). 45 CFR §§164.530(c). (1996). [3] Health Information Technology for Economic and Clinical Health Act (HITECH). 42 U.S.C. §201. (2009). [4] U.S. Department of Health and Human Services [homepage on the Internet]. Breach Notification Rule. 45 CFR §§164.400-414. Washington, D.C.: [updated 2010; cited 2015 Aug 23]. Available from: http://www.hhs.gov/ocr/privacy/ hipaa/administrative/breachnotificationrule. [5] Kierkegaard P. Medical data breaches: Notification delayed is notification denied. Computer Law and Security Review. 2012; 28(2): 163-183. Available from: doi:10.1016/j.clsr.2012.01.003 [6] Koehler W. Cybersquatting gives the Web a bad name. Searcher. 2008; 16(8): 12. [7] Vieraitis L, Copes H, Powell Z, Pike, A. A little information goes a long way: Expertise and identity theft. Aggression and Violent Behavior. 2015; 20. Available from: doi:10.1016/j.avb.2014.12.008. [8] Smith RG. Responding to organised crime through intervention in recruitment pathways. Trends & Issues in Crime & Criminal Justice. 2014; 473: 1-9. [9] Malekzadeh M, Ghani AA, Subramaniam S. A new security model to prevent denial-of-service attacks and violation of availability in wireless networks. International Journal of Communication Systems. 2012; 25(7): 903-925. Available from: doi:10.1002/dac.1296. [10] Harries D, Yellowlees P. Cyberterrorism: Is the U.S. Healthcare System Safe? Telemedicine and E-Health. 2013; 19(1): 61-66. doi:10.1089/tmj.2012.0022. [11] Menon A, Jiang X, Kim J, Vaidya J, Ohno-Machado L. Detecting inappropriate access to electronic health records using collaborative filtering. Mach Learn. 2013; 95(1): 87-101. Available from: doi:10.1007/s10994-013-5376-1. [12] Jaganathan V, Cherurveettil P, Muthu Sivashanmugam P. Using a Prediction Model to Manage Cyber Security Threats. The Scientific World Journal. 2015; 703713. Available from: doi:10.1155/2015/703713. [13] Agaku IT, Adisa AO, Ayo-Yusuf OA, Connolly GN. Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. Journal of The American Medical Informatics Association 2014. Journal of the American Medical Informatics Association. 21(2): 374-378. Available from: doi:10.1136/amiajnl-2013-002079. [14] Kwon J, & Johnson ME. (2013). Security practices and regulatory compliance in the healthcare industry. Journal of the American Medical Informatics Association. 2013; 20(1): 44-51. Available from: doi:10.1136/amiajnl-2012-000906.

R. Luna et al. / Cyber threats to health information systems: A systematic review [15] [16] [17] [18] [19] [20] [21] [22] [23] [24]

9

Williams PA. In a ‘trusting’ environment, everyone is responsible for information security. Information Security Technical Report. 2008; 13(4): 207-215. Available from: doi:10.1016/j.istr.2008.10.009. Bai X, Gopal R, Nunez M, Zhdanov D. A decision methodology for managing operational efficiency and information disclosure risk in healthcare processes. Decision Support Systems. 2014; 57: 406-416. Available from: doi:10.1016/ j.dss.2012.10.046. Bansal G, Zahedi F, Gefen D. The impact of personal dispositions on information sensitivity, privacy concern and trust in disclosing health information online. Decision Support Systems. 2014; 49: 138-150. Available from: doi:10.1016/ j.dss.2010.01.010. Khansa L, Cook DF, James T, Bruyaka O. Impact of HIPAA provisions on the stock market value of healthcare institutions, and information security and other information technology firms. Computers & Security. 2012; 31: 750-770. Available from: doi:10.1016/j.cose.2012.06.007. Moore, T. The economics of cybersecurity: Principles and policy options. International Journal of Critical Infrastructure Protection. 2010; 3: 103-117. Available from: doi:10.1016/j.ijcip.2010.10.002. Gold S. Feature: Healthcare biometrics – defending patients and their data. Biometric Technology Today. 2010; (7): 109-11. Available from: doi:10.1016/S0969-4765(10)70145-4. Katina PF, Ariel Pinto C, Bradley JM, Hester PT. Interdependency-induced risk with applications to healthcare. International Journal of Critical Infrastructure Protection. 2014; (7): 12-26. Available from: doi:10.1016/j.ijcip.2014.01.005. SANS Institute. Health Care Cyberthreat Report 2014:2-41. [updated 2014, cited 2015 Aug 20]. Available from http:// pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf. Legal Information Institute [homepage on the Internet]. Available from: http://www.webcitation.org/6ai9asM04. EMC, 2013. Cybercrime and the Healthcare Industry. [cited 2015 Aug 20]. Available from: http://www.emc.com/colla teral/white-papers/h12105-cybercrime-healthcare-industry-rsa-wp.pdf.

Cyber threats to health information systems: A systematic review.

Recent legislation empowering providers to embrace the electronic exchange of health information leaves the healthcare industry increasingly vulnerabl...
563B Sizes 1 Downloads 14 Views