Abstract
The Internet has brought with it many benefits; key among them has been its ability to allow the expansion of communication and transfer of all kinds of information throughout the U.S. healthcare system. As a consequence, healthcare has become increasingly dependent on the activities carried out in that environment. It is this very dependence that increases the likelihood of individuals or organizations conducting activities through the Internet that will cause physical and/or psychological harm. These activities have become known by the term “cyberterrorism.” In the healthcare landscape this can appear in a variety of forms, such as bringing down a hospital computer system or publicly revealing private medical records. Whatever shape it takes, the general effects are the same: patient care is compromised, and trust in the health system is diminished. Fortunately no significant cyber attack has been successfully launched against a U.S. healthcare organization to date. However, there is evidence to suggest that cyber threats are increasing and that much of the U.S. healthcare system is ill equipped to deal with them. Securing cyberspace is not an easy proposition as the threats are constantly changing, and recognizing that cyberterrorism should be part of a broader information technology risk management strategy, there are several “best practices” that can be adopted by healthcare organizations to protect themselves against cyber attacks.
What Is Cyberterrorism?
The term “cyberterrorism” has yet to become a well-understood concept in healthcare. It has been defined as:
… the convergence of terrorism and cyberspace. It is generally understood to mean unlawful attacks against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objections. Further, to qualify as cyberterrorism, an attack should result in violence against persons or property, or at the least cause enough harm to generate fear. Attacks that lead to death or bodily injury, explosions, plane crashes, water contamination, or severe economic loss would be examples. 1
This definition captures the essence of what a cyberterrorist hopes to accomplish: to cause harm and generate fear. The healthcare industry is not immune from the cyberterrorist and will need to prepare for this daunting challenge, or sooner or later it will become all too aware of what the definition looks like in practice.
The healthcare sector provides a tantalizing opportunity for the cyberterrorist. To appreciate this, one only has to look at the size of the industry. Healthcare in the United States is a $2.5 trillion industry, or 17% of GDP in 2009, 2 and consists of about 595,800 establishments. 3 In addition, the distribution and use of information systems by the health sector and healthcare services are extensive. Healthcare entities often have to provide access to many external networks and Web applications so as to stay connected with their patients, employees, insurers, and business partners. As pointed out by Ramsaroop, 4 “a large number of applications are used by all types of organizations in support of the logistics and operation of health programs and healthcare provision, in the management of resources, for communication among providers and other stakeholders, to search and retrieve data from knowledge bases, and as a central component of diagnostic and therapeutic interventions.” In this context of widespread utilization and increasing interconnectivity and dependency on information and communication technologies, the health sector offers an attractive target for any would-be attacker. Cyberterrorism has the potential to enable terrorists to attack healthcare facilities with much greater ease than would occur with actual physical attacks. 5
What Is the Risk of a Cyber Attack for Healthcare Targets?
The degree to which a certain type of healthcare-related facility is considered a soft/easy target depends on what protective steps it has taken, and quantifying that risk is especially difficult with cyber threats. Cyberterrorism should be considered and integrated as part of the wider risk management process implemented by any information technology (IT) group, and some suggested guidelines will be discussed at the end of this article. Given the worldwide nature of the Internet, it is difficult to know where a cyber attack is going to come from and how it's going to come. Although not an exhaustive list of healthcare applications, Table 1 6 shows a variety of possible entry points of an attack. The risk has become more acute in larger healthcare organizations such as hospitals, which have moved away from stand-alone workstations to more tightly integrated platforms that are attached to networks. It is now common for these networks to link a variety of IT workstations such as admissions, clinical laboratory, pharmacy, radiology, and the billing department. Networks also connect the IT systems of an organization's inpatient and outpatient settings as well as a variety of service organizations ranging from acute care to long-term care and home care. These systems also have links to external networks, which connect and share information with patients, employees, insurers, and business partners. If systems are compromised, such a large attack surface provides many opportunities for a cyberterrorist to exploit security holes and seize sensitive data and/or disrupt services.
Table 1. Examples of Information Technology Applications in Hospitals and Physician Offices
What Would a Cyber Attack Look Like?
In a serious case, a cyber attack may lead to a failure of proper patient care by disabling computer information systems or causing communication networks to experience denial of service. Areas of particular concern to healthcare-related facilities include the potential for cyberterrorism-related events to erase or alter computerized medical, pharmacy, or health insurance records. 5 If terrorists were to attack America's healthcare IT systems, it probably would not be through the use of one major assault, but rather via a series of small incursions that are much more difficult to detect. An example of this type of scenario was outlined recently in a cyberterrorism seminar at the University of California, Davis in Sacramento. The scenario began with hackers using “phishing” e-mails to introduce four separate packages of malware into the hospital networks. Once planted, these packages would trigger in sequence a few days or weeks apart. The first would infect patient record databases and alter doctors' orders, medication doses, and other information, spreading confusion and possibly causing illness and deaths. A few days later, the next program would trigger, interfering with portable devices that nurses use to record patient information. The third wave would attack the software in intensive care unit monitors, altering the data display and switching off alarms. The fourth and final wave would infect the software controlling drug infusion pumps and similar devices. After a few weeks of these rapidly changing, and different, attacks, the staff in the hospital would have no trust in any electronic data, and the IT support staff would be totally demoralized.
The possible threats can also extend beyond specific electronic applications to infrastructure or utility targets. Again, it is not possible to provide a definitive list of possibilities, but a few examples have been suggested. For instance, cyber attacks on water, electricity, or telecommunications systems would quickly put hospitals in difficulty. 7 Attacks against the telecommunications system in particular could not only have the potential to disrupt the flow of health information, but also the multiple logistical systems upon which the operations of healthcare facilities depend, for example, the acquisition of supplies. 5
Despite the development of scenarios such as that outlined above, there has been no published evidence showing a widespread focus by cyberterrorists on attacking American healthcare facilities, although the Federal Bureau of Investigation has been called in to investigate several hospital-related cyberterrorist incidents (personal communication from anonymous FBI officers). Cyberterrorism is certainly not mere fiction. Other examples already exist of individuals successfully targeting important infrastructure and causing harm as a result. In 2008, a system administrator who had been employed by the city of San Francisco took control of the city's computer system and prevented others from accessing a variety of software applications. According to Ellsmore and Raghu, 8 “While this attack did not cause violence to the public, it provides a tangible proof of concept of remote interference with critical infrastructure systems, and systems responsible for human welfare or protection.”
What Is the Extent of the Cyberterrorism Threat Today?
Analysts have concluded that following past trends, where hackers and cybercriminals have taken advantage of easy vulnerabilities, we may gradually see new instances where cyberterrorists target vulnerabilities in critical infrastructure. 9 This notion that the cyber threat is a real and growing one does have some credence. In one survey, 10 71% of senior IT executives believed that cyberterrorism is on the rise and that this trend posed a very serious threat to America's critical infrastructure. According to the non-profit information security organization Open Security Foundation, 12% of all information breaches in the United States were facilitated by hackers in 2010 11 (Fig. 1 gives the complete breakdown), but unfortunately no information is available on the healthcare sector specifically on this group's Web site.

Fig. 1. Incidents by breach type.
There are reports, however, suggesting that healthcare institutions are increasingly being targeted with theft or manipulation of electronic data as well as malicious attacks that disrupt computer systems. One U.S. information security service vendor has noticed an upswing in attacks launched at its healthcare clients involving malware. 12 If a computer is infected with malware, it can be used to steal data stored by the victim's browser (including passwords), launch distributed denial of service attacks, spread via USB devices or peer to peer, and download additional malware onto the infected computer.
Why Is Healthcare a Cyberterrorism Target?
As with other sectors of the U.S. economy, the 9/11 terrorist attacks in particular provided justification for the insertion and large scale investment of the security industry into healthcare delivery. 13 This influx of money and resources has not proven to be a sure fix in addressing security vulnerabilities. Ellsmore and Raghu 8 commented that despite this increase in IT budgets, “only a fraction of it is allocated to securing systems within the healthcare industry, so it is to be expected that information systems within the industry are vulnerable to attack.” Indeed, one of the top security breach “trends” in the healthcare industry is a susceptibility to new hacking technologies because organizations have simply delayed investment in upgrading their older systems. SQL injection attacks in particular are on the rise. This is an attack in which a hacker submits a SQL query from the Internet that performs an operation on the recipient's database and transfers data back to the attacker. 14
How Are We Currently Protecting Ourselves?
The healthcare industry has proven to be particularly difficult to fortify against cyber attack in terms of coordinating and implementing “best practice” cyber security policies and procedures. Much of this stems from the fact that the industry is not a single homogeneous entity but, rather, consists of decentralized and loosely coupled organizations, both public and private, most of which are small compared with those found in such sectors as financial services. 15 In response to this situation the Federal Government has taken the lead, through the Department of Homeland Security, to prevent and respond to cyber attacks on the nation's critical infrastructures by establishing a “National Infrastructure Protection Plan.” A subset of this plan includes the “Healthcare and Public Health Plan,” which describes how the infrastructure protection risk management framework is being implemented and integrated within the health sector. One of the key aims of these plans is to improve sharing of information between the public and private sectors about physical and cyber security threats and vulnerabilities. 3
Another development on the healthcare front has seen the establishment of the National Health Information Sharing and Analysis Center. Its mission is to advance the integrity and cyber security protection of the nation's healthcare and public health critical infrastructure from threats and vulnerabilities and to foster the availability of best practices, countermeasure solutions, security awareness, and workforce education. 16 The Government has also been proactive in other areas. For example, in recognition of the fact that electronic health records are being increasingly adopted by many medical practices, the Office of the National Coordinator for Health Information Technology has provided a cyber-security checklist for the small healthcare environment. 17
Private healthcare organizations are also stepping up efforts to protect themselves in areas such as electronic patient information as they witness increased attacks against hospital networks, mindful how a data breach could hurt patients and their own reputations. 18 Some hospitals such as Northwestern Memorial have even started taking preventive measures by using a cyber-specific response plan that mirrors the color-coded national alert system used by the Department of Homeland Security; as alert levels change, the hospital responds by turning off certain services, thereby eliminating access to potential attackers. 7
Despite the initiatives launched by the Federal Government and the changes to the security and privacy landscape (e.g., HIPAA), a 2009 survey published by the Healthcare Information and Management Systems Society found that a large number of healthcare practices and hospital systems do not perform security risk analyses and therefore do not understand their vulnerability to cyber attack. Other key findings of this survey indicated that budgets dedicated to security remain low, and many organizations still do not have a formally designated Chief Information Security Officer or Chief Security Officer to provide the needed organizational leadership to focus on cyber security. In addition, many organizations are not using available technologies to secure data, such as encryption of computer hard drives. Although almost two-thirds of responding organizations do secure data under transmission, fewer than half encrypt stored data. Also, organizations often do not have a plan for responding to threats or incidents relating to a security breach. 19
So we have a mixed picture at best, with some healthcare organizations making strides to protect themselves, but a large proportion still vulnerable to attack. What should the organizations in the latter category be doing? Up-to-date computer security systems and firewalls, personal vigilance, and adherence to “best practice” guidelines are essential in maintaining the security of computer systems. 20 Organizations must evolve their methodologies to address these changes and provide information assurance that is effective, consistent, and continuous. Because of this, organizations must develop security policies and guidelines for their information assets that apply to all systems and that actively support the need for greater awareness and understanding of security issues with the goal of developing a “culture of security.” 4
What Should We Be Doing to Protect Ourselves Better in the Future?
In order for healthcare organizations to effectively protect their sensitive patient data, they should consider using a defense-in-depth strategy, as part of their overall information technology risk management strategy. This approach involves implementing multiple layers of protection to shield the organization from current and emerging threats. A provider of information security services to 82 healthcare clients in the United States offered up six key guidelines for the healthcare industry to follow:
1. Perform regular security risk assessments that will look at the controls the organization has in place compared with regulatory requirements and help determine if there are any gaps.
2. Implement intrusion prevention and detection services to detect and block attempts by cyber attackers to access data on your servers and your network.
3. A data loss prevention solution can help monitor your network traffic for possible leakage of information such as social security numbers or Health Level 7 codes.
4. Log monitoring centralizes and correlates audit logs from your applications and systems to allow you to identify improper access to sensitive patient data from internal or external sources.
5. Perform Web application security testing regularly and implement a Web application firewall.
6. Implement strong encryption policies and technologies on mobile devices, laptops, portable storage, and backup tapes. 12
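As an added illustration of guideline 3 (this code is not from the article or from the vendor it cites), the sketch below shows the kind of content inspection a data loss prevention control applies to outbound traffic: it flags structurally valid social security numbers in free text and recognizes Health Level 7 version 2 messages, where PID-19 is the patient SSN field. The function names, the block/alert/allow policy, and the sample payloads are assumptions constructed for the example.

```python
import re

# Separated SSNs in free text; bare 9-digit runs are trusted only in HL7 PID-19.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")
HL7_HEADER = "MSH|^~\\&|"  # HL7 v2 header segment with the default delimiters

def valid_ssn(area, group, serial):
    """Structural SSN rules: reject never-issued ranges to cut false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def mask(serial):
    """Findings keep only the last four digits so the alert is not itself a leak."""
    return "***-**-" + serial

def scan_payload(text):
    """Return (kind, detail) findings for one outbound payload."""
    findings = []
    # HL7 v2 separates segments with carriage returns; accept newlines too.
    for line in re.split(r"[\r\n]+", text):
        if line.startswith(HL7_HEADER):
            fields = line.split("|")
            # MSH-1 is the separator itself, so MSH-9 (message type) is index 8.
            msg_type = fields[8] if len(fields) > 8 else "unknown"
            findings.append(("hl7_message", msg_type))
        elif line.startswith("PID|"):
            fields = line.split("|")
            # PID-19 carries the patient's SSN in HL7 v2.
            digits = re.sub(r"\D", "", fields[19]) if len(fields) > 19 else ""
            if len(digits) == 9 and valid_ssn(digits[:3], digits[3:5], digits[5:]):
                findings.append(("hl7_pid_ssn", mask(digits[5:])))
            else:
                findings.append(("hl7_pid", "patient segment, no SSN"))
        else:
            for m in SSN_RE.finditer(line):
                if valid_ssn(*m.groups()):
                    findings.append(("ssn", mask(m.group(3))))
    return findings

def verdict(findings):
    """Hypothetical policy: block SSNs, alert on other patient data, else allow."""
    kinds = {kind for kind, _ in findings}
    if kinds & {"ssn", "hl7_pid_ssn"}:
        return "block"
    return "alert" if kinds else "allow"

# Constructed sample traffic (not real patient data).
pid = [""] * 20
pid[0], pid[1], pid[3], pid[5] = "PID", "1", "MRN0001^^^HOSP", "DOE^JANE"
pid[19] = "123456789"
HL7_SAMPLE = "\r".join([
    "MSH|^~\\&|LAB|HOSP|EHR|HOSP|202401011200||ORU^R01|MSG0001|P|2.5",
    "|".join(pid),
])
EMAIL_SAMPLE = "Patient SSN is 123-45-6789; callback ref 900-12-3456."
BENIGN_SAMPLE = "Quarterly invoice 2024-01-15, order 471-22-0000 attached."

if __name__ == "__main__":
    for sample in (HL7_SAMPLE, EMAIL_SAMPLE, BENIGN_SAMPLE):
        found = scan_payload(sample)
        print(verdict(found), found)
```

The structural checks matter in practice: without them, order numbers and reference codes that merely look like SSNs generate enough false alerts that the control gets tuned down or ignored.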
One final guideline to consider is how to handle the “internal” threat from disgruntled employees or ex-employees. These are people who are able to carry out attacks because of privileges assigned as part of their job function. This threat accounts for 70% of computer-related criminal activity. 21 Protecting an organization from it will require action on several fronts in addition to securing software applications. This could range from creating greater cyber awareness, to sensitize employees to the problem, to disabling access immediately during employee terminations. 22
Cunningham 23 concluded that effective protection from cyberterrorism comes down to three main ingredients: the right combination of people, processes, and technology. IT staff and employees need to be educated about security and their roles in enforcing it. “Best practice” security processes need to be carefully followed and implemented, and the right technology should be deployed to assist all of these efforts and shore up vulnerabilities that may exist. If the Healthcare Information and Management Systems Society survey from 2009 19 is anything to go by, this more holistic approach to tackling cyber security and by extension cyberterrorism is not being adopted by many U.S. healthcare organizations and certainly not with the urgency that is needed.
Cyberterrorism may not be the current “weapon of choice” for terrorist groups, but it does remain a real and growing threat to the U.S. healthcare system. Terrorists are looking at ways of striking from a distance in order to reduce the chances of being captured while still creating panic and fear within the target community. Cyberterrorism fulfills these requirements, and healthcare is becoming more vulnerable and more threatened every day because of the fact it has become dependent on computer-based technologies and the Internet. It is clear that many U.S. healthcare organizations are not prepared or equipped to handle a serious cyberterrorist attack despite the best efforts of the Federal Government to address this. The stakes are high. The ability to deliver healthcare would be crippled if terrorists disabled crucial parts of the nation's IT system using cyber methods to alter, delete, or steal vital health information. Healthcare organizations should therefore prepare themselves by ensuring they have appropriate measures in place to secure important systems that could be potential targets for terrorists. Protective measures are available today, but many organizations are simply not resourcing and managing their security initiatives appropriately in relation to the size of the threat that they face. They do so at their peril because the future terrorists of the world are growing up in a more technologically advanced society than their parents and will have at their disposal cyber assets that could disrupt the healthcare system. The risk to the U.S. healthcare system and the future of health on the Internet unfortunately shows no signs of diminishing in the 21st century.
Footnotes
Disclosure Statement
D.H. is an employee of Océ North America—a Canon Group Company. P.M.Y. declares no competing financial interests exist.
