Cyberattack Simulation Finds Little Data Sharing Among Plans

Dec. 7, 2015, 7:40 PM

By Alex Ruoff, Bloomberg BNA

Health care organizations aren’t effectively collaborating to ward off cybercriminals, security executives concluded after a major breach simulation.

Health care organizations and cybersecurity groups have increasingly called for private companies and federal agencies to share information with each other about cyber attacks and data breaches. However, health care companies are often hesitant to share this information for fear of giving away trade secrets or raising the ire of regulators.

“There’s concern on behalf of the enterprise that by sharing information about an attack or some malicious code that regulators will respond negatively,” said Emily Mossburg, a principal at Deloitte Advisory Cyber Risk Services.

Deloitte, the Health Information Trust Alliance (HITRUST) and the Department of Health and Human Services on Dec. 3 released results from a simulated cyberattack on 12 health plans. It was the second annual simulated attack performed by HITRUST, a health care cybersecurity industry group.

The group found that cyberattacks are becoming “increasingly pervasive and sustained” and open lines of communication between health care organizations, law enforcement, regulators and business partners are essential parts of a proper breach response.

Industry has been seeking legislation that would create liability protections for sharing cybersecurity-related data. In October, the Senate passed the Cybersecurity Information Sharing Act (S. 754), and in April the House passed the Protecting Cyber Networks Act (H.R. 1560). Both would allow private corporations to share cyber threat data with government agencies without running afoul of federal privacy laws.

The bills must be reconciled by Congress before going to President Barack Obama for his signature.

Improved Security

Despite the lack of sharing of cybersecurity information among health care organizations, there is evidence that hospital IT security has improved in recent years.

Hospital use of advanced password protection increased to 49 percent in 2014 from 35 percent in 2011, according to data released on Dec. 2 by the Office of the National Coordinator for Health IT.

More than ever, hospitals are implementing two-factor authentication, which requires a second proof of identity beyond a username and password, the data show. The second factor is most commonly something the user physically holds, such as a security badge or a one-time-code token, so a stolen or guessed password alone is not enough to log in. Improved hospital security, particularly secure log-ins for electronic health record systems, is a result of an increased fear of breaches and lower costs for implementing security measures, according to Dean Wiech, managing director of Tools4ever, a software security firm.
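To make concrete what the second factor adds, here is an added example (written for this page; it is not code from the article, the ONC or Tools4ever) of a login check that requires both a password and a time-based one-time code of the kind a hardware token displays. The user record, the password and the store layout are constructed for the demonstration; the token secret is the published RFC 6238 test-vector secret, used only so the codes are reproducible. The check evaluates both factors before deciding, compares in constant time, tolerates one step of token clock skew, and refuses to accept the same code twice.

```python
"""Password + time-based one-time-code login (added example, not from the article)."""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000   # assumption: tune to the server's hardware
TOTP_STEP = 30            # RFC 6238 default time step, in seconds
TOTP_WINDOW = 1           # accept one step of token clock skew either way


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def match_totp(secret: bytes, code: str, at_time: int, window: int = TOTP_WINDOW):
    """Return the time-step counter whose code matches, or None.
    Every candidate step is checked (no early exit) with a constant-time compare."""
    base = at_time // TOTP_STEP
    matched = None
    for delta in range(-window, window + 1):
        candidate = base + delta
        if hmac.compare_digest(hotp(secret, candidate), code):
            matched = candidate
    return matched


def demo_store() -> dict:
    """Constructed user record for this example. A real deployment keeps this in a
    database and provisions the token secret to the user's badge or token at enrolment."""
    salt = os.urandom(16)
    return {
        "alice": {
            "salt": salt,
            "pw_hash": hash_password("correct horse battery staple", salt),
            "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector secret
            "last_counter": -1,                        # highest time step already used
        }
    }


DUMMY_SALT = os.urandom(16)


def login(store: dict, username: str, password: str, code: str, at_time=None) -> bool:
    """Both factors must pass. Both are always evaluated so response time does not
    reveal which one failed, and a one-time code is never accepted a second time."""
    now = int(time.time()) if at_time is None else at_time
    user = store.get(username)
    if user is None:
        hash_password(password, DUMMY_SALT)   # same cost for unknown usernames
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    counter = match_totp(user["totp_secret"], code, now)
    otp_ok = counter is not None and counter > user["last_counter"]
    if pw_ok and otp_ok:
        user["last_counter"] = counter   # burn this step so the code cannot be replayed
        return True
    return False


if __name__ == "__main__":
    store = demo_store()
    secret = store["alice"]["totp_secret"]
    t = int(time.time())
    print("password + current code:", login(store, "alice", "correct horse battery staple", totp(secret, t), t))
    print("same code again (replay):", login(store, "alice", "correct horse battery staple", totp(secret, t), t))
    print("password only, wrong code:", login(store, "alice", "correct horse battery staple", "000000", t))
```

The replay check is the detail most often missed when teams add a token to an existing password login: a code intercepted by a phishing page is still valid for the rest of its 30-second step unless the server records the step it already honoured.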

The cost of implementing a two-factor authentication system in a hospital has dropped from $30 per user in 2010 to roughly $10 per user, Wiech said. Similarly, the cost of implementing identity management software has dropped from $70 per user in 2010 to about $10 to $20 per user, Wiech said.

The historically high cost of the software also accounts for why larger hospitals have adopted stricter security measures, he said. According to the ONC, 63 percent of large hospitals had adopted two-factor authentication in 2014, compared to 35 percent of critical access hospitals and 40 percent of small, rural hospitals.
