This article was originally posted Oct. 24, 2016. It has been updated.
By Paul Trusty and Matt Zavadsky
As EMS moves into the 3.0 transformation, our information security systems need to transform as well to prevent hacking, data theft and hardware destruction. EMS agencies use electronic systems and software today to capture 911 call data, dispatch the ambulance, record patient care, collect clinical data, bill for services and communicate to each other. We have developed a dependence on technology to improve efficiency and automate routine tasks.
Technology reduces errors by applying rules that make sure step B can’t start until step A has finished. As technology advances, we will likely automate even more of our everyday tasks. Now imagine the disruptions and consequences of all of those systems failing, shutting down or becoming so unstable users can’t use them.
What would happen next? Cybersecurity focuses on this very question.
What is the cybersecurity triad?
When the word cybersecurity is mentioned, many people think about the major breaches that have been in the news. The breaches are focused on bad guys stealing email addresses, email content, usernames, passwords or credit card data. However, cybersecurity covers much more than just protecting against the hackers trying to steal our data.
Cybersecurity is about managing risk. It is about protecting the confidentiality, integrity, and availability of data — the CIA triad.
- Confidentiality is ensuring only the people who should have access to data do.
- Integrity is ensuring that the data entered into a system is the same when it comes out.
- Availability is making sure that systems are up and running when they are needed.
This CIA triad is protected through the application of technologies, processes and people. Technologies are purchased to protect, processes are created that use the technologies and people should follow the processes to maximize the protection [1].
How does cybersecurity impact EMS patients?
Breach of patient information can affect people in multiple ways. We often hear news reports about identity theft and fraud. It is easy to connect the dots from loss of patient information to a criminal stealing a patient’s identity.
For the patient, identity theft is an embarrassing, expensive and time-consuming intrusion into their life. It can also be very devastating, especially to the retired population who make up a large percentage of our patients. If we are careless with their information, it would potentially be devastating to their retirement plans, savings and dreams.
Medical identity theft is another risk to our patients in a data breach. Medical identity theft occurs when one person uses another’s medical identity to receive medical treatment or goods. The victim, whose medical identity was stolen, may receive bills for the treatment sought by the thief. The average cost to settle a case of medical identity theft according to a Ponemon study is $13,500 [2].
The financial cost may be the least of a patient’s worries. A New York mother was accused of having recently delivered a baby that tested positive for methamphetamine [3]. Child protective services personnel were working to take away her children because of this accusation. In reality, another woman who had been using drugs had used the mother’s stolen medical identity to pay for the birth of her child.
Medical identity theft can also go further and bring greater risk to our patients. Many of our patient care reporting systems will auto-populate medications, history and allergies from previous encounters with the same patient. If we transport a patient that is using a stolen medical identity, we may be getting inaccurate information that a patient is not allergic to any medications. When we pick up the real patient that is allergic to medications we carry, the outcome could be bad.
Why EMS and who would attack us?
Health care has become a target for cybercrime. The Primary Cause of Breach graph, shown below, was generated from the Department of Health and Human Services web site data in late 2015 [4]. The significant change in the number of individuals affected by hacking or IT incidents is immediately clear.
Figure 1-HHS Breach Report Cause Analysis (Department of Health and Human Services, 2015)
In 2014, the FBI notified health care entities that they are “not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely [5].”
This information leads to a conclusion that cyber criminals have identified that the health care sector may be an easier target than others.
Today’s organized cybercrime has become as structured and efficient as many businesses. The risks criminals face of getting caught are lower in cybercrime and the income they receive can be substantial. A primary example of the level of sophistication of cybercrime today is ransomware attacks that have affected many, including hospital and public safety organizations.
When a computer is infected with ransomware, the malware encrypts files, partitions or the entire disk and makes network shares inaccessible to users in an organization. To regain access to the files or data, the attacker requests payment from the victim in bitcoin. To help the victim, the entities that are delivering ransomware often provide detailed instructions and have even provided technical support to help users make the payment.
EMS isn’t alone as a target for cybercrime. Many different sectors in health care are affected. However, health care has fallen behind and we in EMS must step up to the challenge and improve our approach to cybersecurity.
What are cybersecurity incidents?
A cybersecurity incident is anything that threatens or compromises the CIA triad — confidentiality, integrity, and availability. Following is a list of cybersecurity incidents that an EMS organization may face:
- Phishing email: An attacker uses tricky emails to get users to disclose information, very often their username and password. The attacker then uses the stolen credentials to gain access to the network.
- Malware: An attacker distributes malware as email attachments or links, from the web, or from external devices such as USB, CD and DVD. Malware can also be manually placed by an attacker that has access to the network.
- Hacking or intrusion: Occurs when an attacker is able to exploit a vulnerability on a computer or computer network to gain access. From this point the attacker may increase their privileges or may use the compromised computer as a pivot point to move deeper into the network.
- Theft or loss of equipment: When equipment that can store PHI is lost or stolen, the information it contains is at risk.
- Tailgating, shoulder surfing, baiting: Techniques used as a means to gain access. Tailgating is following people through access-controlled doors or gates to gain access to secured areas. Shoulder surfing is looking over a person’s shoulder to watch a password or PIN being entered during login, or to read other information the user is viewing. Baiting is leaving USB, CD or DVD drives in a parking lot where a user will pick them up and put them in a computer, compromising the computer.
You may notice that many of the incidents listed above require a user to complete the attack. In EMS we may use social engineering tactics, that is, persuasion, to get a stubborn AMI patient to agree to go to the hospital. Attackers have moved more and more towards social engineering tactics to trick users into helping them accomplish their goals.
What are protection options for EMS?
Determining how to protect an organization can be an overwhelming task. Remember that cybersecurity is an organizational problem that requires everyone’s participation. Cybersecurity is not just an IT problem.
It is critical that the leaders of our EMS organizations establish a culture of cybersecurity and understand they are ultimately responsible for cybersecurity. Leaders should understand where their PHI is stored, how many incidents they have had and what the time to remediation is when an incident occurs. They should also have a plan for contacting law enforcement when a cybercrime is identified.
It is also important to understand that cybersecurity is an ongoing continuous improvement cycle. The cycle starts with risk and vulnerability assessments and is followed up by application of controls to reduce the risk that has been identified. This cycle should continue on a schedule or anytime major changes happen in the organization. When vulnerabilities are found they should be addressed with appropriate controls.
Organizations should also realize that building up defenses against a cybersecurity attack alone is not enough. Incidents, such as malware or other intrusions will occur. Preparations should be made to be able to detect, respond and remediate security incidents as they occur. Identification of internal or external cybersecurity expertise is recommended to assist in the identification and response to security incidents.
What cybersecurity training do EMS personnel need?
Training all personnel in the organization to be aware of cybersecurity is an important defense step. The entire workforce should be trained in:
- If you see something, say something. The workforce is the cybersecurity eyes and ears of the organization. Train them to recognize issues and report them to the appropriate personnel.
- Safe email and Internet browsing practices.
- Physical protection of systems and equipment by locking the operating system when the user walks away, keeping track of mobile hardware and reporting abnormal behavior of their computer system.
- Tips for username and password protection.
- How and where to report a perceived security incident.
Finally, it has been proven that health care agencies that are just reactive to cybersecurity have 4.5 times the number of records affected in a breach than an agency that is proactive in their approach [6]. There are many cybersecurity frameworks available that can be applied. Examples are the National Institute of Standards and Technology Cybersecurity Framework, International Organization for Standardization 27000 and the Control Objectives for Information and Related Technologies. The frameworks provide structure and guidance on how to begin systematically applying cybersecurity practices to an organization.
References
1. Harris, S. (2010). CISSP. New York, NY: McGraw Hill.
2. Ponemon Institute. (2015). Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. Ponemon Institute.
3. The Central New York Business Journal (May 3, 2013)
4. Department of Health and Human Services. (2015). Breaches Affecting 500 or More Individuals. Retrieved August 16, 2015, from U.S. Department of Health and Human Services Office for Civil Rights: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
5. Security Week (April 4, 2014)
6. Kwon, J., & Johnson, M. E. (2014). Proactive Versus Reactive Security Investments In The Healthcare Sector. MIS Quarterly, 38(2), 451-A3.
Australian Government Department of Defence. (2014). Strategies to Mitigate Targeted Cyber Intrusions. Australian Signals Directorate.
Australian Government Department of Defence Intelligence and Security. (2012). Top Four Mitigation Strategies to Protect Your ICT System. Australian Signals Directorate
Council on CyberSecurity. (2014). The Critical Security Controls for Effective Cyber Defense. SANS.
FBI Cyber Division. (2014). Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain. FBI.
National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity. National Institute of Standards and Technology.
Ponemon Institute. (2014). Critical Infrastructure: Security Preparedness and Maturity. Ponemon Institute LLC.
SANS. (2014). SANS Critical Security Controls Poster. Retrieved August 26, 2015, from SANS: https://www.sans.org/media/critical-security-controls/fall-2014-poster.pdf
About the author
Paul Trusty, MS, EMT-P is the information technology manager at MedStar Mobile Healthcare in Fort Worth, Texas. He has focused his attention on cybersecurity, receiving a Master’s in Information Security and Assurance in 2015, and holds several cybersecurity certifications such as certified ethical hacker and computer hacking forensics investigator. He has 20 years of experience in EMS with the last 14 being focused on IT.