Cybersecurity: Ensuring Confidentiality, Integrity, and Availability of Information

Nursing Informatics

Part of the book series: Health Informatics ((HI))

Abstract

Understanding healthcare cybersecurity is crucial for anyone who interacts with computer systems or medical devices. Patient safety is directly tied to cybersecurity. Patient data must be protected in order to ensure its confidentiality, integrity, and availability. Awareness is the key to understanding healthcare cybersecurity. Because healthcare cybersecurity is always changing, it is essential to raise awareness about these developments. But, in spite of the dynamic landscape, certain constants remain the same. To this end, it is vital to understand the historical context, as the past is the best indicator of future trends. This chapter aims to provide a solid historical foundation as well as current and timely information on the cybersecurity threat landscape within the healthcare vertical.


Notes

  1. NIST. Computer security resource center: glossary. Available from: https://csrc.nist.gov/glossary/term/cybersecurity

  2. Bitsight. Cybersecurity Vs. Information Security: Is There A Difference? Available from: https://www.bitsight.com/blog/cybersecurity-vs-information-security

  3. Cybersecurity & Infrastructure Security Agency (CISA). Available from: https://www.us-cert.gov/ncas/tips/ST04-001

  4. HealthIT.gov. 2011 Edition. Available from: https://www.healthit.gov/topic/certification-ehrs/2011-edition

  5. HIMSS. 2021 Healthcare Cybersecurity Survey. Available from: www.himss.org/cybersurvey

  6. FBI. FBI, This Week: Reveton Ransomware. Available from: https://www.fbi.gov/audio-repository/news-podcasts-thisweek-reveton-ransomware/view

  7. NJCCIC. NJCCIC Ransomware Variants. Available from: https://www.cyber.nj.gov/threat-center/threatprofiles/ransomware-variants/

  8. FBI. Ransomware. Available from: https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware

  9. Roger A. Grimes. CSO. 9 types of malware and how to recognize them. Available from: https://www.csoonline.com/article/2615925/security-your-quick-guide-to-malware-types.html

  10. SANS. Physical Security and Why It is Important. Available from: https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120

  11. Sucuri Blog. Password Attacks 101. Available from: https://blog.sucuri.net/2020/01/password-attacks-101.html

  12. United States Department of Homeland Security. A Lifeline: Patient Safety and Cybersecurity. Available from: https://www.dhs.gov/sites/default/files/publications/ia/ia_vulnerabilities-healthcare-it-systems.pdf

  13. National Initiative for Cybersecurity Careers and Studies. Creating a Password. Available from: https://niccs.us-cert.gov/sites/default/files/documents/pdf/ncsam_creatingapassword_508.pdf

  14. Help Net Security. The password reuse problem is a ticking time bomb. Available from: https://www.helpnetsecurity.com/2019/11/12/password-reuse-problem/

  15. Kaspersky. Brute Force Attack: What you need to know to keep your passwords safe. Available from: https://www.kaspersky.com/resource-center/definitions/brute-force-attack

  16. United States Department of Homeland Security. National Infrastructure Protection Plan: Healthcare and Public Health Sector. Available from: https://www.dhs.gov/xlibrary/assets/nipp_snapshot_health.pdf

  17. United States Department of Homeland Security Cybersecurity & Infrastructure Security Agency. Available from: https://www.cisa.gov/critical-infrastructure-sectors

  18. United States Department of Health and Human Services. Healthcare and Public Health Sector-Specific Plan. Available from: https://www.phe.gov/Preparedness/planning/cip/Documents/2016-hph-ssp.pdf (Figure 8, page 12).

  19. MITRE. Cybersecurity standards. Available from: https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-resources/standards

  20. Steve Alder. HIPAA Journal. Community Health Systems Cyber Attack Puts 4.5 M Patients at Risk. Available from: https://www.hipaajournal.com/community-health-systems-cyber-attack-puts-4-5m-patients-risk/

  21. NCCIC. National Cybersecurity and Communications Integration Center. What is WannaCry/WannaCrypt0r? Available from: https://www.us-cert.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf

  22. Robert Lemos. Three Years After WannaCry, Ransomware Accelerating While Patching Still Problematic. DARKReading. Available from: https://www.darkreading.com/attacks-breaches/three-years-after-wannacry-ransomware-accelerating-while-patching-still-problematic/d/d-id/1337794

  23. Microsoft. Microsoft Security Bulletin MS17-017 Important. Security Update for Windows Kernel (4013081). Available from: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-017

  24. Washington Post. Russian military was behind “NotPetya” cyberattack in Ukraine, CIA concludes. Available from: https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html

  25. Wired. The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Available from: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

  26. Carnegie Mellon Software Engineering Institute. Insider Threat. Available from: https://www.sei.cmu.edu/research-capabilities/all-work/display.cfm?customel_datapageid_4050=21232

  27. Imprivata. 5 Types of Insider Threats in Healthcare—and How to Mitigate Them. Available from: https://www.imprivata.com/blog/5-types-of-insider-threats-in-healthcare-and-how-to-mitigate-them

  28. Phishing.org. History of Phishing. Available from: https://www.phishing.org/history-of-phishing

  29. United States Department of Homeland Security. 2018 Public-Private Analytic Exchange Program. Phishing: Don’t be Phooled! Available from: https://www.dhs.gov/sites/default/files/publications/2018_AEP_Vulnerabilities_of_Healthcare_IT_Systems.pdf (pp. 2–3).

  30. HIMSS. 2018 HIMSS Cybersecurity Survey. Available from: https://www.himss.org/sites/hde/files/d7/u132196/2018_HIMSS_Cybersecurity_Survey_Final_Report.pdf; HIMSS. 2019 HIMSS Cybersecurity Survey. Available from: https://www.himss.org/sites/hde/files/d7/u132196/2019_HIMSS_Cybersecurity_Survey_Final_Report.pdf

  31. NIST. Building an Information Technology Security Awareness and Training Program. Available from: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf (pp. 8–9).

  32. Code of Federal Regulations. Administrative Safeguards. 45 CFR 164.308.

  33. The employer’s or organization’s policies and procedures should be adhered to, and any questions should be directed to the information technology helpdesk, cybersecurity team, or the appropriate point of contact. Use caution when clicking on any links, opening any attachments, or responding to e-mails, social media messages, etc.

  34. Georgia Professional Tech Education. Staying Cyber-Safe While Teleworking. Available from: https://pe.gatech.edu/blog/industry-trends/staying-cyber-safe-while-teleworking

  35. Omnibus HIPAA Rulemaking. United States Department of Health and Human Services. Available from: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html

  36. Business Associate Contracts. United States Department of Health and Human Services. Available from: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

  37. The Security Rule. United States Department of Health and Human Services. Available from: https://www.hhs.gov/hipaa/for-professionals/security/index.html

  38. Breach Notification Rule. United States Department of Health and Human Services. Available from: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

  39. Breach Notification Rule. United States Department of Health and Human Services. Available from: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

  40. SAMHSA. United States Department of Health and Human Services. Available from: https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs

  41. State Health IT Privacy and Consent Laws and Policies. United States Department of Health and Human Services. Available from: https://www.healthit.gov/data/apps/state-health-it-privacy-and-consent-laws-and-policies

  42. Jill Arent. Comparison of Pennsylvania Confidentiality of HIV-Related Information Act (Act 148) and Federal Health Insurance Portability and Accountability Act. AIDS Law Project of Pennsylvania. Available from: http://www.aidslawpa.org/wp-content/uploads/2011/04/comparativechart.pdf

  43. Patrick Howell O’Neill. A patient has died after ransomware hackers hit a German hospital: This is the first ever case of a fatality being linked to a cyberattack. MIT Technology Review. Available from: https://www.technologyreview.com/2020/09/18/1008582/a-patient-has-died-after-ransomware-hackers-hit-a-german-hospital/

  44. NIST. Computer security resource center: glossary. Available from: https://csrc.nist.gov/glossary. Definitions are generally from this source, unless otherwise noted.

  45. United States Department of Health and Human Services. Breach Notification Rule. Available from: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

  46. National Institutes of Health. HIPAA Privacy Rule: Information for Researchers. Available from: https://privacyruleandresearch.nih.gov/pr_06.asp

  47. United States Department of Health and Human Services. Business Associate Contracts. Available from: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

  48. National Institutes of Health. HIPAA Privacy Rule: Information for Researchers. Available from: https://privacyruleandresearch.nih.gov/pr_06.asp

  49. Cybersecurity & Infrastructure Security Agency. Security Tip (ST04-015): Understanding Denial-of-Service Attacks. Available from: https://www.us-cert.gov/ncas/tips/ST04-015

  50. United States Department of Homeland Security. 2018 Public-Private Analytic Exchange Program. Phishing: Don’t be Phooled! Available from: https://www.dhs.gov/sites/default/files/publications/2018_AEP_Vulnerabilities_of_Healthcare_IT_Systems.pdf (p. 2).

  51. NIST. Computer Security Incident Handling Guide (Special Publication No. 800-61 Rev. 2). Available from: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

  52. Health Care Industry Cybersecurity Task Force. Available from: https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf

  53. Daniel Costa. Carnegie Mellon University Software Engineering Institute. CERT Definition of “Insider Threat”—Updated. Available from: https://insights.sei.cmu.edu/insider-threat/2017/03/cert-definition-of-insider-threat---updated.html

  54. Chapter 7: Fighting Cyber Threats to the Growing Economy. Available from: https://www.govinfo.gov/content/pkg/ERP-2018/pdf/ERP-2018-chapter7.pdf (p. 329).

  55. Daniel Costa. Carnegie Mellon University Software Engineering Institute. CERT Definition of “Insider Threat”—Updated. Available from: https://insights.sei.cmu.edu/insider-threat/2017/03/cert-definition-of-insider-threat---updated.html

  56. Double Octopus. The Secret Security Wiki. Password Spraying (Low and Spray). Available from: https://doubleoctopus.com/security-wiki/threats-and-tools/password-spraying/

  57. United States Department of Homeland Security. 2018 Public-Private Analytic Exchange Program. Phishing: Don’t be Phooled! Available from: https://www.dhs.gov/sites/default/files/publications/2018_AEP_Vulnerabilities_of_Healthcare_IT_Systems.pdf (p. 2).

  58. Peter Tsai. Spiceworks. What is a ransomworm? History, concerns, and implications: Word of the Week. Available from: https://community.spiceworks.com/topic/1995594-what-is-a-ransomworm-history-concerns-and-implications-word-of-the-week

  59. Forcepoint. Shadow IT defined. Available from: https://www.forcepoint.com/cyber-edu/shadow-it

  60. United States Department of Homeland Security. 2018 Public-Private Analytic Exchange Program. Phishing: Don’t be Phooled! Available from: https://www.dhs.gov/sites/default/files/publications/2018_AEP_Vulnerabilities_of_Healthcare_IT_Systems.pdf (p. 2).

  61. United States Department of Homeland Security. 2018 Public-Private Analytic Exchange Program. Phishing: Don’t be Phooled! Available from: https://www.dhs.gov/sites/default/files/publications/2018_AEP_Vulnerabilities_of_Healthcare_IT_Systems.pdf (p. 2).

Author information

Correspondence to Lee Kim.

Appendices

Appendix 1: Answers to Review Questions

  1. What is cybersecurity?

    The National Institute of Standards and Technology (NIST) defines cybersecurity as the “ability to protect or defend the use of cyberspace from cyberattacks.” Cybersecurity falls under the umbrella category of information security. Information security relates to the protection of information in whatever medium it may exist. Cybersecurity is a subset of information security and deals with information in electronic form (e.g., mobile devices, computer networks, servers, laptops, etc.). Cybersecurity involves protecting electronic information and assets from unauthorized access, use, and disclosure.

  2. What does patient safety have to do with cybersecurity?

    Within a cyberattack scenario, an attack on integrity can lead to tampered or otherwise incorrect or inaccessible patient information. This, in turn, can pose a potentially significant risk to patient safety. This is especially true where the clinician may rely on the tampered/altered information, and/or where the tampered/altered information relates to the delivery of critical medication (such as insulin in an infusion pump) for the patient, and/or to a life-saving or life-sustaining medical device (whose operation and/or configuration may have been altered). Thus, cybersecurity (and especially integrity) and patient safety are intertwined.

    Further, an attack on availability may lead to an asset, such as a computer system, device, network, and/or information, being unavailable at a particular moment in time. Depending upon the timing and criticality of what needs to be accessed, this may pose a potentially significant patient safety problem, especially if the patient is in a critical situation (such as in the intensive care unit, in the operating room, or otherwise in need of emergency treatment).

    For more information, please see DHS AEP—A Lifeline: Patient Safety & Cybersecurity—https://www.dhs.gov/sites/default/files/publications/ia/ia_vulnerabilities-healthcare-it-systems.pdf.

  3. What is the CIA triad and why is it important?

    Cybersecurity involves protecting electronic information and assets from unauthorized access, use, and disclosure. The three main objectives of cybersecurity, known as the CIA triad, are the confidentiality, integrity, and availability of information. All three are required in order for robust cybersecurity to be achieved. The failure of one or more of these components may mean that business operations, clinical operations, and/or patient safety are potentially placed in jeopardy.

  4. What is ransomware?

    Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid.

  5. What is phishing?

    Phishing is a social engineering tactic that is used to persuade individuals to provide sensitive information and/or take action through seemingly trustworthy communications. Phishing may take various forms, such as e-mail (e-mail phishing), social media (social phishing), phishing websites, voice calls (voice phishing), text messages (SMiShing), and the like.

  6. What is HIPAA?

    HIPAA is the Health Insurance Portability and Accountability Act of 1996. As of this writing, the most current version of HIPAA is the HIPAA Omnibus Rule. There are three components to the HIPAA Omnibus Rule: the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule.

    The HIPAA Privacy Rule sets forth permitted and required uses and disclosures of protected health information. Protected health information may exist in any form, including on paper, on film, and in electronic form. Protected health information is a form of individually identifiable health information.

    The HIPAA Security Rule sets forth requirements for electronic protected health information. In other words, the confidentiality, integrity, and availability of electronic protected health information must be maintained by covered entities and their business associates.

    The HIPAA Breach Notification Rule, 45 CFR §§ 164.400–414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

  7. Why is security awareness important?

    Every organization can benefit from security awareness presentations and training. Through such efforts, individuals learn about basic cyber hygiene (i.e., good security practices). Example topics for security awareness presentations and training include phishing, anti-virus software, maintaining good security practices while working from home or when traveling for work, and the like. (The difference between a security awareness presentation and training concerns depth: a more in-depth discussion of security awareness is usually provided during training, as opposed to a mere presentation on the topic.) HIPAA also mandates security training for healthcare covered entities and business associates.

Appendix 2: Definition of Key Terms

Administrative safeguard means a safeguard that is intended to protect the administrative aspects of securing an asset. For example, policies and procedures may be implemented to prevent, detect, contain, and correct security violations.

Anti-virus means a program specifically designed to detect many forms of malware and prevent them from infecting computers, as well as cleaning computers that have already been infected.

Asset means a resource that is valuable to an organization that must be protected.

Authentication means verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Availability means that information is made available as needed. When availability is compromised, this means that information is not available when it is needed.

Breach generally means an impermissible use or disclosure that compromises the security or privacy of the information (Footnote 44). While not all security incidents are breaches, some security incidents may rise to the level of a breach. Breach notification laws exist at the federal and state levels.

Business associate means a person or entity who is not a member of the workforce and who performs or assists in performing, for or on behalf of a covered entity, a function or activity regulated by HIPAA, including the Privacy Rule, involving the use or disclosure of individually identifiable health information, or that provides certain services to a covered entity that involve the use or disclosure of individually identifiable health information (Footnote 45).

Business associate agreement means a contract that a covered entity is required to enter into with its business associates to ensure that the business associates will appropriately safeguard protected health information (Footnote 46). (Please note: a contract has the same meaning as an agreement.)

Compensating controls means the security and privacy controls implemented that provide equivalent or comparable protection for a system or organization.

Confidentiality means that information is protected by preventing the unauthorized disclosure of information. When confidentiality is compromised, this means that there has been an unauthorized disclosure of information.

Countermeasures means the protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Countermeasures are synonymous with security controls.

Covered entity means (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers who electronically transmit any health information in connection with transactions for which the United States Department of Health and Human Services has adopted standards (Footnote 47).

Critical infrastructure means essential services and related assets that underpin American society and serve as the backbone of the nation’s economy, security, and health.

Cyberattack means an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.

Decryption means the process of changing ciphertext into plaintext using a cryptographic algorithm and key.

Defense-in-depth means that multiple safeguards are layered to protect an asset.

Denial of service (DoS) means an attack that occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. DoS attacks can cost an organization both time and money while their resources and services are inaccessible (Footnote 48).

Encryption means the process of changing plaintext into ciphertext using a cryptographic algorithm and key.

Firewall means a part of a computer system or network that is designed to block unauthorized access while permitting outward communication.

General phishing means a phishing attack that does not target specific individuals (Footnote 49).

HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, means the national standards that have been established to protect individuals’ medical records and other protected health information (PHI); it applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. It is a HIPAA regulation.

HIPAA Security Rule means the security standards for the protection of electronic protected health information, which establish a national set of security standards for protecting certain health information that is held or transferred in electronic form (also known as electronic protected health information or ePHI).

Incident response means incident handling (Footnote 50). Generally speaking, incident handling includes detection and analysis of an incident (e.g., determining whether an incident occurred and prioritizing its handling), containment, eradication, recovery from the incident, and post-incident activity (such as gathering lessons learned).

Integrity means that information is protected by keeping it intact. When the integrity of information is compromised, this means that the information has been modified without authorization from its original form.

Internet of Things (IoT) means devices, sensors, and the like (but other than computers, smartphones, or tablets) that connect, communicate, or otherwise transmit information with or between each other via the Internet.

Legacy systems means systems that may not have any ongoing support from the hardware and software vendor(s) that provided them (Footnote 51).

Malicious insider means an individual, such as an employee, former employee, contractor, business associate, or business partner, who has or had authorized access to an organization’s network, system, or information and who has intentionally exceeded or misused that access so as to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems (Footnote 52).

Malware means a computer program that is covertly placed onto a computer or electronic device with the intent to compromise the confidentiality, integrity, or availability of data, applications, or operating systems. Common types of malware include viruses, worms, malicious mobile code, Trojan horses, rootkits, spyware, and some forms of adware.

Multi-factor authentication means authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g., password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).

Nation-state actors are cyber threat actors who are typically motivated by political, economic, technical, or military agendas and who may engage in industrial espionage. Nation-state actors are typically highly sophisticated cyber threat actors (Footnote 53).

Negligent insider (also called an unintentional insider) means an individual, such as an employee, former employee, contractor, business associate, or business partner, who has or had authorized access to an organization’s network, system, or information and who, through action or inaction and without malicious intent, causes harm or substantially increases the likelihood of future serious harm to the confidentiality, integrity, or availability of the organization’s network, system, or information (Footnote 54).

Password spraying means an attack that tries a few commonly used passwords against a large number of accounts (Footnote 55).

Patch means a software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component.

Phishing means a social engineering tactic that is used to persuade individuals to provide sensitive information and/or take action through seemingly trustworthy communications (Footnote 56). Phishing may take various forms, such as e-mail (e-mail phishing), social media (social phishing), phishing websites, voice calls (voice phishing), text messages (SMiShing), and the like.

Physical safeguard means a safeguard that is intended to protect physical security of an asset.

Protected health information (PHI) generally means information that is created, transmitted, received, or maintained by a covered entity or a business associate, including demographic information, related to the past, present, or future physical or mental health or condition of an individual, provision of healthcare to an individual, or past, present, or future payment for the provision of healthcare to an individual, together with certain identifiers (which may serve to identify the individual patient).

Ransomware is a type of malicious software or malware that denies access to a computer system and data and demands the payment of ransom.

Ransomworm means a type of computer worm that, upon infecting a new system, encrypts a victim’s data and holds it for ransom until payment is received (Footnote 57).

Risk means a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Safeguards (also referred to as countermeasures and controls) means actions, devices, procedures, techniques, or other measures that reduce the vulnerability of a system. Safeguards may be physical, technical, or administrative in nature.

Security awareness means initiatives that are designed to change behavior or otherwise reinforce good security practices of individual users.

Security incident means an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Shadow IT means the use of systems, devices, applications, software, and services that are not authorized for use by the organization’s information technology department (Footnote 58).

Spear-phishing means a targeted phishing attack (Footnote 59).

Supply chain means the physical and informational resources required to deliver a good or service to the final consumer.

Technical controls (also referred to as security controls or technical security controls) means the security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.

Technical safeguard means a safeguard that is intended to protect the cybersecurity of an asset.

Threat means any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Trojan horse means a computer program that appears to have a useful function, but that also has a hidden and potentially malicious function that evades security mechanisms, sometimes by piggybacking on a legitimate process.

Vulnerability means a weakness in information systems, system security procedures, internal controls, or implementation/configuration of the same that may be exploited by a threat actor.

Whaling means a targeted phishing attack that is aimed at wealthy, powerful, or prominent individuals (e.g., C-suite executives such as chief financial officers (CFO) and chief executive officers (CEO), politicians, and celebrities) (Footnote 60).


Copyright information

© 2022 Springer Nature Switzerland AG

About this chapter


Cite this chapter

Kim, L. (2022). Cybersecurity: Ensuring Confidentiality, Integrity, and Availability of Information. In: Hübner, U.H., Mustata Wilson, G., Morawski, T.S., Ball, M.J. (eds) Nursing Informatics. Health Informatics. Springer, Cham. https://doi.org/10.1007/978-3-030-91237-6_26

  • DOI: https://doi.org/10.1007/978-3-030-91237-6_26

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-91236-9

  • Online ISBN: 978-3-030-91237-6

  • eBook Packages: Medicine (R0)