Elsevier

Advances in Computers

Volume 114, 2019, Pages 113-149
Advances in Computers

Chapter Three - Toward realizing self-protecting healthcare information systems: Design and security challenges

https://doi.org/10.1016/bs.adcom.2019.02.003Get rights and content

Abstract

This book chapter reviews the history of Healthcare Information Systems (HISs), discusses recent cyber security threats affecting HISs, and then introduces the autonomic computing concept and applies the concept to design self-protecting HISs (SPHISs) that can defend themselves against cyber intrusions with little or no human intervention. To realize such SPHISs, we first study security vulnerabilities of the HIS network, communication links and protocols. Based on these vulnerabilities, the component design of a SPHIS is presented. We propose that a SPHIS should contain monitoring systems, early estimation modules, intrusion detection, network forensics analysis devices and intrusion response systems. Finally, existing self-protecting approaches for HIS, enterprise systems and industrial control systems are demonstrated in detail. This chapter provides an innovated design of an autonomic security management system that could reduce IT professional's management burdens while enhancing the security posture of their HISs.

Introduction

“Medical informatics is the application of computer technology to all fields of medicine-medical care, medical teaching and medical research [1].” The history of medical informatics or Healthcare Information Systems (HISs) in the United States can be traced back to the 1950s with the breakthrough of information technology and the rise of computers. The primary stage of the development of HISs was from the 1950s to 1980s. In this period, scientists developed computer software to relieve human burdens from trivial calculation and daily diagnosis.

In the 1960s billing was the center of the HISs. In the same decade, the National Institute of Health in the USA (NIH) began to support medical informatics projects, which promoted the development of HIS. As a result, administrative and financial information systems (FISs) were developed in large hospitals and academic medical centers to support the management functions and general operations of the healthcare organizations [2]. In the 1970s Clinical Information Systems (CIS) containing patient clinical and health-related information was established. Meanwhile automatized data processing and computer-assistant medical decision-making were growing rapidly. Shared systems were still used in this period, and data processing was primarily centralized on mainframe computers.

The second stage of the modern HIS was from 1980 to 2000 with the introduction of artificial intelligence and the development of the Internet and microcomputers. In this period, CIS was continuously expanded world wide, from large hospitals to small ones. FISs and CIS were finally integrated, and distributed data processing became feasible. In 1991 the Institute of Medicine began recommending healthcare organizations to implement Computer-based Patient Record (CPR) for reducing national healthcare costs while enhancing the care of patients. By the end of 2000, the adoption rate of CPR was much lower than the expectation. Only 17% of 329 family practice residency programs were using a CPR at that time [3].

The third stage of HIS was from 2000 to present when electronic health record (EHR) and e-Health systems were widely adopted by healthcare organizations. According to a recent report from the Office of the National Coordinator for health information technology, by the end of 2015, 96% of the US hospitals possessed a certified EHR technology that met the technological capability, functionality, and security requirements required by the Department of Health and Human Services [4]. From the report, one can observe that the number of hospitals implementing at least one basic EHR significantly increased since 2008, from 9.4% to 83.8%. This adoption rate includes small hospitals in the rural areas. Note that more than 50% of the increment occurred in the 2011–2015 period.

Almost in the same period, the Internet of things (IoT) applications changed the traditional healthcare industry. Today patients can remotely access their medical data by the support of cloud computing technology. The development of mobile devices and healthcare wearables allows both physicians and patients to monitor patient's health in real time for improved health outcomes. Additionally, the real-time patient monitoring and advanced homecare medical devices reduce the cost of unnecessary physician visits and hospital readmissions [5].

Although the idea of HIS was brought forward in the 1950s, the general utilization of information technology in healthcare sectors has not seen a marked increase until recent 5 years. As soon as we began to enjoy the benefits of the HIS and the Internet of medical things (IoMT) for better quality of healthcare with a low maintenance cost, the HIS has quickly become the top target of cyber criminals. According to the 2016 IBM X-Force survey of assessing and examining the goings-on in the world of cyber security and cyber threats, healthcare was the most frequently attacked industry [6]. Over 112 million health records were compromised in 2015 [7]. Some of highly publicized HIS cyber security incidents include:

  • 1.

    Phishing: intruders masquerade themselves as trustworthy entities to obtain sensitive information by deceiving victims who are inside of healthcare IT networks. The phishing attack is one of social engineering attacks. As an example, victims receive email messages appearing to come from legitimate enterprises but actually from attackers. Victims follow attacker's commands such as downloading malware or granting privilege to the intruders, and finally HISs are compromised and scammers gain access to the database systems and monitor specific actions [8]. Although users are very familiar with the phishing attack, it is still successful and destructive. It has already become a great risk to the healthcare industry [9]. This is because phishing attacks are cheap, easy, and flexible to launch. Moreover non-technical people such as healthcare practitioners and senior patients who are not well trained have become a pool of potential victims.

    Recently the number of real-day phishing attacks that successfully compromise HISs have increased significantly. The largest healthcare cyber attack of 2015, Anthem Breach, which affected 78.8 million people, began with phishing emails sent to the employees working at Anthem INC. [10]. Phishing attacks also affected 220,000 patient information records of DeKalb Health Medical Group (DHMG), which was the eighth largest cyber attack in healthcare of 2015 [9, 11]. The ransomware attacks introduced later are one of the consequences of the phishing attacks, through which intruders gained access of the DHMG HIS, and resided in the system, monitored and obtained the organization's activities from November 2013 to January 2015. Moreover, intruders set up a fraudulent donation webpage, which was similar to the DHMG's charity donation page and sent phishing emails to ransomware attack victims for financial rewarding [12].

    In recent 2 years several severe CEO phishing attacks compromised HISs. For instance, 11,000 W-2s information from healthcare workers of Pennsylvania Main Line Health was compromised via the attack in February 2016 [13]. In the same month, a similar cyber attack compromised St. Joseph's Healthcare System and 5000 employee's earning data was stolen [14]. Intruders generally masqueraded themselves as CEOs of their target organizations and sent spoof emails to the employees from a seemingly legitimate source, and eventually gained the access to patient and employee's information from the compromised HISs.

  • 2.

    Malware: Computer malware is four times more likely to be seen in healthcare organizations than other industries [15]. Following the initial attack vector such as social engineering attacks, healthcare employees may download and spread malware into their HISs. According to a study in 2015 conducted by the Health Information Trust Alliance (HITRUST), 52% of 30 mid-sized US hospitals were infected with malware, and the most common type was ransomware [16].

    Ransomware attacks can encrypt all files of the compromised information systems to deny legitimate access to the data. One of the most influenced HIS ransomware attacks happened in February 2016. The attackers encrypted Hollywood Presbyterian Medical Center hospital's data and seized control of its computer systems. The ransomware attacks significantly disturbed the hospital's normal operations and paralyzed its EHR system. The hospital ultimately paid $17,000 to the hacker for restoring the functions of their computer systems [17]. Following the first ransomware attack, five similar attacks were found in the next several months. The same attack vector was used to gain accesses to information systems of hospitals and healthcare organizations in CA, KY, and Washington DC.

    Incidents caused by ransomware attacks may even lead to sensitive personal and treatment data breaches. On August 24 and 25, 2016, Man Alive Inc. Lane Treatment Center was attacked by the ransomware attack that gained unauthorized access to their EHR systems, stole patients’ mental health and substance abuse records, and finally sold the records on a dark web [18]. This attack highlights new challenges that the healthcare organizations can face in securing EHR containing extra-sensitive patient records.

  • 3.

    SQL Injection: Attackers exploit vulnerabilities of the traditional SQL database applications used in HISs to bypass the authentication process. Intruders therefore access unauthorized Personal Health Information (PHI) that lead to sensitive data breaches. In May 2016, anonymous hackers attacked 33 Turkish hospitals databases via SQL Injection attacks and leaked more than 10 millions Turkish medical healthcare records [19, 20]. It is very likely that the same attack vector was adopted by another team of hackers who compromised personally identifiable information of 1400 employees working at York Hospital in Maine in early 2016 [21, 22].

  • 4.

    Distributed Denial of Service (DDoS): This is the most common hackvisit attack overloading healthcare servers with adverse traffic to shut down EHR and email systems; thus preventing legitimate requests accessing HIS resources (e.g., critical patient information) [23, 24].

    Anonymous attackers have conducted various DDoS attacks to enterprise and healthcare information systems against politicians, companies, and governments [23]. Boston Children's Hospital (BCH) was the first healthcare organization targeted by a DDoS attack in 2014 “in response to the diagnosis and treatment of a 15-year-old girl who had been removed from her parent's care by the Commonwealth of Massachusetts [23].” The DDoS attacks began with a threat and has involved three major strikes for several months [25]. The hospital immediately reacted to and mitigated the attacks with the help of third-party security companies. Even though the DDoS attacks did not significantly damage BCH HISs, their experience shows that every healthcare entity is the potential target and victim of DDoS attacks.

Healthcare and public health is one of 16 critical infrastructure sectors [26]. Unlike other computing systems, HISs are lagging in terms of proper cyber security defense and investment [27]. Medical information, however, is valuable for hackers and this makes HISs popular targets for cyber attacks. One recent survey shows that 340% more information security incidents occurred in the healthcare sector than other industries [28]. According to 2015 KPMG Healthcare Cyber Security Survey [29], only 53% of healthcare providers and 66% of health insurers out of 223 US-based healthcare organizations said that they are prepared to defend against an attack. 81% of healthcare organizations have been compromised by cyber attacks in the past 2 years.

Current healthcare organizations continuously rely on security solutions such as antivirus, firewalls and data encryption to secure their IT environment. However, HIS security is still largely at risk from sophisticated Brute Force, Phishing, Malware, SQL Injection, and DDoS attacks [30]. The biggest barriers of healthcare organizations to mitigate cyber security events are lack of financial resources and appropriate cyber security professionals. The large amount of emerging threats and the complex nature of current network infrastructure made the HIS protection even harder [30]. Therefore, there is a great urgency to develop more advanced and cost-efficient security solutions to reduce the human burden of managing and mitigating HIS threats and vulnerabilities.

Autonomic Computing (AC) technology was inspired by the autonomic nervous system that regulates and maintains homeostasis from the unconscious efforts of the brain. In an analogous way, AC technology allows computing systems and applications to manage themselves with minimum human intervention. The self-protection capacity has been applied to securing enterprise computing systems and Supervisory Control and Data Acquisition (SCADA) systems from both internal and external known or zero-day attacks with little or no human intervention [[31], [32], [33], [34], [35], [36]]. A similar approach can be developed to supplement the system administrator's responsibility to anticipate and defend the HIS as a whole from malicious activities.

Section snippets

Autonomic computing and self-protecting HISs

The self-protection aspect of autonomic computing can be used to secure and safeguard HIS communications, properly grant authorization privileges, and evaluate performance of security mechanisms toward achieving greater resiliency. By continuously monitoring measures of performance and security, autonomic systems can ascertain differences associated with normal vs abnormal system behavior. With the usage of mathematical techniques for intrusion detection and response evaluation algorithms, the

Healthcare information system

Before we introduce how to realize a self-protecting HIS, let us first understand the computer network, components and communication standards of a typical Healthcare Information System (HIS). The HIS normally contains FISs and CISs. Similar to an enterprise system, a HIS adopts a three-tier client–server architecture that contains a web tier, an application tier, and a data tier for retrieving and storing healthcare related information. As shown in Fig. 5, the web tier, also known as the

HL7 messaging standard

This section introduces one of the most widely used HIS communication standards, Health Level Seven (HL7), and its security risks. HL7 was developed by a nonprofit organization providing a comprehensive framework and developing standards for the communication of electronic health information [50].

HL7 was founded in 1987. Currently, it has more than 2500 members representing 90% of HIS vendors from 55 countries. The recent report [50] shows that 95% of US healthcare organizations are using the

State-of-the-art research for enhancing HIS security

3 Healthcare information system, 4 HL7 messaging standard introduce HIS networks, communication standards and the potential security threats. In this section we present state-of-the art research on enhancing HIS security. The HIS can be categorized as an enterprise system and hence, the self-protecting feature in HISs is still in the initial stage. Therefore, besides surveying research on enhancing HIS security posture, we also reviewed existing technology to protect information systems in

Conclusion

This book chapter first reviewed the history of healthcare information systems (HISs), introduced and analyzed recent emerging cyber breaches that affected HISs, and then proposed the autonomic computing concept and applied the concept to design self-protecting HISs (SPHISs) that can defend themselves against cyber intrusions with little or no human intervention. To realize such SPHISs, we studied security vulnerabilities residing in HIS networks and the HL7 communication standard, presented a

Acknowledgments

This study is supported by supported by the National Science Foundation (NSF) under Grant No. 1812599. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the NSF.

Dr. Guenevere (Qian) Chen is an Assistant Professor with the Department of Electrical and Computer Engineering at the University of Texas at San Antonio (UTSA). Before joining UTSA, Dr. Chen was an Assistant Professor and Coordinator of the Computer Science Technology Program at Savannah State University. She earned her Ph.D. degree in Electrical and Computer Engineering from Mississippi State University in 2014. Dr. Chen's primary research area is autonomic computing and cyber security. She

References (109)

  • E. Snell

    Healthcare cybersecurity knowledge gaps in phishing awareness

    (2016)
  • K. Santos

    Phishing attacks target health care sector

    (2014)
  • M.J. Schwartz

    Anthem breach: phishing attack cited

    (2015)
  • 10 largest healthcare cyber attacks of 2015

    (2016)
  • A. Ellison

    More than 1,300 dekalb health patients’ information compromised by cyberattack, phishing scheme

    (2014)
  • S. Sjouwerman

    CEO fraud phishing attack steals 11,000 W-2s from health care workers

    (2016)
  • L. Washburn

    St. Joseph's healthcare system falls victim to phishing scam

    (2016)
  • D. Bisson

    Healthcare industry is four times more likely to be impacted by advanced malware than other industries

    (2015)
  • R. Moskovitch et al.

    Malicious code detection using active learning

  • R. Winton

    Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating

    (2016)
  • M.K. McGee

    More breaches expose mental health, substance abuse data

    (2016)
  • Anonymous published more than 10 millions turkish medical healthcare records

    (2016)
  • Healthcare records from 33 turkish hospitals leaked by anonymous

    (2016)
  • J.S. Davis

    York hospital breach compromises PII of 1,400 employees

    (2016)
  • Worldwide hospital cyber-attacks posing danger to patient data

    (2016)
  • Hacking healthcare IT in 2016: Lessons the Healthcare Industry Can Learn from the OPM Breach

    (2016)
  • J. Belliveau

    How DDoS attack increase may affect healthcare cybersecurity

    (2016)
  • DDoS case study: DDoS attack mitigation boston children's hospital

    (2016)
  • Critical infrastructure sectors — homeland security

    (2016)
  • M. Heller

    Health care's cyber-security spend found lacking

    (2015)
  • B. Glick

    Healthcare sector 340% more prone to IT security threats

    (2015)
  • G. Bell et al.

    HEALTH care and cyber security: increasing threats require increased capabilities

    KPMG

    (2015)
  • HIMSS cybersecurity survey

    (2015)
  • Q. Chen et al.

    An autonomic detection and protection system for denial of service attack

  • Q. Chen et al.

    A model-based approach to self-protection in SCADA systems

  • Q. Chen et al.

    A model-based validated autonomic approach to self-protect computing systems

    IEEE Internet Things J.

    (2014)
  • Q. Chen et al.

    A model-based approach to self-protection in computing system

  • Q. Chen et al.

    Towards automatic security management: a model-based approach

  • Q. Chen et al.

    Towards realizing self-protecting SCADA systems

  • J.O. Kephart

    Autonomic computing: the first decade

  • M. Parashar et al.

    Autonomic computing: an overview

  • J.O. Kephart et al.

    The vision of autonomic computing

    Computer

    (2003)
  • Y. Diao et al.

    A control theory foundation for self-managing computing systems

    IEEE J. Sel. Areas Commun.

    (2005)
  • Q. Chen et al.

    Towards autonomic security management of healthcare information systems

  • Q. Chen et al.

    Towards realizing a self-protecting healthcare information system

  • Risk Analysis Guide for HITRUST Organizations & Assessors

    (2016)
  • Q. Chen et al.

    Model-based autonomic security management for cyber-physical infrastructures

    Int. J. Crit. Infrastruct.

    (2016)
  • Architecture of health IT

    (2016)
  • Introduction to HL7 standards

    (2016)
  • DICOM: about DICOM

    (2016)
  • Cited by (7)

    View all citing articles on Scopus

    Dr. Guenevere (Qian) Chen is an Assistant Professor with the Department of Electrical and Computer Engineering at the University of Texas at San Antonio (UTSA). Before joining UTSA, Dr. Chen was an Assistant Professor and Coordinator of the Computer Science Technology Program at Savannah State University. She earned her Ph.D. degree in Electrical and Computer Engineering from Mississippi State University in 2014. Dr. Chen's primary research area is autonomic computing and cyber security. She developed an Autonomic Security Management framework that proactively defends the computing systems against known and unknown cyber attacks with little or no human intervention. The ASM framework has been successfully applied to secure distributed systems, industrial control systems (e.g., SCADA), high performance and cloud computing and the Internet of Things (IoT) ecosystems. Her research interests include risk assessment, malware behavioral analysis, early warning intrusion detection and response, and end-to-end security solution development.

    View full text