The Way Sunnylake Deals with the Attack - Case Study Example

How should Sunnylake deal with the attack?

The Sunnylake case study illustrates how an unjustified delegation of the CEO's powers to the head of the IT department without sufficient control, as well as poor network security management in healthcare, can bring about grave consequences, endangering not only the whole hospital business but hundreds of human lives as well.

1. Brief overview of use of information technologies in healthcare

The initial idea of Paul Layman, the CEO of Sunnylake Hospital, to equip the small hospital with a cutting-edge digital electronic medical records (EMRs) system was clever and logical. He was right that information technology can substantially improve the safety of medical care by structuring actions, catching errors, and bringing evidence-based, patient-centered decision support. Bates and Gawande (2003) assert that nearly half of serious medication errors have been caused by insufficient information about the patient and the drug. They also note other common factors: a failure to provide sufficient specificity in an order, illegibility of handwritten orders, errors of calculation, and errors in transcription. EMRs systems help to make knowledge about patients' treatment more readily accessible, assist with calculations and monitoring, perform checks in real time, and provide decision support.

One of the main benefits of using EMRs systems for clinical tasks is that they make it possible to implement "forcing functions" — features that restrict the way in which tasks may be performed (Bates and Gawande, 2003). For example, prescriptions written on a computer can be forced to be legible and complete. Figure 1 shows the percentage of medication orders with doses exceeding the permissible maximum during 1 month before computerized order entry, during 1 month after the computerization and during the next 3 years. One can see that the percentage decreased dramatically.

Figure 1. Percentage of Medication Orders with Doses Exceeding the Maximum (Bates and Gawande, 2003).

It should also be noted that personnel's resistance to adopting a new IT system, which Paul Layman experienced in the Sunnylake Hospital, is quite typical for many hospitals. Gupta (2008) identifies the 3 top barriers to adoption of IT in healthcare organizations: start-up costs (56%), lack of uniform standards (44%), and lack of time (39%).

2. Paul's mistakes before the attack

Paul succeeded in finding an appropriate EMRs system and a quite earnest IT director, Jacob Dale, who did his best to complete the project successfully. Paul made every effort to overcome the resistance of medical staff that feared changes, and after some time the entire staff was using electronic devices, admitting that EMRs had really increased the efficiency of the work. But then Paul made his first and fatal mistake – he was so happy with the success of the EMRs system that he did not devote any attention to network security and patients' privacy protection issues.

Paul should have kept in mind that one of the main responsibilities of any company's management is to protect corporate information and preserve customers' individual privacy. With the global boom in the Internet, hacking became widespread, and over the years it has become more sophisticated and nastier, in healthcare in particular. The information security services provider SecureWorks from Atlanta, which protected 82 healthcare companies in the USA in February 2010, reported that during the first nine months of 2009 it saw an average of 6500 attack attempts per day, and that this number doubled in the fourth quarter of 2009 to 13 400. 50 percent of large hospitals experienced at least one data breach in 2009. According to SecureWorks' solutions architect Beau Woods: "Healthcare happens to be a good target for hackers because it has a lot of different types of information" (Miliard, 2010). Figure 2 shows which types of organizations are attacked most often.
Figure 2. Types of the most attacked organizations (Shezaf et al, 2007).

Kaspersky Lab also confirms that during the period 2007–2009 the number of new threats rose significantly (Aseev et al., 2009). While in 2007–2008 the number of new threats increased exponentially, in 2009 almost the same number of new malicious programs was identified as in 2008: approximately 15 million (see Figure 3).

Figure 3. Number of malicious programs in the Kaspersky Lab (Aseev et al., 2009)

Aseev and Gostev (2009) suggest that the twenty most common vulnerabilities (mistakes in software that can be directly used by a hacker to gain access to a system or network) all belong to the "remote" category, i.e. they can be exploited by cybercriminals even if they do not have direct local access to the victim machine. The most dangerous of these is "system access", as this effectively gives a cybercriminal full access to the system. 19 out of the 20 vulnerabilities potentially provide "system access" and five can result in the loss of sensitive data. This is exactly what happened in the Sunnylake Hospital.

If Paul Layman had been more concerned about the state of their network security, he could have found a huge amount of useful information (in books, magazines and on the web). He could have developed an effective network security strategy and ensured it was properly carried out, not allowing cyber vandals to hack the network. But unfortunately he was evidently among the 2 % of CEOs (see Figure 4) who become aware of information security only during a crisis.

Figure 4. How often are CEOs briefed about information security? (Bednarczyk, 2009)

One could also assume there was neither a detailed job description for Jacob Dale nor a proper functional diagram for the IT department that clearly assigns network security responsibilities among personnel. Evidently, the entire work of the IT department, and its network security functions in particular, was out of the CEO's control.
There was also no formal corporate policy that would set network and information security rules for the hospital's staff as a whole. This seems quite irresponsible, taking into account that there are a number of governmental legislative acts on the "processing of personal data" in many countries. For example, the seventh data protection principle of the UK's Data Protection Act 1998 requires that all data processing be undertaken in a secure environment. This requires appropriate measures to be adopted to ensure that unauthorized processing does not occur and that data are not accidentally lost, stolen or destroyed (Privacy & Data Protection Limited, 2002). The USA's Department of Health and Human Services (HHS) Privacy Rule (65 Fed. Reg. 82462) requires obtaining patient consent before releasing information (Gale, 2003).

There are also a lot of other well-established standards for security in healthcare information systems (HIS) (Kokolakis et al., 2002), for example:

  • Secure User Identification for Healthcare; Identification and Authentication by Password-Management and Security (prENV12251) of the European Committee for Standardisation (CEN)
  • Standard Guide for Confidentiality Privacy Access and Data Security Principles for Healthcare Information Including Computer-Based Patient Records (E1869-97) of the ASTM (American Society for Testing Materials)
  • Provisional Standard Guide on Security Framework for Healthcare Information (PS101-97) of the ASTM

There are many other formal standards and recommendations that would be very useful for the Sunnylake management in protecting their network.

3. Paul's mistakes during the attack

Undoubtedly, Paul's main mistake during the attack was that he did not inform the IT department about the first email from the hackers. Even though the IT guys had done little for network protection before, they would have been able to take reasonable steps to defend it at short notice.
Paul's next big mistake was that he did not bring in somebody more sophisticated and experienced in repelling hackers' attacks, even after he realized that Sunnylake's IT department was unable to cope with the problem. The IT department fought the whole day without results, and there was little hope they could win this cyber war. At the same time, today there are a number of third-party companies that offer a whole range of services, from security event monitoring to threat intelligence to compliance and content filtering, at a reasonable cost (Forrester Research, 2010).

I consider Paul showed a lack of skills in inter-organisational conflict management and leadership as well. He did not manage to communicate with the staff effectively enough to avoid excessive emotion, aggressiveness and misunderstandings. The worst thing was that these emotions resulted in opposition and stubborn resistance to the EMRs system, and it seems practically impossible to get doctors to trust the system again. To prevent the resistance, Paul should communicate with doctors and other personnel so as to explain the situation clearly and give them an understanding of the reasons and possible solutions, asking for their help and support. Paul should try to persuade the personnel not to abandon work with the EMRs system and promise to protect data in the network in the nearest future.

One more important mistake is that Paul did not communicate externally, with governmental structures and media. Nowadays the struggle against cyberterrorism is one of the major national security tasks in many countries. Governments have created special national networks of computer-literate agents that can help monitor, track and pursue online hackers.

4. What should they do to cope with the attack?

The first thing Sunnylake should do is calm down. They have already suffered great stress and frustration, so further emotions would only be destructive.
Paul should communicate with the personnel to explain the situation as described above. Under no circumstances should he pay the hackers! It is better to spend the money on recovering the system and on protecting the network after the incident.

The IT department should disconnect all servers and computers from the internet and the local area network. The fact that every attempt by the IT department to repair the system was defeated by the hackers within a minute indicates that they are likely working over the internet. Sometimes even an experienced IT professional will not realise that a computer is infected with a virus. This is because viruses can hide among regular files or camouflage themselves as standard files (Kaspersky Lab, 2010). That's why I would suggest to Paul to contract a third-party service organization that is able to solve the problem as soon as possible.

The good news is that Sunnylake had all records backed up. However, while the system is being recovered, it would be necessary to keep medical records by hand, trying not to make serious life-threatening decisions.

5. What should they do after the attack?

An initial and principal step is to develop a comprehensive, effective, enterprise-wide security strategy and policy that would consider the following issues (Pille and Ryan, 1999):

  • Resource protection requirements (what information is private, confidential, or sensitive?)
  • Resulting organizational issues (if a violation occurs, what is the potential impact?)
  • Unauthorized users (are there procedural methods that must be in place to protect information?)
  • Legal conditions (what are the legal requirements and/or obligations regarding various types of information?)
  • Cost versus security (what investments can be made in the interest of security?)
Once the policy has been developed, it should be enforced using the many available tools and technologies, so that they provide the basic security functions: authentication, access control, regular monitoring, auditing, encryption and decryption.

Technology, of course, is a core part of any solution for dealing with malware, but it would be unwise to ignore the human dimension of security. The corporate security strategy will be less effective if it doesn't address the human element (Emm, 2010). Every person working in the Sunnylake Hospital, from an intern to the CEO, should understand her role and duties in network security, as well as the consequences of her actions in the network. Education and awareness are the keys to helping employees recognize and understand it.

References

Aseev, E., Gostev, A., and Maslennikov, D. (2009) Kaspersky Security Bulletin 2009. Malware Evolution 2009. Moscow, Kaspersky Lab. [Online] Available from: http://www.viruslist.com/en/viruses/analysis?pubid=204792101 [Accessed 21 March 2010]

Aseev, E., and Gostev, A. (2009) Kaspersky Security Bulletin 2009. Statistics 2009. Moscow, Kaspersky Lab. [Online] Available from: http://www.viruslist.com/en/viruses/viruses/analysis?pubid=204792098 [Accessed 21 March 2010]

Bates, D.W., & Gawande, A.A. (2003) Improving Safety with Information Technology. The New England Journal of Medicine, 348 (25), 2526-34.

Bednarczyk, M. (2009) Well - Meaning Employees - And How To Stop Them. Information Week Analytics, March 2009. New York, United Business Media. [Online] Available from: http://www.darkreading.com/insiderthreat/util/download.jhtml?id=174900020&cat=whitepaper [Accessed 21 March 2010]

Emm, D. (2010) Patching human vulnerabilities. Moscow, Kaspersky Lab. [Online] Available from: http://www.viruslist.com/en/viruses/analysis?pubid=204792106 [Accessed 21 March 2010]

Forrester Research. (2010) Market Overview: Managed Security Services. Cambridge, Forrester Research. [Online] Available from: http://www.forrester.com/go?docid=56068 [Accessed 21 March 2010]

Gale, Inc. (2003) Doctor-Patient Confidentiality. In: Gale encyclopedia of everyday law. Shirelle Phelps, ed. Farmington Hills: Gale World Headquarters. [Online] Available from: http://www.enotes.com/everyday-law-encyclopedia/doctor-patient-confidentiality [Accessed 21 March 2010]

Gupta, P. (2008) IHE and CPOE: The Twine Shall Meet for Healthcare. In: Mall, P.B., ed. IT in Healthcare and Lifesciences. SETLabs Briefings, May, 37-42. Infosys Technologies Limited, SETLabs.

Kaspersky Lab (2010). What to Do If Your Computer Is Infected. Moscow, Kaspersky Lab. [Online] Available from: http://www.viruslist.com/en/viruses/encyclopedia?chapter=153280800 [Accessed 21 March 2010]

Kokolakis, S., Grizalis, D., Katsikas, S. & Ottes, F. (2002) Overview on Security Standards for Healthcare Information Systems. In: Barber, E.B. et al, eds. Security Standards for Healthcare Information Systems. Amsterdam, IOS Press, 13-23.

Miliard, M. (2010) Healthcare top target for hackers. Healthcare IT News. [Online] Available from: http://www.healthcareitnews.com/news/healthcare-top-target-hackers [Accessed 21 March 2010]

Pille, B.T., and Ryan, K. (1999) Information System Integrity and Continuity. In: Strategies and Technologies for Healthcare Information: Theory into Practice. Ball, M.J. et al., eds. New York, Springer-Verlag.

Privacy & Data Protection Limited. (2002) The Ultimate Guide to the Data Protection Act 1998. London, Privacy & Data Protection Limited. [Online] Available from: http://privacydataprotection.co.uk/guide/part1/ [Accessed 21 March 2010]

Shezaf, O., and Breach Security Labs (2007) The Web Hacking Incidents Database 2007. Annual Report. Carlsbad, Breach Security Incorporation. [Online] Available from: http://www.breach.com/assets/files/resources/breach_security_labs/2008/02/The%20Web%20Hacking%20Incidents%20Database%20Annual%20Report%202007.pdf [Accessed 21 March 2010]
The Way Sunnylake Deals with the Attack Case Study. https://studentshare.org/medical-science/1734859-how-should-sunnylake-deal-with-the-attack