Cyberattacks becoming a plague upon healthcare organizations

Report sheds light on vulnerability of healthcare companies to hackers

According to a recently released report conducted by SANS, an organization devoted to IT security training, certification and research, and Norse, a provider of live threat intelligence-based security solutions, the healthcare industry has been inundated by cyberattacks. Between September 2012 and October 2013, the SANS-Norse Healthcare Cyberthreat Report recorded nearly 50,000 unique malicious events at healthcare organizations. Additionally, networks and devices at 375 U.S.-based healthcare-related organizations were found to be compromised during this period, some of which are still compromised.  

Compromised devices included everything from radiology imaging software to firewalls, web cameras and mail servers. The most frequently compromised systems were virtual private networks (VPNs), which accounted for more than 30 percent of all compromised connected end-points detected. The size of healthcare organizations examined in the report ranged from small providers, to health plans, pharmaceutical companies and other types of medical organizations.

Although the types of organizations studied were vast, the majority of malicious traffic emanated from healthcare providers (72 percent), followed by healthcare business associates (9.9 percent), health plans (6.1 percent), pharmaceutical companies (2.9 percent), and healthcare clearinghouses (0.5 percent). Other healthcare-related entities accounted for 8.5 percent of malicious traffic.

In examining the data, Norse CEO Sam Glines said he was struck by the lack of “basic security protocols” in place at organizations on the provider side, which would have prevented the simplest of attacks.

“What I mean by that is firewalls and edge devices that were running with a default password sent by the manufacturer, and that was fairly common, as well as public-facing IP addresses and firewalls with very simple passwords. The dichotomy between the data being protected and the lack of rigor and basic security 101 that was not present for these organizations, that was the biggest surprise for us,” said Glines. “The second surprise I guess was the number of embedded devices or what we would call Internet-of-Things-type devices that were attacking our infrastructure and had been compromised. We knew there would be some, but it was significant enough to where it allowed us to conclude that CISOs today are just awash with a mass influx of new technology connected to IP addresses that might not be considered as part of the overall security architecture for an entity.”

Many in the IT security community have also raised concerns about the ability of hackers to gain access to vital medical devices. According to an article published by Forbes, one of the sessions at last year’s Black Hat conference highlighted the vulnerability of devices such as insulin pumps and pacemakers, which could potentially be accessed and manipulated by hackers.   

“One with enough knowledge of the equipment and the ability to compromise a (medical device) that was life-sustaining, supporting or otherwise certainly has the ability to inflict harm,” said Glines. “I can’t say that Norse has reports of this happening in a hospital or in another situation where an individual was attacked. I think we would have read about that already, but it is a true statement to say that an adversary with knowledge of equipment used and the ability to gain access, which we’ve demonstrated as possible in the report, could cause harm to an individual.”  

Despite the potential of hackers being able to takeover medical equipment, Glines said the biggest threat remains cyber criminals that recognize the value of patient data on the black market. “With the rush of data to become digitized and land on the (healthcare) exchanges – when you combine that with lack of basic security controls – you’re presented with a situation where the threat is really the motivated, monetary incented attacker that can monetize this data at a rate of three-times to 10-times that of credit card information or personally identifiable information.”

This content continues onto the next page...