Cyberattacks becoming a plague upon healthcare organizations

According to a recently released report conducted by SANS, an organization devoted to IT security training, certification and research, and Norse, a provider of live threat intelligence-based security solutions, the healthcare industry has been inundated by cyberattacks. Between September 2012 and October 2013, the SANS-Norse Healthcare Cyberthreat Report recorded nearly 50,000 unique malicious events at healthcare organizations. Additionally, networks and devices at 375 U.S.-based healthcare-related organizations were found to be compromised during this period, some of which are still compromised.  

Compromised devices included everything from radiology imaging software to firewalls, web cameras and mail servers. The most frequently compromised systems were virtual private networks (VPNs), which accounted for more than 30 percent of all compromised connected end-points detected. The size of healthcare organizations examined in the report ranged from small providers, to health plans, pharmaceutical companies and other types of medical organizations.

Although the types of organizations studied were vast, the majority of malicious traffic emanated from healthcare providers (72 percent), followed by healthcare business associates (9.9 percent), health plans (6.1 percent), pharmaceutical companies (2.9 percent), and healthcare clearinghouses (0.5 percent). Other healthcare-related entities accounted for 8.5 percent of malicious traffic.

In examining the data, Norse CEO Sam Glines said he was struck by the lack of “basic security protocols” in place at organizations on the provider side, which would have prevented the simplest of attacks.

“What I mean by that is firewalls and edge devices that were running with a default password sent by the manufacturer, and that was fairly common, as well as public-facing IP addresses and firewalls with very simple passwords. The dichotomy between the data being protected and the lack of rigor and basic security 101 that was not present for these organizations, that was the biggest surprise for us,” said Glines. “The second surprise I guess was the number of embedded devices or what we would call Internet-of-Things-type devices that were attacking our infrastructure and had been compromised. We knew there would be some, but it was significant enough to where it allowed us to conclude that CISOs today are just awash with a mass influx of new technology connected to IP addresses that might not be considered as part of the overall security architecture for an entity.”

Many in the IT security community have also raised concerns about the ability of hackers to gain access to vital medical devices. According to an article published by Forbes, one of the sessions at last year’s Black Hat conference highlighted the vulnerability of devices such as insulin pumps and pacemakers, which could potentially be accessed and manipulated by hackers.   

“One with enough knowledge of the equipment and the ability to compromise a (medical device) that was life-sustaining, supporting or otherwise certainly has the ability to inflict harm,” said Glines. “I can’t say that Norse has reports of this happening in a hospital or in another situation where an individual was attacked. I think we would have read about that already, but it is a true statement to say that an adversary with knowledge of equipment used and the ability to gain access, which we’ve demonstrated as possible in the report, could cause harm to an individual.”  

Despite the potential of hackers being able to takeover medical equipment, Glines said the biggest threat remains cyber criminals that recognize the value of patient data on the black market. “With the rush of data to become digitized and land on the (healthcare) exchanges – when you combine that with lack of basic security controls – you’re presented with a situation where the threat is really the motivated, monetary incented attacker that can monetize this data at a rate of three-times to 10-times that of credit card information or personally identifiable information.”

Glines said the continued implementation of the Affordable Care Act, more commonly known as Obamacare, will create a “richer target environment” for cyber criminals as more and more people enter their information online.   

“Those responsible for the security of the data, obviously, must be held accountable and ensure that the proper security controls are in place for a couple of reasons,” said Glines. “One, because that’s the responsibility that comes with owning and maintaining patient data, but also because at the end of this year, the pointed end of the stick that really gets moving starts to go into effect which is the monetary fines and penalties for a breach of data. Not that there haven’t been some fines that have been levied, but it has been few and far between, so that will change presumably.”    

Glines believes that one of reasons for this glaring lack of IT security at many healthcare organizations is due to a lack of education or understanding about what best practices mean for network security.

“There are certainly those that believe that, ‘if I buy a firewall off the shelf, plug it in, turn it on and I get the green light that I’m good go,’ but there’s more to it than that in terms of configuration,” added Glines. “I think it’s mostly a lack of knowledge about responsibilities and/or skills. I don’t think anyone is knowingly putting this at the bottom of the list of things they’re responsible for or things that they need to get done for the day. But I will say until a board of directors recognizes that if I don’t invest in the right education, skill sets or resources within my organization it will affect my earnings. It will be at that time when the right level of education starts to make its way into these organizations.”   

Of the malicious events examined in the report, Glines estimated that anywhere from 25 to 50 percent of them could have been avoided if the organization had of implemented basic security measures, such as good authentication and password policies. Although the SANS/Norse report focused on the U.S., it did look at IT security as it relates to healthcare organizations in other parts of the world and found that European companies had a much better security posture than their American counterparts.  

“One interesting finding was that in Europe in the developed EU countries, the number of incidents were far less on an apples-to-apples basis than that of the U.S., which is directly attributable to the more aggressive stance that the EU has with respect to data privacy laws and penalties for those that are not compliant versus the U.S.,” said Glines.

While data breaches inflict damage to the reputations of companies affected by them, Glines said the real danger, especially for small-to-mid-sized businesses, are the fines that will become increasingly harsh moving forward.

“The smaller you are, the less likely you are able to recover from an attack that is serious enough to be a breach,” added Glines. “For the mid-market and small-to-medium-sized businesses, the potential impacts are devastating in terms of ending a company’s existence. For the larger companies, they can withstand it, but it will be a rough quarter or two.”