Why Hackers Pick on Healthcare
Skybox Blog Team Jun 30, 2015
As the healthcare industry shifts to more electronic medical records, we’ll continue to see an increase in massive attacks like those that hit Anthem (78.8 million patient records compromised), Premera (11 million patient records compromised) and Community Health Systems (4.5 million patient records compromised). That is, until the industry’s security practices catch up with the rest of its digitalization.
The Internet of Things Strikes Back
The prevalence of Internet-connected medical devices (see: everything) has exploded in recent years, but their security has taken a back seat. Medical devices commonly run out-of-date or unpatched operating systems. And, as the internal software isn’t managed by the healthcare network’s IT team, responsibility for implementing and maintaining device security falls to the manufacturer.
This creates a perfect formula for private backdoors, capable of steamrolling traditional security measures dutifully put in place by healthcare organizations. Hackers have taken note.
A recently discovered tactic, coined “MEDJACK” (medical device hijack), could allow an attacker to exploit a vulnerability medical device and navigate to a healthcare system’s main network. According to a PwC report, “47 percent of healthcare provider and payer respondents say they have integrated consumer technologies such as wearable health-monitoring devices or operational technologies like automated pharmacy-dispensing systems with their IT ecosystem.” That figure is only likely to rise, providing more points of entry to access patient data or worse.
The Cost of a Breach
stimates vary on the cost of data breaches. Studies suggest the average cost of a breach is anywhere from $3.8 to $5 million, with cost per record ranging from $145 to more than $194; costs per healthcare record may be as high as $363. These costs come from a variety of sources including post-breach forensic activities, implementing crisis teams, and lost customers. But what about the customers you may never have?
The cost of a good name may never be put in numbers. But would you rather be: A) a drug pump manufacturer enabling on-time medication doses for the most effective treatment; or B) a creator of rogue devices capable of handing a drug-loaded gun to cyber criminals? (Hospira drug infusion pumps are reportedly vulnerable to attacks that could increase dosages to fatal levels.) What happens to the image of a company facing 50 class-action lawsuits from one breach alone, let alone the legal costs?
Why Medical Records are Worth More
Medical records are estimated to be worth ten-times more than credit card records and contain the holy grail of personal information: social security numbers, billing information, birth date, policy number, and diagnosis codes. With these credentials, cyber criminals can create fake IDs to file false insurance claims, obtain free health services, or even buy up drugs or pricy medical equipment for resale. With a breached medical record, fraudsters can also continually open new credit accounts in victim’s names. In contrast, stolen credit card information must be used quickly before the card is canceled by their vigilant owners or more security-savvy banks and credit card companies.
And, thanks to the healthcare industry’s outdated IT security, cyber criminals often have more time—even years—to use breached information with impunity.
Take Premera, Please
Just how bad is healthcare’s IT security? Only three weeks before Premera’s network was breached, the health insurer received an audit courtesy of the Office of Personnel Management (despite its own security shortcomings).
The audit revealed Premera had server applications so old they were no longer supported by their vendors; had insecure configurations; and lacked recommended physical security protocols for its data centers. The audit also revealed Premerea was not implementing critical patches and software updates “in a timely manner.” Premera contested this point claiming they were in compliance with implementing critical patches, but OPM was unimpressed.
With sources saying more than 90 percent of data breaches are preventable, the healthcare industry—along with just about everyone else—needs to take a close look at their IT security beyond the compliance requirements. While compliance is a major concern for healthcare, it can’t be what drives security. “Check box security” is a peacetime tactic in a wartime environment.
Best Practices, Not Check Boxes
Total network visibility is the first step in effective, next-generation security. Knowing all your assets and threats against them; where your most valuable data rests and moves; and how attackers may infiltrate and run amuck in your network all start with visibility. Once you bring your attack surface into view, you can take actions to shrink it.
Staying on top of patches—critical or otherwise—is imperative to network security. While it may be impossible to patch everything everywhere, organizations need to have a means to prioritize patches in the context of their network and focus resources where they have the biggest impact.
Tracking vulnerability remediation progress or firewall change implementations shouldn’t be an afterthought. Ensuring the success of these actions through the end of the workflow means threats are neutralized and security gaps are closed. Period.
Until we see industries adopting these comprehensive approaches, we’re going to see a lot more headlines that our personal data has been exposed once again.
How’s your cyber hygiene? Keep your network healthy and ready for action with 5 steps to reduce your attack surface.
Vulnerability assessment beyond the scan. How Vulnerability Control gives you on-demand data, context-aware prioritization, and the tools for rapid response to emerging threats.
Don’t wait for the live show. Simulate attacks on your network and be ready when the attackers come knocking. See the demo.