A new report from SANS/Norse Security shows that healthcare organizations of all stripes face a significant threat from cyberattacks arriving through devices that are not always high on the security list. One such attack recently came in through a dialysis machine that had a data connection. The report finds that the networks and Internet-connected devices of organizations in virtually every healthcare category, from hospitals to insurance carriers to pharmaceutical companies, have been and continue to be compromised by successful attacks.
A network compromise often leads to a data breach, potentially exposing the personally identifiable information of millions of consumers as well as the organization’s own intellectual property and billing systems. Compromised networks also let cybercriminals use the organization’s infrastructure and devices to launch attacks on other networks and to execute billions of dollars’ worth of fraudulent transactions.
“I think what you’re seeing reflected in this report is a perfect storm of security officers being overwhelmed in terms of possible threats, along with the rush to digitize everything which creates new opportunities for adversaries that people might not immediately expect,” says Sam Glines, CEO and co-founder of Norse, in an interview with CivSource.
According to the report, 49,917 unique malicious events occurred within the healthcare IT environment during the period when intelligence was gathered, and even that was only a small sample of the data collected during that period. “Organizations have a tendency to deploy devices and leave in place factory issued passwords or settings, all of which are already known to adversaries,” Glines says. Given that reality, the number of attacks is less surprising.
Networks and devices at 375 U.S.-based healthcare-related organizations were compromised during the report’s study period, and some of them remain compromised. The compromised devices ranged from radiology imaging software to firewalls, Web cameras and mail servers.
Given the demand for and scope of healthcare and healthcare IT services, the data is startling, particularly because the report is primarily a picture of enterprise-level healthcare: hospitals, provider offices and the like. Add home healthcare workers, companies and devices and “the snowball gets bigger,” Glines notes. This is especially troubling because healthcare providers are already mandated to protect sensitive personal information under the HIPAA and HITECH laws on the books.
Cybercrimes such as identity theft, stolen information and fraud not only impose severe inconvenience on individuals but also drive additional healthcare costs that patients may not be able to recover. While most consumers are shielded from ecommerce-related theft and fraud expenses, they are responsible for costs stemming from compromised medical insurance records and files, costs that reached $12 billion in 2013.
“The sheer number of attacks being perpetrated against healthcare organizations is overwhelming, while the defenses in place are not nearly enough to neutralize them. So although the healthcare industry continues to search for ways to protect its data, many organizations are still not able to properly safeguard critical data, and both companies and consumers are paying the price,” Glines says.
New enforcement policies are in the pipeline at the federal and state level that will compel healthcare organizations to pay significant fines for noncompliance with cybersecurity and data protection rules; those fines start to come into play at the end of this year. The report’s data shows a clear need for such oversight and enforcement, which is alarming given the volume of sensitive personal data in the hands of healthcare providers. “I think frameworks like the one from NIST are a good first step, but unfortunately it is really going to be the threat of fines that pushes this issue over the edge. We’ve already seen it in critical industries like financial services which have had to deal with increased data security and compliance concerns over the past few years. In some ways you can think of this in the same vein as PCI compliance for that industry; it can’t all just be voluntary. Healthcare is going to have to build up security too.”