Did you know that the healthcare industry is a far easier target for hackers than banking or retail? Healthcare systems have more entry points: cybercriminals can attack medical devices such as CT and PET scanners, MRI machines, and PACS via MEDJACK (medical device hijack) and infect them with malware, creating backdoors into your hospital network.
Hackers on the darknet are already discussing the possibilities. They can sit on PHI (Protected Health Information) for a year or more, knowing that the stolen data will eventually create a highly lucrative financial nest egg.
Last year, the FBI distributed private notices to healthcare providers urging them to report suspicious or criminal activities to the FBI. The notices stated that the healthcare industry is not as resilient to cyber intrusions because its security is not as mature as that of the financial and retail sectors, “therefore the possibility of increased cyber intrusions is likely.”
HIMSS cybersecurity expert Lisa Gallagher recently told Politico that healthcare companies should be spending at least 10 percent of their information technology budgets on security. In the Global State of Information Security® Survey 2015 [2], PWC said that electronic data contained in electronic health records (EHRs) and healthcare information exchanges (HIEs) has become increasingly tempting to cyber criminals. The good news is that PWC noted an uptick in healthcare security as healthcare payers and providers began taking cyber-threats seriously. The report also noted that investment in information security increased 66 percent over 2013, and spending on information technology is up 53 percent.
On the flip side, as healthcare systems become more internet-connected, entry points for cyber-attacks can mushroom. With the rising use of BYOD devices such as smartphones and tablets, monitoring the flow of patient data becomes more difficult. There is also the possibility of insider threats, which consist of hackers compromising “privileged user” credentials. According to the 2015 Vormetric Insider Threat Report, the most dangerous insiders in healthcare are privileged users [3]:
“Privileged users traditionally have access to all resources available from systems that they manage, and credentials for their accounts are a top focus of outside attackers.”
Other inauspicious threats that lurk silently in the background are old legacy systems, outdated software, employee negligence, unencrypted computing devices (laptops, USB sticks), and unsecured files that are accessible via the Internet.
“It’s important that everybody understands that if you have a computer that is outward-facing—that is connected to the web—that your computer is at some point going to be under attack.” —Richard McFeely, FBI Executive Assistant Director
You can find medical devices and databases exposed on the public Internet with the Shodan search engine. Many healthcare organizations use NoSQL MongoDB for database management and document stores. At the time of this writing, a MongoDB search returned more than 38,000 databases facing the public Internet.
John Matherly, founder of Shodan, wrote a more extensive blog post on the subject and stated that the vast majority of MongoDB instances operate in the cloud without authorization enabled. Earlier this year, three students from the Centre for IT Security at the University of Saarland in Germany discovered that MongoDB databases running as a service on TCP port 27017 were easily accessible via the Internet. The scariest part of their research was that they were able to gain read and write access to unsecured MongoDB databases without using any special hacking tools.
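For administrators who want to check their own servers for the two conditions described above (no authorization, listening beyond localhost), the following is an added example and not code from Shodan, the Saarland researchers, or MongoDB. It audits the text of a mongod.conf file using the real settings `security.authorization`, `net.bindIp`, `net.bindIpAll` and `net.port`; the function names and both sample configs are constructed for illustration.

```python
import ipaddress

def flatten_conf(text):
    """Flatten the nested 'key: value' YAML subset used by mongod.conf into
    dotted keys such as 'net.bindIp'. Not a general YAML parser."""
    settings, stack = {}, []              # stack: (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # leave sections at this depth or deeper
        if value.strip():
            path = ".".join([k for _, k in stack] + [key.strip()])
            settings[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return settings

def is_loopback(addr):
    if addr == "localhost" or addr.startswith("/"):   # name or UNIX socket path
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False                      # other hostnames: treat as reachable

def audit_mongod_conf(text):
    """Return findings for the two conditions the post describes."""
    conf = flatten_conf(text)
    findings = []
    # MongoDB leaves authorization disabled unless it is set explicitly.
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("AUTH_DISABLED: clients that can connect are not authenticated")
    port = conf.get("net.port", "27017")
    binds = [b.strip() for b in conf.get("net.bindIp", "").split(",") if b.strip()]
    if conf.get("net.bindIpAll", "false").lower() == "true":
        binds.append("0.0.0.0")
    open_binds = [b for b in binds if not is_loopback(b)]
    if open_binds:
        findings.append(f"NON_LOOPBACK_BIND: listening on {', '.join(open_binds)} port {port}")
    return findings

# Constructed sample configs (not from the original post).
WEAK_CONF = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_CONF = ("net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
                 "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or "no findings")
```

A missing `net.bindIp` is not flagged, because the default bind address differs between MongoDB versions; a non-loopback bind is a prompt to confirm that a firewall or security group restricts the port.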
Security that Shines
2015’s Most Wired
With more than 741 hospitals and health systems (representing more than 2,213 hospitals) participating in the 17th annual 2015 Most Wired Survey [1], 338 hospitals made big strides in laying the foundation for robust clinical information systems. Hospitals & Health Networks (H&HN) said characteristics of the winning hospitals include: “stronger security systems, faster disaster recovery, evidence-based electronic order sets and electronic tools to improve business processes, quality and patient safety.” It is obvious from the survey that the wired winners are becoming more proactive in using heightened privacy and security measures to safeguard and shield patient health data.
In order for a hospital to achieve “Most Wired” status there are four specific requirements:
- Business and administrative management.
- Clinical quality and safety (inpatient/outpatient hospital).
- Clinical integration (ambulatory/physician/patient/community).
This year H&HN added additional requirements:
- Identity management and access controls.
- CPOE for medication, lab and radiology orders.
- Use of assistive technology for five “rights” with point-of-care medication administration systems.
- Clinical decision support-enabled drug formulary check and high-priority hospital condition.
- Medication reconciliation.
- Electronic identification of patient-specific educational resources.
- EHR-generated listing of patients for quality improvement.
- Patient portal functionality for access to health information.
- Summary care record for transitions of care.
The top growth areas in security for Most Wired organizations are privacy audit systems, data loss prevention, single sign-on, and identity management.
Use a Multi-layered Security Approach
Dell SecureWorks believes that proactive security begins with awareness and assessment. SecureWorks also advises that in combination with a risk assessment, the assessor should conduct a risk analysis for potential unauthorized entry points into the network and locate system vulnerabilities.
- Employee education. We all know that humans can be the weakest link in the security chain.
- Physically secure and encrypt all patient data.
- Continuous network monitoring: Network protection that includes robust firewalls, intrusion detection systems, SSL VPN security, comprehensive endpoint protection, and threat management response.
- Use two-factor authentication.
- Use medical device security testing to assess risks.
The heaviest focus should be on protecting patient data — where does it originate? How is it stored? Who has access to it? What path does it travel throughout the network and into what devices?
The old adage “If you are far from the enemy, make him believe you are near” (Sun Tzu) has never rung so true. Cybercriminals are constantly watching and waiting for weaknesses in healthcare networks. The more difficult you make it for them to gain access, the easier it will be for them to move on to a more trouble-free target.
[1] H&HN. “2015 Most Wired.” Web. 18 August 2015. http://www.hhnmostwired.com/winners/index.dhtml
[2] PWC. “Global State of Information Security® Survey 2015.” Web. 20 August 2015. http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
[3] Harris Poll. “2015 Vormetric Insider Threat Report.” Web. 20 August 2015. http://enterprise-encryption.vormetric.com/rs/vormetric/images/CW_CP_Vormetric_ITR_Healthcare_040715.pdf
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site Power More. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.