By Bev Robb, IT consultant
Did you know the healthcare industry is a far easier target for hackers to invade than the banking or retail industries? With more entry points into healthcare systems, cybercriminals can attack medical devices (CT and PET scanners, MRI machines, and PACS) via MEDJACK (medical device hijack) and infect them with malware, thus creating back doors into your hospital network.
Hackers in the Darknet are already discussing the possibilities. They can sit on PHI (Protected Health Information) for a year or more with the knowledge that the stolen data will eventually create a highly lucrative financial nest egg.
Last year, the FBI distributed private notices to healthcare providers, urging them to report suspicious or criminal activities. The agency stated that the healthcare industry is not as resilient to cyber intrusions because its security is not as mature as that of the financial and retail sectors, “therefore the possibility of increased cyber intrusions is likely.”
Lisa Gallagher, a cybersecurity expert at the Healthcare Information and Management Systems Society (HIMSS), recently told Politico that healthcare companies should be spending at least 10 percent of their information technology budgets on security. In the Global State of Information Security® Survey 2015 [1], PWC said electronic data contained in electronic health records (EHRs) and healthcare information exchanges (HIEs) have become increasingly tempting to cybercriminals.
The good news is: PWC noted an uptick in healthcare security as healthcare payers and providers began taking cyber-threats seriously. It was also noted in the report that investment in information security increased 66 percent over 2013, and spending on information technology is up 53 percent.
On the flip side: As healthcare systems become more Internet-connected, entry points for cyberattacks can mushroom. With the rising use of BYOD devices such as smartphones and tablets, monitoring the flow of patient data becomes more difficult.
There is also the possibility of insider threats that consist of hackers compromising “privileged user” credentials. According to a 2015 Vormetric Insider Threat Report, the most dangerous insiders in healthcare are privileged users [2]: “Privileged users traditionally have access to all resources available from systems that they manage, and credentials for their accounts are a top focus of outside attackers.”
Other inauspicious threats that lurk silently in the background are old legacy systems, outdated software, employee negligence, unencrypted computing devices (laptops, USB sticks) and unsecured files that are accessible via the Internet.
“It’s important that everybody understands that if you have a computer that is outward-facing—that is connected to the web—that your computer is at some point going to be under attack,” Richard McFeely, the FBI executive assistant director, said.
You can find medical devices and databases exposed on the public Internet with the Shodan search engine. Many healthcare organizations use NoSQL MongoDB for database management and document stores. At the time of this writing, a MongoDB search returned more than 38,000 databases facing the public Internet.
Shodan founder John Matherly wrote in a blog post that the vast majority of MongoDB instances operate in the cloud without authorization enabled. Earlier this year, three students from the Centre for IT Security at the University of Saarland in Germany discovered that MongoDB databases running as a service on TCP port 27017 were easily accessible via the Internet. The scariest part of their research was that they were able to gain read-and-write access to unsecured MongoDB databases without utilizing any special hacking tools.
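For administrators who want to check their own servers for the two conditions described above (authorization not enabled, and the service listening on an Internet-reachable address), the following is an added example, not code from the article or from MongoDB. It assumes a YAML-format mongod.conf using the `net.bindIp`, `net.port` and `security.authorization` settings; the sample files and the function names `parse_flat` and `audit` are constructed for illustration.

```python
import ipaddress

# Constructed sample mongod.conf files (YAML), not taken from any real host.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.20.0.5
security:
  authorization: enabled
"""

def parse_flat(text):
    """Flatten nested 'key: value' sections into dotted keys (simplified, not full YAML)."""
    settings, stack = {}, []              # stack holds (indent, key) of open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()                   # leave sections we have dedented out of
        if value.strip():
            dotted = ".".join([k for _, k in stack] + [key])
            settings[dotted] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))
    return settings

def audit(text):
    """Return findings for missing authorization and public or wildcard listeners."""
    cfg, findings = parse_flat(text), []
    if cfg.get("security.authorization", "").lower() != "enabled":
        findings.append("security.authorization is not enabled")
    port = cfg.get("net.port", "27017")
    for addr in cfg.get("net.bindIp", "").split(","):
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            continue                      # hostnames and socket paths are out of scope
        if ip.is_unspecified or ip.is_global:
            findings.append(f"net.bindIp {ip} exposes port {port} on a public or wildcard address")
    return findings

if __name__ == "__main__":
    print(audit(EXPOSED_CONF), audit(HARDENED_CONF))
```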
2015’s ‘Most Wired’
With more than 741 hospitals and health systems (representing more than 2,213 hospitals) participating in the 17th annual 2015 Most Wired Survey [3], 338 hospitals made big strides in laying the foundation for robust clinical information systems. Hospitals & Health Networks (H&HN) said characteristics of the winning hospitals include “stronger security systems and faster disaster recovery” and “electronic tools to improve business processes, quality and patient safety.”
In order for a hospital to achieve “Most Wired” status, there are four specific requirements:
- Business and administrative management
- Clinical quality and safety (inpatient/outpatient hospital)
- Clinical integration (ambulatory/physician/patient/community)
This year H&HN added additional requirements:
- Identity management and access controls
- CPOE for medication, lab and radiology orders
- Use of assistive technology for five “rights” with point-of-care medication administration systems
- Clinical decision support-enabled drug formulary check and high-priority hospital condition
- Medication reconciliation
- Electronic identification of patient-specific educational resources
- EHR-generated listing of patients for quality improvement
- Patient portal functionality for access to health information
- Summary care record for transitions of care
The top growth areas in security for most wired organizations are privacy audit systems, data loss prevention, single sign-on and identity management.
Use a multilayered security approach
Dell SecureWorks believes proactive security begins with awareness and assessment. SecureWorks also advises that in combination with a risk assessment, the assessor should conduct a risk analysis for potential unauthorized entry points into the network and locate system vulnerabilities.
- Employee education. We all know that humans can be the weakest link in the security chain.
- Physically secure and encrypt all patient data.
- Perform continuous network monitoring: Network protection that includes robust firewalls, intrusion detection systems, SSL VPN security, comprehensive endpoint protection, and threat management response.
- Use two-factor authentication.
- Use medical device security testing to assess risks.
The heaviest focus should be on protecting patient data. Where does it originate? How is it stored? Who has access to it? What path does it travel throughout the network and into what devices?
The old adage by Sun Tzu, “If you are far from the enemy, make him believe you are near,” has never rung so true. Cybercriminals are constantly watching and waiting for weaknesses in healthcare networks. The more difficult you make it for them to gain access, the easier it will be for them to move on to a more trouble-free target.
[1] PWC. “Global State of Information Security® Survey 2015.” Web. 20 August 2015. http://www.pwc.com/gx/en/consulting-services/information-security-survey/download.jhtml
[2] Harris Poll. “2015 Vormetric Insider Threat Report.” Web. 20 August 2015. http://enterprise-encryption.vormetric.com/rs/vormetric/images/CW_CP_Vormetric_ITR_Healthcare_040715.pdf
[3] H&HN. “2015 Most Wired.” Web. 18 August 2015. http://www.hhnmostwired.com/winners/index.dhtml