For several years, security pundits have been predicting that the healthcare sector would become a hotbed of cyber threat activity. Each year, seemingly, attention to the healthcare sector has been minimal at best, but we may finally have hit an inflection point in 2016.
The healthcare sector is a labyrinth of governance and compliance with risk mitigations squarely focused on the privacy of patient data. We in the industry have accepted the norm that “security is not convenient” but for those in the healthcare industry, inconvenience can have a catastrophic impact on a hospital, including the loss of a patient’s life. Besides patient records, there’s a multitude of other services critical to patient health and wellbeing wrapped by an intricate web of cutting-edge and legacy technologies making it perhaps the most challenging environment to secure. This may explain the rise in attacks against healthcare providers in the last six months.
According to an article on fastcompany.com, complete medical records are selling for US$60 apiece on the dark web, compared to stolen credit cards selling for about US$3 apiece on the high end. According to the article, one hacker claimed to have over a million full medical records of individuals. Although the individual’s claims were not verified, it should come as no surprise. Sadly, it may be a more dire situation than we know.
According to the Brookings Institute, since 2009, the medical information of more than 155 million. The report delves into a number of statistics that punctuate the problem, showing the number of incidents sharply increasing in late 2014 and continuing to climb each year. The report also outlines other significant challenges unique to the sector, citing the large volumes of data being held for long periods of time, much of it stored digitally. Coupled with the explosion of spending on technologies to handle digital health records, this leaves many hospitals doing what they can to keep their heads above water, deploying new technologies that have been mandated upon them rather than taking a phased approach commensurate with staffing levels.
It’s not just core network services causing concern. ICS-CERT recently released an advisory identifying numerous vulnerabilities in Philips Xper-IM Connect systems running Windows XP. Xper-IM is an automated software composition tool that provides physio-monitoring capabilities along with reporting, scheduling, inventory, and data management.
According to the advisory, the breakdown of vulnerabilities by CVSS score is as follows:
Though mitigating the vulnerability may be as simple as upgrading off of Windows XP, the fact that XP is still out in the wild may be further evidence that the healthcare industry is falling behind in protecting itself from cyber criminals.
In January of this year, Melbourne’s largest hospital network was significantly impacted when a computer virus affected the hospitals’ Windows XP systems, disrupting meal delivery and pathology results. Manual workarounds such as fax machines were utilized as a contingency, but the use of those devices only compounds the issues of patient privacy. It’s those types of disruptions that jeopardize patient privacy and even safety. It’s hard to determine how many medical devices and critical services in the healthcare industry are still running Windows XP in their environments, but it is likely a number many would shudder to think about.
It is likely healthcare breaches will continue to grow upward. Funding and prioritization of initiatives are only the tip of the iceberg for healthcare institutions looking to secure their networks. Even on a solid footing, the sector will be confronted with a shortage of talent to carry out even the best-intended plans. In the meantime, patients, often unaware of the risk associated with their medical care, have to become better informed about how to protect their health records and personal identity in the event their information finds itself on the dark web up for sale to the highest bidder.
Written by: Rick Gamache
Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past roles include Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program. Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate to global supply chains.
Twitter – https://twitter.com/thecissp