Healthcare IT Predictions for 2016

Guest post by James Carder, CISO of LogRhythm, VP of LogRhythm Labs.

James Carder
James Carder

This year’s biggest health data breach victims include insurers Premera and Anthem, where incidents affected nearly 100 million patients combined. It’s clear that healthcare organizations must strengthen their cyber security programs to protect themselves and their patients, or they’ll be targeted again and again. Strategically, healthcare organizations must change the way they have operated for the past 30+ years with regard to their behaviors and their use of IT. Cyber security is now a key business differentiator as both patient care and safety are paramount to a hospital’s ability to remain a trusted provider. The hospital of the future is one that incorporates these protection measures into its business brand, thereby recruiting, retaining and reinvesting in patients.

As we start out 2016, here’s what I think we’ll see going forward:

Healthcare IT security will continue to fall further and further behind the rest of the industry verticals

Healthcare IT security will continue to fall further behind the rest of the industry verticals. Healthcare organizations are focusing on functionality for patient care (rightfully so), and security is an afterthought. Many organizations are overly dependent on antiquated hardware and software, with inherent vulnerabilities, that could inadvertently put patients in danger. There has never been a real investment in information security, so the cost to catch up to industry standards and shed the label of being the hackers’ “low hanging fruit” is that much more expensive. The industry will continue to be targeted by sophisticated and organized attackers until a serious investment is made in both technological and human capital.

The medical record is a relative goldmine of information and, as such, a highly valuable target for all classes of attackers, ranging from financial crime groups to nation state threat actors. The number of items a hacker has access to and the way in which the information can be used is more extensive. Stolen data can be re-used by a hacker over and over again. So, in addition to this general prediction, I also think that at least one of the U.S. News and World Report top 10 hospitals will go public with a breach through outside channels.

Healthcare IT (security) spend will be the highest it has ever been, doubling the spend of 2015

Despite my first prediction, healthcare organizations will invest a lot of money in IT security technology and human resources, doubling the spend of 2015. Although the executives may fund the security department, a security culture might not trickle down to the rest of the organization. The person in charge of security might be accountable for security, but the buy-in must come from the board of directors down through every level of the organization. Staff and the clinicians must understand what they are doing is making the organization a safer place for them and their patients–their effective security behaviors allow clinicians to do their job in treating patients better.

At least one major medical device manufacturer will have to go public with a vulnerability that could fatally affect patients

Medical device vendors and manufacturers have never taken security seriously. They are primarily looking for functionality for patient care and ease of administration and maintenance. A medical device is a computer system with one end attached to the patient, providing critical patient care, and the other end attached to the corporate network or Internet. Just like most devices on the network, a medical device runs a known operating system; vulnerable to the myriad exploits that effect any computer. Based on the risk profile of a medical device, it should be subject to the highest security standards in the industry but unfortunately they are not. If someone can hack into a Windows XP box that is unpatched with exploitable vulnerabilities, someone can hack into an XP-based medical device. I predict that another medical device manufacturer will disclose an easily exploitable vulnerability that could patients at direct risk. I also predict that an attacker will exploit a medical device and use it as a bridge into a company’s corporate network to facilitate a breach.

Continue Reading

Premera Cyberattack: Why It Happened and How to Protect Your Organization

Bob Swanson
Bob Swanson

In light of the Premera Blue Cross cyberattack and data breach — which, so far, is the second-biggest of its kind in industry history that exposed personal, financial and medical information of more than 11 million customers — Bob Swanson, compliance engineer at LogRhythm provides some wonderful detail and perspective regarding the news.

In the following conversation, Swanson discusses what we know about the beach so far, how organizations can strengthen their security efforts, motivations of hackers, as well as provides a vast level of insight to help navigate the situation and guidance for others hoping to avoid breach,

What do you know about the hack and what don’t you know? How similar/dissimilar is it to other major hacks?

Although Premera has said the breach was detected back on Jan. 29,2014, the first signs of the attack date back to May 5, 2014. So with the breach going undetected for over six months, the culprit(s) had ample time to navigate through Premera’s network and find exactly what they were looking for – sensitive data with value in the black market, regardless of whether there is evidence indicating it has surfaced. Given time, a proficient hacker will set false trails and distort clues of their activities to confuse investigators or IT security professionals. However, they are currently under federal investigation working with the FBI and cyber security firm, Mandiant, to better understand the nature and scope of the attack. Many additional details will come to light as the investigation continues, but it is clear that early indicators were not picked up on. Similar to other major breaches in the healthcare and other industries, as the mean-time-to-detection (MTTD) increases, this gives proficient hackers time to navigate the network, find what they are after and make it more difficult to discover the true details around the attack.

Is it related to the Anthem hack? Several Blues plans that aren’t part of Anthem still were business partners and were affected by the hack. As Premera was investigating the effect of the Anthem hack, did they discover their own hack?

With many of the facts surrounding the breach still unclear or undefined, initially it does not appear to be linked to the Anthem breach; however, consider their targets or objectives for similarities.  In healthcare, patient information containing elements of social security numbers or other protected health information (PHI) has a significant worth in various markets, both known and unknown. With this comes a demand and hackers are seeking out organizations to exploit and provide the supply. Also, as seen in both Anthem and Premera, the intrusion went on for some time without detection or actions taken to remediate compromised systems. The similarities between the attacks can be seen at a higher-level where the industry as a whole finds challenges in gaining the necessary budget allocation to support sound cyber security programs. Many healthcare organizations have highly integrated systems, so all you need is one back door to be left open, say a compromised account, and hackers can navigate to their targets unseen for lengthy periods of time.

Continue Reading