Securing Healthcare Against Advanced Persistent Threats
Guest post by Garret Grajek, chief security officer, dincloud.
A March 2014 study by the Ponemon Institute titled, “Ponemon Report on Patient Privacy & Data Security,” stated that cybercriminal attacks on healthcare organizations have doubled in the past three years. If you follow IT news at all, you know that healthcare organizations are also under attack, with some of the latest of these attacks being what experts classify as APTs (Advanced Persistent Threats). APT attacks distinguish themselves by being persistent attacks orchestrated by an organized (and usually well-funded) institution, either government or criminal, with a specific target and purpose for the attack.
APTs distinguish themselves from past “script kiddies” and accidental hackers who execute “crimes of opportunity” (e.g. they find a site that they can do an SQL injection and see what data they can download). Advanced persistent threats however follow the opposite workflow – they select a target and then use any and all mechanisms to obtain access to the data they desire.
You’re in healthcare – but should you care?
Healthcare IT systems are a target rich environment for advanced persistent threats attacks. What’s the reward? PHI (Personal Health Information) and PII (Personal Identification Information). PHI/PII for hackers is the gift that keeps on giving! With someone’s identity information, hackers can create multiple accounts – financial and other – for the purposes of fraud. This was seen in mid-August when Community Health Systems announced that it had fell victim to an APT attack earlier that year from an APT group based in China. Chinese hackers stole medical records for 4.5 million patients, according to a regulatory filing from the healthcare provider. And how can we forget the security breach at HealthCare.gov, the government’s health insurance marketplace.
Healthcare has the same type of information, and more. User identities, associated e-mail addresses, phone numbers, street addresses, and often insurance, credit, and other key PII information (like employer’s and spouse information), are held by health care providers. Attackers know this, and for these reasons, health care entities have become an easy target for advanced persistent threats attacks.
Defending Against APTs