Data driven medical care with connected devices is now the norm. Patient monitors, IV pumps, MRI machines, and infusions pumps all behave like computers with the ability to monitor patient conditions in real time, share data and even automatically adjust dosages. Although all of these innovations are improving in-patient care, their ability to communicate over internal computer networks has introduced new vulnerabilities to cyber attacks.
The health risks are high. Hackers can infiltrate devices and tamper with doses or even make devices show false data, leading doctors to the wrong diagnosis. Attackers can also hold electronic medical records ransom, causing delays in procedures required to treat patients.
The invisible threat
The biggest obstacle to securing medical devices is the simple fact that many of them are hidden. Hospitals often don’t have full visibility into which medical devices they have, so they aren’t aware of all the vulnerabilities. You can’t tell if your MRI is insecure if you don’t keep a full inventory of all the medical devices and all information necessary to assess the relative security risk.
Some hospitals rely on manual methods such as Excel spreadsheets to maintain an inventory of medical equipment. However, electronic files maintained by humans can’t keep pace with the growing number of the devices, and all the changes and updates that occur on an ongoing basis.
Often medical devices are added to the network without notifying security professionals and going through the necessary cautionary procedures. Many departments add equipment with the noble aim of improving patient care without notifying IT, since they are simply following the doctor’s orders and doctors are king. Something as simple as browsing for a local restaurant at a nurse’s station can put the hospital at risk if the computer isn’t adequately secured.
Senate health committee Chairman Lamar Alexander (R-Tenn.) and Ranking Member Patty Murray (D-Wash.) are urging insurer Anthem to notify all 78.8 million Americans whose sensitive personal information may have been exposed in a cyber attack discovered in January.
In a letter to Anthem, the committee leaders note that more than a month and a half after a cyber attack identified on Jan. 29, 2015, “more than 50 million Americans … have yet to receive notice directly from Anthem” that their personal information, including addresses, birth dates, employer information, Social Security numbers and email addresses, may have been compromised, exposing them to resulting security threats like identity theft.”
The senators write, “…[T]he highly sensitive nature of this information makes early notification essential, and we are concerned with your slow pace of notification and outreach thus far. We are writing to formally request that you speed up the pace of notifications, and share with our committee what steps you plan to take in the next few days, to dramatically increase the pace of notification. This slow pace is of particular concern given that many of the individuals whose information has been compromised are not Anthem customers and may still be unaware that their information was contained in the attacked database.”
They continue, “We formally request that you provide a clear action plan that accelerates the current pace of notification and ensures that all affected families receive notification in the upcoming days. …This is a critical and pressing issue, and while we understand there are many complications given the size and scope of the attack, we look forward to your response by April 1, 2015 on your progress and a clear target for when you will have reached out to every affected individual.”
While the frequency and severity of cyberattacks against organizations are on the rise, a majority of information technology (IT) leaders do not feel confident in their leaderships’ ability to leverage intelligence that can predict a cyber vulnerability and effectively combat threats, according to a new survey commissioned by Lockheed Martin.
A majority of survey respondents noted an increase in the severity (75 percent) and frequency (68 percent) of cyberattacks, but feared that they don’t have the budget (64 percent) or the expert personnel (65 percent) to address the threats.
“This survey illuminates areas of concern about cyber readiness across government and critical infrastructure industries,” said Guy Delp, director of cybersecurity and advanced analytics for Lockheed Martin. “The results highlight that the challenges in this domain are universal across both industry and government, and therefore our response needs to be equally holistic. The adoption of Intelligence-Driven Defense techniques is critical to ensuring that not only IT officers, but also chief executives, boards of directors and customers have confidence in the security of their information.”
Other key findings include:
Many organizations are relying on intuition, rather than intelligence, to assess their security levels: Business and government respondents who felt that they were not presently being targeted for attack relied on their intuition (35 percent) or logical deduction (33 percent) rather than data or intelligence (32 percent) to justify their beliefs.
Whether malicious or negligent, insiders continue to be among the greatest perceived cyber threats: Thirty-six percent of respondents said that negligent insiders were the most significant network vulnerability facing their organization, and more than half (53 percent) ranked malicious insiders in their top four threats.
The most serious risks do not receive the most budget: The top two factors impacting an organization’s cybersecurity posture – employee cyber awareness and supply chain security – receive only four and 15 percent of cybersecurity budgets, respectively. Top budget items, such as mobile and cloud security, are both perceived to be lower threat levels.
Guest post by Garret Grajek, chief security officer, dincloud.
A March 2014 study by the Ponemon Institute titled, “Ponemon Report on Patient Privacy & Data Security,” stated that cybercriminal attacks on healthcare organizations have doubled in the past three years. If you follow IT news at all, you know that healthcare organizations are also under attack, with some of the latest of these attacks being what experts classify as APTs (Advanced Persistent Threats). APT attacks distinguish themselves by being persistent attacks orchestrated by an organized (and usually well-funded) institution, either government or criminal, with a specific target and purpose for the attack.
APTs distinguish themselves from past “script kiddies” and accidental hackers who execute “crimes of opportunity” (e.g. they find a site that they can do an SQL injection and see what data they can download). Advanced persistent threats however follow the opposite workflow – they select a target and then use any and all mechanisms to obtain access to the data they desire.
You’re in healthcare – but should you care?
Healthcare IT systems are a target rich environment for advanced persistent threats attacks. What’s the reward? PHI (Personal Health Information) and PII (Personal Identification Information). PHI/PII for hackers is the gift that keeps on giving! With someone’s identity information, hackers can create multiple accounts – financial and other – for the purposes of fraud. This was seen in mid-August when Community Health Systems announced that it had fell victim to an APT attack earlier that year from an APT group based in China. Chinese hackers stole medical records for 4.5 million patients, according to a regulatory filing from the healthcare provider. And how can we forget the security breach at HealthCare.gov, the government’s health insurance marketplace.
Healthcare has the same type of information, and more. User identities, associated e-mail addresses, phone numbers, street addresses, and often insurance, credit, and other key PII information (like employer’s and spouse information), are held by health care providers. Attackers know this, and for these reasons, health care entities have become an easy target for advanced persistent threats attacks.
IDC Health Insights announces a new report, “Business Strategy: Thwarting Cyber Threats and Attacks against Healthcare Organizations.” that features findings from the 2014 IDC Insights Cross Industry Cyber Threat Survey. The report is designed to gauge how financial services, healthcare provider organizations and retailers are responding to increasing cyber threats and the impact of successful attacks on business operations. The study also highlights how healthcare organizations are investing in their cyber strategy to protect their most valuable electronic assets.
Today’s healthcare organizations are at greater risk of a cyber attack than ever before in part because electronic health information is more widely available today than in the nearly 20 years since the Health Insurance Portability and Accountability Act was passed in 1996. Cyber criminals view healthcare organizations as a soft target compared to financial services and retailers because historically healthcare organizations have invested less in IT, including security technologies and services, than other industries, thus making them more vulnerable to successful cyber attacks.
The value of health information, which can be used to commit medical fraud, is surpassing the value of social security and credit card numbers on the black market, thus increasing the attractiveness of stealing health information.
Key findings include:
After physical loss or theft of a laptop, mobile or portable device, malicious hacking or IT incident was the most common breach reported on the Department of Health and Human Services (DHHS) website. In 2013, 20 (out of 175) breaches related to hacking or an IT incident represented 9 percent of the individuals affected and 11.4 percent of the attacks.
All respondents of the 2014 IDC Insights Cross Industry Cyber Threat Survey reported that they had experienced a cyber attack in the past 12 months; 39.4 percent reported that they were attacked more than 10 times and 27.1 percent of the attacks were described as “successful attacks.”
Security is a top IT initiative for health care providers. In 2014, according to the 2014 IDC Global Technology and Industry Research Organization IT Survey, security and risk management technologies was the number 1 initiative (29.0 percent). In 2013, it was also the top ranked initiative (20.1 percent).
Approximately one out of four cyber attacks had an impact on normal business operations. The majority of respondents (52.2 percent) indicated that the shortest impact lasted less than an hour and 43.3 percent reported that the longest duration was between eight and 24 hours.
The overwhelming majority of healthcare executives reported that their spending on cyber threats increased (59.6 percent) or stayed the same (38.3 percent) over the last three years. On average, the increase for those respondents that reported an increase was 14.8 percent.
Consumers highly value their privacy according to a recent 2014 IDC Insights Cross-Industry Consumer Experience Survey, but are not as confident that healthcare organizations were adequately protecting their data. Concerned consumers are willing to end a healthcare relationship after a breach, including changing their care providers (21.6 percent) and changing health plans (5 percent).