Guest post by David Thompson, senior director, product management, LightCyber.
A targeted data breach is one of the most vexing problems facing healthcare organizations today. Just in the first three months of 2015 alone, 99 million patient healthcare records were compromised—that’s about one-third of the entire U.S. population, and those are just the ones we know about. According to some sources, 90 percent of healthcare organizations have already been breached, but we aren’t sure which ones.
The cybercriminals behind a targeted data breach do not want to be exposed—and make no mistake, these breaches are run by people, not autonomous software. Unlike the hackers of earlier days, these operatives want to stay hidden and conduct their work in secret. Even if they have successfully completed their initial goals—let’s say exfiltrate patient medical records—a cybercriminal team will likely want to stay undiscovered to continue to steal more data as it is collected, or leverage this access to break into another company. Often this will involve commandeering valid credentials from the first organization to gain access to another, perhaps a partner healthcare organization, an insurance company, an independent lab or some other entity.
The simple truth is that most healthcare organizations lack the means to detect an active data breach. First, let me define a data breach, since there is so much confusion over the term. A breach is the entire process—from initial network penetration through data exfiltration— cybercriminals go through to achieve their goals.
Often a breach is perceived as only the initial penetration into the network or infection of a machine. This one act is over in an instant, but it is the focus of considerable security resources. In other words, a large proportion of security resources are devoted to preventing single step in the breach process that lasts less than a minute, but is only the first step toward a goal.
Also, initial penetration is not as easy to spot and block as you might guess. Since the way into the network may be accomplished through the use of valid credentials acquired through social engineering or clever spear phishing, detecting the intrusion can be difficult. Effective prevention of intrusions is based on use of statically defined descriptions of software code or behavior (signatures and hashes), so it is successful mainly when known malware is used to conduct a breach. So, preventing an intrusion has a marginal success rate, but it is often seen as the last change an organization has in defeating a targeted breach.
Once an attacker is inside the network, most organizations lack the ability to find them. At the same time, an attacker is inherently at a disadvantage, having landed inside an unfamiliar network. This disadvantage is quickly dissipated since they can often go completely undetected for weeks, months or even longer. The industry average dwell time is around six months, plenty of time for an attacker to explore a network and get at assets.
Why is it that organizations are seemingly powerless to find an active data breach once an intruder has penetrated a network? There are four main reasons.
Guest post by Moshe Ben-Simon, co-founder and vice president of services and research, TrapX Security.
Healthcare is a major market in the United States with annual expenditures that consume almost 17.4 percent of the gross domestic product. Healthcare in the U.S. includes 893,851 physicians, 2,724,570 registered nurses, including physician’s assistants and administrative staff that support them. Additionally, there are approximately 5,686 hospitals that support these professionals directly. The great majority of physician practices now have electronic medical records (EMR/EHR) systems that are all interconnected with the rest of the ecosystem.
The typical hospital is replete with Internet connected systems and medical devices. These devices are also connected to EMR systems that are being deployed at a fast pace across practices and hospitals because of government incentives, such as meaningful use. This creates a highly connected community that brings the most vulnerable devices together with some of the highest value data.
Medical records = big money for organized crime
Healthcare data presents a compelling opportunity for organized crime. Cybersecurity firm Dell Secure Works notes that cyber criminals were getting paid $20 to $40 for health insurance credentials, compared with $1 to $2 for U.S. credit card numbers prior to the Target Breach. The Federal Bureau of Investigation (FBI) issued a private industry notification (PIN) report in April 2014 that noted cyber-attacks will increase against healthcare systems and medical devices because of lax cybersecurity standards and a higher financial payout for medical records in the black market.
As of Mar. 30, 2015, the Identify Theft Resource Center (ITRC) has healthcare breach incidents at 32.7 percent of all listed incidents nationwide. Per ITRC, for the first quarter of 2015, more than 99,335,375 medical records have been exposed and compromised in the United States alone.
As in other industries, the attackers in healthcare may be standalone operators or part of larger organized crime syndicates. The great majority are clearly after valuable healthcare data and economic gain. Health insurance credentials can have a value 20 times that of a credit card on the hacker black market. These attackers know that healthcare networks are more vulnerable and provide greater potential rewards. They have already determined that these vulnerabilities are so extreme as to make healthcare the easiest choice for their attack.
Despite the latest/greatest perimeter network security technology, hackers continue to get in
The risk for ongoing data exfiltration, theft and subsequent HIPAA (Health Insurance Portability and Accountability Act) violations has never been higher. Basic defense-in-depth cyber security products seem to be failing at an increasing rate. The concept of defending a perimeter around hospital networks no longer works against a variety of cyber-attack vectors. Recent studies suggest that most hospitals are unaware of active attackers likely hiding within their medical devices inside their networks already.
These medical devices have become the key pivot points for attackers within healthcare networks. They are visible points of vulnerability in the healthcare enterprise and the hardest area to remediate even when attacker compromise is identified. These persistent cyber-attacks threaten overall hospital operations and the security of patient data.
Most hospital information technology teams are managing a very heavy workload. They must deal with a multitude of vendors and supporting a diverse set of networks across the hospital. Further, they must work to be compliant with HIPAA security rules and other compliance requirements. Cyber security products issue a multitude of alerts and can overwhelm these hospital teams while real cyber security event alerts are perhaps hidden or missed.