With the rapid shift to telehealth stemming from the pandemic, both deployment and adoption of patient portals increased. This surge in usage has exposed security vulnerabilities, and we’re now seeing that many of the patient portals in use today are ripe for fraud, phishing, and ransomware attacks. To illustrate the severity of this problem, last year ransomware alone cost the healthcare industry nearly $21 billion in downtime, affecting 600 providers nationwide.
COVID-19 transformed the healthcare landscape, making patient portals and telehealth the primary means by which to communicate with providers, access treatment plans and other documents and process payments. Given the convenience this affords for patients and providers alike, these digital experiences will likely remain a primary part of the healthcare industry for years to come. As organizations continue to invest in patient portals and other telehealth innovations, it’s critical that they are cognizant of the myriad security concerns.
It should come as no surprise that hackers view patient portals as an extremely attractive target—credit card data, personally identifiable information (PII) and personal health information (PHI) are all accessible via these platforms. Unfortunately, because patient portals were designed with the user experience in mind, it’s not uncommon for them to have minimal security to make the process as frictionless as possible. Hackers are only too eager to exploit this and other security holes, so it’s critical that organizations address these concerns. With that in mind, read on for five important steps to shore up these vulnerabilities and enhance patient portal security.
Screen for Compromised Credentials
In many cases patient portals are secured solely by a password, something that is widely recognized as a poor security practice, particularly for accounts that contain such sensitive information. This is largely due to the pervasive problem of reusing passwords across multiple sites–something 59% of respondents in a recent survey admit to doing. If just one of these accounts has been breached, then every other site or service associated with the exposed password is also at risk. Therefore, if a patient uses a weak or compromised password to secure their portal, there is a very good chance that bad actors could launch a successful account takeover (ATO). To address this and other password-related vulnerabilities, providers should screen credentials against a dynamic database to ensure that patients aren’t inadvertently opening up the front door to hackers. Given the rate at which data breaches occur, it’s also important to implement this screening on an ongoing basis, rather than solely when a patient enrolls in the portal.
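The screening the paragraph above calls for can be implemented without ever sending a patient's password, or its full hash, to the breach-intelligence service. The following Go program is an added example written for this page, not code from the original article or from any vendor it mentions. It builds a small range index from a constructed list of breached passwords (the list, the function names and the `Decision` values are all assumptions for the example), looks up candidates by a five-character SHA-1 prefix in the k-anonymity style, and re-runs the check at every login so that a password that entered a breach dump after enrollment is still caught.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constructed stand-in for a compromised-credential feed. A real deployment
// would pull this from a breach-intelligence source that is refreshed as new
// dumps appear; these values are made up for the example.
var breachedPasswords = []string{"password123", "Welcome1", "qwerty", "letmein"}

// RangeIndex maps the first five hex characters of a SHA-1 password hash to
// the remaining 35 characters of every breached hash sharing that prefix.
type RangeIndex map[string][]string

// sha1Hex returns the upper-case hex SHA-1 of s. SHA-1 is used here only as
// the lookup key format, never to protect stored passwords.
func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// BuildRangeIndex groups breached-password hashes by prefix, mirroring the
// k-anonymity "range" model: a client only ever reveals a 5-character prefix
// and compares the returned suffixes locally.
func BuildRangeIndex(pws []string) RangeIndex {
	idx := make(RangeIndex)
	for _, pw := range pws {
		h := sha1Hex(pw)
		idx[h[:5]] = append(idx[h[:5]], h[5:])
	}
	return idx
}

// IsCompromised reports whether password appears in the index. Only the
// prefix selects a bucket; the suffix comparison happens on the portal side.
func IsCompromised(password string, idx RangeIndex) bool {
	h := sha1Hex(password)
	for _, suffix := range idx[h[:5]] {
		if suffix == h[5:] {
			return true
		}
	}
	return false
}

// Decision is what the portal should do after screening a credential.
type Decision string

const (
	Allow      Decision = "allow"
	ForceReset Decision = "force_reset"
)

// ScreenAtLogin runs the check every time a patient authenticates, not only
// at enrollment. The portal only sees the cleartext password during login,
// so this is the natural point for ongoing re-screening against a feed that
// has changed since the account was created.
func ScreenAtLogin(password string, idx RangeIndex) Decision {
	if IsCompromised(password, idx) {
		return ForceReset
	}
	return Allow
}

func main() {
	idx := BuildRangeIndex(breachedPasswords)
	for _, pw := range []string{"Welcome1", "T4ke-y0ur-v1tamins!"} {
		fmt.Printf("%-22s -> %s\n", pw, ScreenAtLogin(pw, idx))
	}
}
```

Forcing a reset rather than silently rejecting the login keeps the patient experience intact while closing the account-takeover window; pairing the reset with a second factor is the natural next step the article alludes to.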
By Devin Partida, technology writer and the editor-in-chief, ReHack.com.
The medical industry’s growing reliance on digital technologies has come with some increased risks. That became painfully evident for thousands of patients in the wake of a recent ransomware attack on CaptureRX, a healthcare administrative service provider.
On February 6, hackers accessed sensitive patient data from multiple CaptureRX clients, affecting at least 1 million people. The company started investigating after noticing unusual activity, and by February 19, it could confirm that someone had stolen patients’ personally identifiable information (PII). CaptureRX started alerting affected clients on March 30, and the full scope of the incident is still unclear.
Health IT’s Growing Ransomware Problem
This is far from the first instance of a ransomware attack on a health IT company. Ransomware as a whole has become much more common in the past few years, and medical businesses are more at risk than most. Hospitals have more to lose in these attacks, given the sensitive nature of their data, so a successful breach could be more profitable for hackers.
In 2020 alone, there were 92 ransomware attacks against healthcare organizations, affecting more than 18 million patient records. That represents a 60% increase over 2019 in the number of attacks and a 470% increase in records affected. Since 2016, these attacks have cost the industry more than $31 billion.
The CaptureRX attack is the latest in a troubling and growing trend of ransomware attacks against health IT. If industry leaders aren’t already aware of this problem, the sheer size of this incident will likely get their attention. With these attacks becoming more frequent and expensive, the sector will likely shift in response.
By Chris Goettl, director of product management, security, Ivanti.
The first months of 2019 have seen a record number of reported security vulnerabilities. But potentially the riskiest is BlueKeep. BlueKeep is a vulnerability (CVE-2019-0708) that affects Windows 7, Windows XP, Server 2003, 2008 and 2008 R2, which many feel will be exploited

The concern has been so great that Microsoft has issued public updates, even for the no-longer-supported XP and Server 2003 operating systems, and has been very active in issuing warnings to apply the fixes right away. Some may even say that Microsoft has been uncharacteristically begging everyone to apply the necessary fixes. The NSA too has issued an advisory and warning to fix this immediately.
Why is this so important for healthcare organizations? It’s been reported that “70 percent of devices in healthcare organizations will be running unsupported Windows operating systems by January 2020.” This is a greenfield opportunity for the perpetrators of BlueKeep to expose health records and personally identifiable information (PII), presenting monumental, potential risk.
How does it work? BlueKeep is considered a ‘wormable’ vulnerability because it does not require authentication or user interaction to exploit. As such, the worm can spread from system to system taking advantage of the vulnerability.
Numerous possibilities exist for a wormable exploit like BlueKeep. For example, if it uses something like Emotet, a more sophisticated malware platform, a piece of malware could get onto a system and have the potential of making intelligent decisions about what it should do next. It could then automate those steps and adapt to its

Or, what if BlueKeep finds its way on to somebody’s home computer? In that case it’s probably going to just sit back and grab any email exchanges that are going on, scrape some email addresses, and try to spam itself out to spread itself further.

if it got into a hospital’s network it could switch into ransomware mode – creating perhaps an even more damaging version of WannaCry – holding critical and even life-saving information hostage.

perspective, the WannaCry attack of 2017 was reported to cost as much as $4 billion, making it one of the most costly ransomware attacks to ever hit our global economy. The fact that six security firms have independently reached successful exploit of BlueKeep makes it pretty likely that a weaponized version of BlueKeep may be a lot more real than some of the other recent threats. Even though nobody has detected an attack “in the wild” yet, it’s only a matter of time before the first attacks occur. Bleeping Computer confirms private Metasploit modules have already been developed for demonstration.
So, what needs to be done to keep BlueKeep away? Follow these three important steps:

comprehensive asset management solution to ensure that you have full visibility into any and all legacy systems that may have one of the vulnerable operating systems. It only takes one system that remains unpatched to expose your network. Don’t let any system slip through the cracks.

the latest updates to all of your legacy systems before BlueKeep hits the streets. You don’t want to get an ‘I told you so!’ from your incident response and security team.
Minimize the impact on your IT teams through automation. With the latest versions of MS SCCM not supporting Windows XP and Server 2003, the job of applying patches can be a bit more difficult. But it doesn’t necessarily mean that you must perform your patching manually. You can patch up to 50 systems including Windows XP and Server 2003 by accessing this free 60-day license to Ivanti Security Controls here.
For those who have not patched BlueKeep yet, it is only a matter of time before the first malicious exploit is distributed. You can be sure that healthcare organizations will be at the top of the target list. Be prepared and apply fixes today. Cyber adversaries are likely reverse engineering the patch as you read this, getting ready to exploit organizations and individuals alike. Let’s work together to avoid a potential repeat of
By Jacob Denton, chief information security officer, Mosaic451.
Unless your security team has been living in a cave in one of the last remaining places on the planet where you can still unplug, you have certainly heard about the Petya and NotPetya ransomware attacks and the chaos caused by them. Petya was a somewhat “typical” ransomware attack in 2016: It encrypted the master boot record of infected computers and asked for ransom in the form of Bitcoin. But NotPetya, a potentially state-sponsored attack against Ukraine, was more similar to WannaCry, which occurred shortly before in 2017. In addition to ransoming companies to pay the hackers in Bitcoin, NotPetya also took advantage of the EternalBlue exploit and was a “worm” that could self-propagate, like WannaCry.
What made NotPetya unique was its intrusion into MeDoc, a Ukrainian tax and accounting software package. About 80 percent of Ukrainian businesses used this software at the time of the attack. The NotPetya hackers employed an innovative strategy: They put in a slightly different version of a file into MeDoc’s software updates.
Since MeDoc was so widely used throughout the Ukrainian business community, the hackers started spreading corrupted versions of MeDoc software in April. By June, undetected, they were able to insert the NotPetya ransomware. And since it was a worm, NotPetya was able to spread rapidly. It was a lot worse than Petya in its scope: It not only encrypted the master boot record, it also encrypted other important files, making the damage to companies’ hard drives even more serious.
Cyber security firm Cybereason reports that NotPetya cost companies approximately $892.5 million in lost revenue. While it first hit Ukraine, it hurt businesses worldwide, including FedEx, Merck, and Reckitt Benckiser.
What lessons have we learned?
First, that hackers have gone way past spamming naive end users. The NotPetya attack was particularly troubling because it was a “clickless” attack that didn’t need to rely on end users for access. It also took advantage of software updates, a holy grail of commonplace cyber security.
Thankfully, there are some precautions cyber professionals can take from this hack. According to Johns Hopkins University Computer Science Professor Matthew Green, one limited action developers could take to help “prevent their software updates from being corrupted” is to “code-sign.” This would mandate that anyone trying to add new code to an application would need to sign with a cryptographic key that cannot be forged. For example, MeDoc did not have code signing, so hackers were able to alter code in the software update.
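To make the code-signing defense concrete, here is an added Go example written for this page; it is not MeDoc's code, nor anything from the article's author or from Professor Green. It assumes the vendor holds an Ed25519 private key in its build pipeline and the client ships with the matching public key pinned in its binary (all function names, the update payload and the tamper scenario are constructed for the example). A signature produced over the exact distributed bytes is verified before anything is installed, so an attacker who can replace files on the update channel, as happened with MeDoc, produces an update the client refuses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrBadSignature is returned when an update fails verification.
var ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned vendor key")

// GenerateVendorKey creates the vendor's signing key pair. The private half
// stays in the vendor's build pipeline (ideally in an HSM); only the public
// half is compiled into the client.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignUpdate is the vendor-side step: a detached signature over the exact
// bytes that will be distributed.
func SignUpdate(priv ed25519.PrivateKey, update []byte) []byte {
	return ed25519.Sign(priv, update)
}

// VerifyUpdate is the client-side step. Because pinnedKey is baked into the
// client rather than fetched from the update server, an attacker who controls
// the server can swap the payload and the signature file but cannot produce
// a signature that verifies.
func VerifyUpdate(pinnedKey ed25519.PublicKey, update, sig []byte) error {
	if !ed25519.Verify(pinnedKey, update, sig) {
		return ErrBadSignature
	}
	return nil
}

// ApplyUpdate gates installation on verification and returns the bytes that
// may be installed, or nil and an error on rejection.
func ApplyUpdate(pinnedKey ed25519.PublicKey, update, sig []byte) ([]byte, error) {
	if err := VerifyUpdate(pinnedKey, update, sig); err != nil {
		return nil, err
	}
	return update, nil
}

// Tamper returns a copy of update with one byte flipped, standing in for an
// attacker who altered a file in the update channel (constructed scenario).
func Tamper(update []byte) []byte {
	t := append([]byte(nil), update...)
	t[len(t)/2] ^= 0x01
	return t
}

func main() {
	pub, priv, err := GenerateVendorKey()
	if err != nil {
		panic(err)
	}
	update := []byte("constructed update payload: accounting-module v2.1") // made-up content
	sig := SignUpdate(priv, update)

	if _, err := ApplyUpdate(pub, update, sig); err != nil {
		fmt.Println("genuine update:", err)
	} else {
		fmt.Println("genuine update: installed")
	}
	if _, err := ApplyUpdate(pub, Tamper(update), sig); err != nil {
		fmt.Println("tampered update:", err)
	}
}
```

The property that matters is the separation of roles: only the vendor can sign, every client can verify, and the trust anchor travels with the client rather than with the update. Pinning the key also means a key rotation has to be shipped as a signed update itself, which is the cost of making the update server a non-trusted component.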
Guest post by Ben Oster, product manager, AvePoint.
Balancing the strategic needs of a business with the user-friendliness of its systems is a daily struggle for IT pros in every industry. But for healthcare organizations, safeguarding the data living in these systems can be especially daunting. According to a study by the Ponemon Institute, healthcare is a minefield for various security hazards. Within the last two years, 89 percent of healthcare organizations experienced at least one data breach that resulted in the loss of patient data. As healthcare businesses and the patients they serve adopt a mobile-first approach, providers must strike a balance between innovation and risk to prevent patient data (and internal information) from falling into the wrong hands.
The use of mobile devices and apps certainly enhance patient-provider relationships, but these complex information systems present new concerns surrounding compliance, security, and privacy. As employees and patients increasingly adopt smartphones, tablets, and cloud-based software into their daily lives, healthcare leaders must prioritize users’ needs while mitigating security risks. Mastering this dynamic requires healthcare companies to balance mobility trends like BYOD and cloud computing with regulatory requirements like HIPAA.
To lower the risk of data breaches, healthcare organizations need to defend their systems by identifying, reporting on, and safeguarding sensitive data. Here are a few steps the healthcare industry can take to join the mobile revolution without compromising security:
Start with discovery – Traditionally, healthcare organizations have taken a “security through obscurity” approach to protecting data. In other words, relying on the ambiguity of the data in their systems to ward off malicious attacks and breaches. But as technology emerges that personalizes patients’ end-user experience – such as online patient portals and electronic medical records – healthcare organizations’ data becomes less and less obscure. With patients and medical staff accessing this data through a range of devices and workflows, knowing precisely what content exists in a healthcare organization’s infrastructure is essential to security. That’s why discovery is the first step to safeguarding content. Healthcare IT teams should also roll out internal classification schemas to determine which user groups need access to this data. By categorizing content based on these factors, healthcare companies can lay the framework for a truly secure system.
Guest post by James Carder, CISO of LogRhythm, VP of LogRhythm Labs.
This year’s biggest health data breach victims include insurers Premera and Anthem, where incidents affected nearly 100 million patients combined. It’s clear that healthcare organizations must strengthen their cyber security programs to protect themselves and their patients, or they’ll be targeted again and again. Strategically, healthcare organizations must change the way they have operated for the past 30+ years with regard to their behaviors and their use of IT. Cyber security is now a key business differentiator as both patient care and safety are paramount to a hospital’s ability to remain a trusted provider. The hospital of the future is one that incorporates these protection measures into its business brand, thereby recruiting, retaining and reinvesting in patients.
As we start out 2016, here’s what I think we’ll see going forward:
Healthcare IT security will continue to fall further and further behind the rest of the industry verticals
Healthcare IT security will continue to fall further behind the rest of the industry verticals. Healthcare organizations are focusing on functionality for patient care (rightfully so), and security is an afterthought. Many organizations are overly dependent on antiquated hardware and software, with inherent vulnerabilities, that could inadvertently put patients in danger. There has never been a real investment in information security, so the cost to catch up to industry standards and shed the label of being the hackers’ “low hanging fruit” is that much more expensive. The industry will continue to be targeted by sophisticated and organized attackers until a serious investment is made in both technological and human capital.
The medical record is a relative goldmine of information and, as such, a highly valuable target for all classes of attackers, ranging from financial crime groups to nation state threat actors. The number of items a hacker has access to and the way in which the information can be used is more extensive. Stolen data can be re-used by a hacker over and over again. So, in addition to this general prediction, I also think that at least one of the U.S. News and World Report top 10 hospitals will go public with a breach through outside channels.
Healthcare IT (security) spend will be the highest it has ever been, doubling the spend of 2015
Despite my first prediction, healthcare organizations will invest a lot of money in IT security technology and human resources, doubling the spend of 2015. Although the executives may fund the security department, a security culture might not trickle down to the rest of the organization. The person in charge of security might be accountable for security, but the buy-in must come from the board of directors down through every level of the organization. Staff and the clinicians must understand what they are doing is making the organization a safer place for them and their patients–their effective security behaviors allow clinicians to do their job in treating patients better.
At least one major medical device manufacturer will have to go public with a vulnerability that could fatally affect patients
Medical device vendors and manufacturers have never taken security seriously. They are primarily looking for functionality for patient care and ease of administration and maintenance. A medical device is a computer system with one end attached to the patient, providing critical patient care, and the other end attached to the corporate network or Internet. Just like most devices on the network, a medical device runs a known operating system, vulnerable to the myriad exploits that affect any computer. Based on the risk profile of a medical device, it should be subject to the highest security standards in the industry, but unfortunately they are not. If someone can hack into a Windows XP box that is unpatched with exploitable vulnerabilities, someone can hack into an XP-based medical device. I predict that another medical device manufacturer will disclose an easily exploitable vulnerability that could put patients at direct risk. I also predict that an attacker will exploit a medical device and use it as a bridge into a company’s corporate network to facilitate a breach.
Guest post by David Thompson, senior director, product management, LightCyber.
A targeted data breach is one of the most vexing problems facing healthcare organizations today. Just in the first three months of 2015 alone, 99 million patient healthcare records were compromised—that’s about one-third of the entire U.S. population, and those are just the ones we know about. According to some sources, 90 percent of healthcare organizations have already been breached, but we aren’t sure which ones.
The cybercriminals behind a targeted data breach do not want to be exposed—and make no mistake, these breaches are run by people, not autonomous software. Unlike the hackers of earlier days, these operatives want to stay hidden and conduct their work in secret. Even if they have successfully completed their initial goals—let’s say exfiltrate patient medical records—a cybercriminal team will likely want to stay undiscovered to continue to steal more data as it is collected, or leverage this access to break into another company. Often this will involve commandeering valid credentials from the first organization to gain access to another, perhaps a partner healthcare organization, an insurance company, an independent lab or some other entity.
The simple truth is that most healthcare organizations lack the means to detect an active data breach. First, let me define a data breach, since there is so much confusion over the term. A breach is the entire process—from initial network penetration through data exfiltration—cybercriminals go through to achieve their goals.
Often a breach is perceived as only the initial penetration into the network or infection of a machine. This one act is over in an instant, but it is the focus of considerable security resources. In other words, a large proportion of security resources are devoted to preventing a single step in the breach process that lasts less than a minute, but is only the first step toward a goal.
Also, initial penetration is not as easy to spot and block as you might guess. Since the way into the network may be accomplished through the use of valid credentials acquired through social engineering or clever spear phishing, detecting the intrusion can be difficult. Effective prevention of intrusions is based on use of statically defined descriptions of software code or behavior (signatures and hashes), so it is successful mainly when known malware is used to conduct a breach. So, preventing an intrusion has a marginal success rate, but it is often seen as the last chance an organization has in defeating a targeted breach.
Once an attacker is inside the network, most organizations lack the ability to find them. At the same time, an attacker is inherently at a disadvantage, having landed inside an unfamiliar network. This disadvantage is quickly dissipated since they can often go completely undetected for weeks, months or even longer. The industry average dwell time is around six months, plenty of time for an attacker to explore a network and get at assets.
Why is it that organizations are seemingly powerless to find an active data breach once an intruder has penetrated a network? There are four main reasons.
According to a 2014 Identity Theft Resource Center Report, the healthcare industry has officially surpassed other major industries and now accounts for 42.3 percent of all data breaches recorded last year. As the number of patient medical records transitions to a digital sharing model, the potential cost of data breaches is now substantially higher than for those less regulated, like retail and public services. It’s clear that the industry is increasingly vulnerable to sophisticated cyberattacks; hackers are after vital patient information such as social security numbers and past medical records. With limited budgets and priorities often, and rightfully, placed on patient care, many healthcare organizations lack the resources to implement stronger security levels. Despite these constraints, with the right technology and best practices in place healthcare organizations can position themselves for success.
The costs associated with “damage control” for many healthcare providers are steep, with the annual cap on fines for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HITECH Act of 2009 up from a maximum of $25,000 per year to $1.5 million. And fines are only part of the financial burden. Investigation and legal efforts, business downtime and decreased credibility all drive up costs even further.
Unfortunately, many healthcare organizations are still facing challenges when it comes to effectively communicating and collaborating on security. In many of these healthcare organizations, there is a department for privacy and compliance and then a separate department for enterprise IT security. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach as neither side is able to understand the full spectrum of the threat without the others’ data.
The consequences of the gap between compliance and IT security become evident when dealing with insider threats. An individual’s actions may look legitimate but, when correlated against other activity, could indicate that malicious activity is occurring. A workstation that has always previously accessed clinical data or some other patient information doesn’t raise suspicion. But a subtle, steady increase in traffic, say of five or ten percent, correlated with communication to an unauthorized or new IP address, likely indicates a breach. The same example could apply to an external threat with a malicious actor using social engineering methods to entice an unwitting user to download malware. Once inside the network, the malware can replicate the very same scenario. Either way, a breach has occurred. The IT security department may discover the situation, investigate and handle it and move on to the next task. But without visibility into this type of data, how would the compliance department learn about possible data leakage and take the necessary steps to investigate and report?
IDC Health Insights announces a new report, “Business Strategy: Thwarting Cyber Threats and Attacks against Healthcare Organizations,” that features findings from the 2014 IDC Insights Cross Industry Cyber Threat Survey. The report is designed to gauge how financial services, healthcare provider organizations and retailers are responding to increasing cyber threats and the impact of successful attacks on business operations. The study also highlights how healthcare organizations are investing in their cyber strategy to protect their most valuable electronic assets.
Today’s healthcare organizations are at greater risk of a cyber attack than ever before in part because electronic health information is more widely available today than in the nearly 20 years since the Health Insurance Portability and Accountability Act was passed in 1996. Cyber criminals view healthcare organizations as a soft target compared to financial services and retailers because historically healthcare organizations have invested less in IT, including security technologies and services, than other industries, thus making them more vulnerable to successful cyber attacks.
The value of health information, which can be used to commit medical fraud, is surpassing the value of social security and credit card numbers on the black market, thus increasing the attractiveness of stealing health information.
Key findings include:
After physical loss or theft of a laptop, mobile or portable device, malicious hacking or IT incident was the most common breach reported on the Department of Health and Human Services (DHHS) website. In 2013, 20 (out of 175) breaches related to hacking or an IT incident represented 9 percent of the individuals affected and 11.4 percent of the attacks.
All respondents of the 2014 IDC Insights Cross Industry Cyber Threat Survey reported that they had experienced a cyber attack in the past 12 months; 39.4 percent reported that they were attacked more than 10 times and 27.1 percent of the attacks were described as “successful attacks.”
Security is a top IT initiative for health care providers. In 2014, according to the 2014 IDC Global Technology and Industry Research Organization IT Survey, security and risk management technologies was the number 1 initiative (29.0 percent). In 2013, it was also the top ranked initiative (20.1 percent).
Approximately one out of four cyber attacks had an impact on normal business operations. The majority of respondents (52.2 percent) indicated that the shortest impact lasted less than an hour and 43.3 percent reported that the longest duration was between eight and 24 hours.
The overwhelming majority of healthcare executives reported that their spending on cyber threats increased (59.6 percent) or stayed the same (38.3 percent) over the last three years. On average, the increase for those respondents that reported an increase was 14.8 percent.
Consumers highly value their privacy according to a recent 2014 IDC Insights Cross-Industry Consumer Experience Survey, but are not as confident that healthcare organizations were adequately protecting their data. Concerned consumers are willing to end a healthcare relationship after a breach, including changing their care providers (21.6 percent) and changing health plans (5 percent).
Since the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law in February 2009, rural, community and critical access hospitals are turning to electronic health record (EHR) systems to receive significant incentive payments based on meeting meaningful use regulations. However, the impact on workflow makes achieving a return on investment (ROI) after implementation challenging. Additionally, the burden is placed on these hospitals’ small IT departments to meet federally mandated deadlines such as meaningful use.
According to a 2014 HIMSS Analytics survey, 83 percent of healthcare providers are using cloud services. Compared to server-based networks, the cloud is especially beneficial to rural hospitals because of the lower upfront, implementation and maintenance costs, resulting in increased ROI. The cloud system’s pay-as-you-use method removes the need for expensive hardware, and the accessibility and security of patient records improves efficiency and patient care, allowing hospitals to prove they are meaningfully using EHR technology.
Implementation and Maintenance
Because of budgetary restraints, rural hospitals typically have outdated technology and some areas do not even have computers. Recently, I visited a hospital with only one computer on each floor and no EHR system in place at all. Because of this, these hospitals must implement user-friendly healthcare technology that is easily implemented across the network– even for clinicians with limited or no experience in a high-tech environment. This type of easy-to-use EHR system not only improves patient care, but also helps hospitals qualify for federal incentive payments. However, time is running out. Hospitals only have one more year to receive incentives for being MU compliant. After this timeframe they not only won’t receive payments, but they will be penalized financially for not meeting regulations, which is especially detrimental to smaller hospitals.
Cloud-based solutions allow hospitals to deploy EHR systems quickly and at a lower cost. While server-based EHR systems can cost $40,000 or more, a cloud network does not require any hardware to be installed on-site. Therefore, upfront, implementation and maintenance costs are much lower than a server-based solution. Less hardware means less opportunity for failure – thus, maintenance costs decrease drastically as the lifespan of a cloud-based system is much longer than a physical server solution.