The healthcare industry plays an important role since it impacts people’s lives in various ways. As innovations continue to evolve, they have brought about significant changes in the quality of health services, particularly in delivering dependable and high-quality patient care.
Apart from advancements, the healthcare industry has faced many challenges. Most of these challenges result from regulatory or legislative mandates, security threats, and process changes brought about by new technology, to name a few.
The last 24 months have transformed the role of the cloud in healthcare. Before, software solutions were usually only accessible on-prem. There was no real impetus for healthcare organizations to modernize their disconnected systems when they were contained within a facility’s four walls. For clinicians laser-focused on patient care, trying new tools from the IT department was a low priority. Both of these factors made the adoption of modern cloud solutions extremely slow.
But the rise of telehealth and remote work during the pandemic changed all that. Now, efficient collaboration across many locations is a business need — and a key to effective patient care. More healthcare organizations are making the decision to shift their systems to the cloud to facilitate easier file sharing, more streamlined workflows, and other benefits.
However, transitioning to the cloud isn’t as simple as flipping a switch. For healthcare organizations in particular, modernizing technology systems requires careful change management and a well-thought-out governance plan. Skip these steps and your organization risks missing out on the full benefits of cloud.
The sources of healthcare organizations’ technical debt
Data security and regulatory compliance are top concerns for healthcare providers when it comes to technology solutions — and for good reason. Healthcare organizations handle large quantities of highly sensitive personally identifiable information (PII), and both HIPAA and data privacy regulations like the GDPR and CCPA carry heavy penalties for violations that lead to a breach.
However, these legitimate concerns have led many healthcare organizations into deep technical debt. A widespread — and inaccurate — perception that on-prem solutions are more secure than cloud delayed adoption of modern, streamlined workflow and file management solutions. At the same time, concerns over compliance drove the adoption of pinpoint solutions from vendors able to claim their products were specifically designed for healthcare customers.
With the rapid shift to telehealth stemming from the pandemic, both deployment and adoption of patient portals increased. This surge in usage has exposed security vulnerabilities, and we’re now seeing that many of the patient portals in use today are ripe for fraud, phishing, and ransomware attacks. To illustrate the severity of this problem, last year the latter alone cost the healthcare industry nearly $21 billion in downtime, affecting 600 providers nationwide.
COVID-19 transformed the healthcare landscape, making patient portals and telehealth the primary means by which to communicate with providers, access treatment plans and other documents and process payments. Given the convenience this affords for patients and providers alike, these digital experiences will likely remain a primary part of the healthcare industry for years to come. As organizations continue to invest in patient portals and other telehealth innovations, it’s critical that they are cognizant of the myriad security concerns.
It should come as no surprise that hackers view patient portals as an extremely attractive target—credit card data, personally identifiable information (PII) and personal health information (PHI) are all accessible via these platforms. Unfortunately, because patient portals were designed with the user experience in mind, it’s not uncommon for them to have minimal security to make the process as frictionless as possible. Hackers are only too eager to exploit this and other security holes, so it’s critical that organizations address these concerns. With that in mind, read on for five important steps to shore up these vulnerabilities and enhance patient portal security.
Screen for Compromised Credentials
In many cases patient portals are secured solely by a password, something that is widely recognized as a poor security practice, particularly for accounts that contain such sensitive information. This is largely due to the pervasive problem of reusing passwords across multiple sites, something 59% of respondents in a recent survey admit to doing. If just one of these accounts has been breached, then every other site or service associated with the exposed password is also at risk. Therefore, if a patient uses a weak or compromised password to secure their portal, there is a very good chance that bad actors could launch a successful account takeover (ATO). To address this and other password-related vulnerabilities, providers should screen credentials against a dynamic database of breached passwords to ensure that patients aren’t inadvertently opening the front door to hackers. Given the rate at which data breaches occur, it’s also important to implement this screening on an ongoing basis, rather than solely when a patient enrolls in the portal.
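The screening step above, as an added example (not code from the original article or from any vendor it mentions): a portal-side check that hashes the candidate password, sends only a five-character hash prefix to a breach lookup (the k-anonymity range-query pattern), compares the full hash locally, and applies the result at enrollment, at every login and at every password change, since those are the only moments the plaintext is available for re-screening. The breach corpus, its sighting counts and the sample passwords are constructed for the example.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// BreachIndex is keyed by the first five hex characters of an upper-case
// SHA-1 password hash and holds the remaining 35 characters of every
// breached hash sharing that prefix, with the number of times it was seen.
// Only the prefix ever leaves the portal, so the lookup service learns
// nothing about which password was checked.
type BreachIndex map[string]map[string]int

// Constructed breach corpus standing in for a real feed; counts are made up.
var constructedBreachedPasswords = map[string]int{
	"password":   3730471,
	"123456":     23597311,
	"Welcome1":   12345,
	"Summer2023": 872,
}

// hashSHA1Upper returns the upper-case hex SHA-1 of s, the form breach
// corpora conventionally publish.
func hashSHA1Upper(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// BuildIndex hashes a corpus of breached passwords into prefix buckets.
func BuildIndex(corpus map[string]int) BreachIndex {
	idx := make(BreachIndex)
	for pw, n := range corpus {
		h := hashSHA1Upper(pw)
		prefix, suffix := h[:5], h[5:]
		if idx[prefix] == nil {
			idx[prefix] = make(map[string]int)
		}
		idx[prefix][suffix] = n
	}
	return idx
}

// Range is the lookup the portal calls with a five-character prefix only.
func (idx BreachIndex) Range(prefix string) map[string]int {
	return idx[prefix]
}

// Screen reports whether password appears in the breach index and how often.
// The full hash is compared locally against the returned suffixes.
func Screen(idx BreachIndex, password string) (compromised bool, seen int) {
	h := hashSHA1Upper(password)
	prefix, suffix := h[:5], h[5:]
	for s, n := range idx.Range(prefix) {
		if s == suffix {
			return true, n
		}
	}
	return false, 0
}

// Decision applies the screen whenever the plaintext is available: reject
// at enrollment, force a reset at login or change, so a password that was
// clean at enrollment but leaks later is still caught at the next login.
func Decision(idx BreachIndex, event, password string) string {
	compromised, seen := Screen(idx, password)
	switch {
	case compromised && event == "enroll":
		return fmt.Sprintf("reject: password seen %d times in breach data", seen)
	case compromised:
		return fmt.Sprintf("force-reset: password seen %d times in breach data", seen)
	default:
		return "allow"
	}
}

func main() {
	idx := BuildIndex(constructedBreachedPasswords)
	cases := [][2]string{{"enroll", "Welcome1"}, {"login", "password"}, {"login", "v7$Kq2!mRzp#Ln"}}
	for _, c := range cases {
		fmt.Printf("%-6s %-16s -> %s\n", c[0], c[1], Decision(idx, c[0], c[1]))
	}
}
```

The index here is in-process; in a real deployment `Range` would be the call to the breach-data provider, and the important property is that the comparison of the hash suffix happens on the portal side.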
By Devin Partida, technology writer and the editor-in-chief, ReHack.com.
The medical industry’s growing reliance on digital technologies has come with some increased risks. That became painfully evident for thousands of patients in the wake of a recent ransomware attack on CaptureRX, a healthcare administrative service provider.
On February 6, hackers accessed sensitive patient data from multiple CaptureRX clients, affecting at least 1 million people. The company started investigating after noticing unusual activity, and by February 19, it could confirm that someone had stolen patients’ personally identifiable information (PII). CaptureRX started alerting affected clients on March 30, and the full scope of the incident is still unclear.
Health IT’s Growing Ransomware Problem
This is far from the first instance of a ransomware attack on a health IT company. Ransomware as a whole has become much more common in the past few years, and medical businesses are more at risk than most. Hospitals have more to lose in these attacks, given the sensitive nature of their data, so a successful breach could be more profitable for hackers.
In 2020 alone, there were 92 ransomware attacks against healthcare organizations, affecting more than 18 million patient records. That represents a 60% increase over 2019 in the number of attacks and a 470% increase in records affected. Since 2016, these attacks have cost the industry more than $31 billion.
The CaptureRX attack is the latest in a troubling and growing trend of ransomware attacks against health IT. If industry leaders aren’t already aware of this problem, the sheer size of this incident will likely get their attention. With these attacks becoming more frequent and expensive, the sector will likely shift in response.
By Chris Goettl, director of product management, security, Ivanti.
The first months of 2019 have seen a record number of reported security vulnerabilities. But potentially the riskiest is BlueKeep. BlueKeep is a vulnerability (CVE-2019-0708) that affects Windows 7, Windows XP, Server 2003, 2008 and 2008 R2, which many feel will be exploited
The concern has been so great that Microsoft has issued public updates, even for the no-longer-supported XP and Server 2003 operating systems, and has been very active in issuing warnings to apply the fixes right away. Some may even say that Microsoft has been uncharacteristically begging everyone to apply the necessary fixes. The NSA too has issued an advisory and warning to fix this immediately.
Why is this so important for healthcare organizations? It’s been reported that “70 percent of devices in healthcare organizations will be running unsupported Windows operating systems by January 2020.” This is a greenfield opportunity for the perpetrators of BlueKeep to expose health records and personally identifiable information (PII), presenting monumental, potential risk.
How does it work? BlueKeep is considered a ‘wormable’ vulnerability because it does not require authentication or user interaction to exploit. As such, the worm can spread from system to system taking advantage of the vulnerability.
Numerous possibilities exist for a wormable exploit like BlueKeep. For example, if it uses something like Emotet, a more sophisticated malware platform, a piece of malware could get onto a system and have the potential of making intelligent decisions about what it should do next. It could then automate those steps and adapt to its
Or, what if BlueKeep finds its way onto somebody’s home computer? In that case it’s probably going to just sit back and grab any email exchanges that are going on, scrape some email addresses, and try to spam itself out to spread itself further.
if it got into a hospital’s network it could switch into ransomware mode – creating perhaps an even more damaging version of WannaCry – holding critical and even life-saving information hostage.
perspective, the WannaCry attack of 2017 was reported to cost as much as $4 billion, making it one of the most costly ransomware attacks to ever hit our global economy. The fact that six security firms have independently reached successful exploit of BlueKeep makes it pretty likely that a weaponized version of BlueKeep may be a lot more real than some of the other recent threats. Even though nobody has detected an attack “in the wild” yet, it’s only a matter of time before the first attacks occur. Bleeping Computer confirms private Metasploit modules have already been developed for demonstration.
So, what needs to be done to keep BlueKeep away? Follow these three important steps:
comprehensive asset management solution to ensure that you have full visibility into any and all legacy systems that may have one of the vulnerable operating systems. It only takes one system that remains unpatched to expose your network. Don’t let any system slip through the cracks.
the latest updates to all of your legacy systems before BlueKeep hits the streets. You don’t want to get an ‘I told you so!’ from your incident response and security team.
Minimize the impact on your IT teams through automation. With the latest versions of MS SCCM not supporting Windows XP and Server 2003, the job of applying patches can be a bit more difficult. But it doesn’t necessarily mean that you must perform your patching manually. You can patch up to 50 systems including Windows XP and Server 2003 by accessing this free 60-day license to Ivanti Security Controls here.
For those who have not patched BlueKeep yet, it is only a matter of time before the first malicious exploit is distributed. You can be sure that healthcare organizations will be at the top of the target list. Be prepared and apply fixes today. Cyber adversaries are likely reverse engineering the patch as you read this, getting ready to exploit organizations and individuals alike. Let’s work together to avoid a potential repeat of
By Jacob Denton, chief information security officer, Mosaic451.
Unless your security team has been living in a cave in one of the last remaining places on the planet where you can still unplug, you have certainly heard about the Petya and NotPetya ransomware attacks and the chaos caused by them. Petya was a somewhat “typical” ransomware attack in 2016: It encrypted the master boot record of infected computers and asked for ransom in the form of Bitcoin. But NotPetya, a potentially state-sponsored attack against Ukraine, was more similar to WannaCry, which occurred shortly before in 2017. In addition to ransoming companies to pay the hackers in Bitcoin, NotPetya also took advantage of the EternalBlue exploit and was a “worm” that could self-propagate, like WannaCry.
What made NotPetya unique was its intrusion into MeDoc, a Ukrainian tax and accounting software package. About 80 percent of Ukrainian businesses used this software at the time of the attack. The NotPetya hackers employed an innovative strategy: They put in a slightly different version of a file into MeDoc’s software updates.
Since MeDoc was so widely used throughout the Ukrainian business community, the hackers started spreading corrupted versions of MeDoc software in April. By June, undetected, they were able to insert the NotPetya ransomware. And since it was a worm, NotPetya was able to spread rapidly. It was a lot worse than Petya in its scope: It not only encrypted the master boot record, it also encrypted other important files, making the damage to companies’ hard drives even more serious.
Cyber security firm Cybereason reports that NotPetya cost companies approximately $892.5 million in lost revenue. While it first hit Ukraine, it hurt businesses worldwide, including FedEx, Merck, and Reckitt Benckiser.
What lessons have we learned?
First, that hackers have gone way past spamming naive end users. The NotPetya attack was particularly troubling because it was a “clickless” attack that didn’t need to rely on end users for access. It also took advantage of software updates, a holy grail of commonplace cyber security.
Thankfully, there are some precautions cyber professionals can heed from this hack. According to Johns Hopkins University Computer Science Professor Matthew Green, one limited action developers could take to help “prevent their software updates from being corrupted” is to “code-sign.” This would mandate that anyone trying to add new code to an application would need to sign with a cryptographic key that cannot be forged. For example, MeDoc did not have code signing, so hackers were able to alter code in the software update.
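To make the code-signing recommendation concrete, here is an added example (not code from the original post, from MeDoc, or from Professor Green): the vendor's release system signs a manifest binding the product, version and SHA-256 digest of the update with an Ed25519 private key, and the client verifies it against a pinned public key before installing. A payload altered after signing, a manifest signed with any other key, or an attempt to push an older version are all refused. The product name, version strings and payload bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest is what the vendor signs: product, version and the SHA-256
// digest of the update payload, so one signature binds both bytes and version.
type Manifest struct {
	Product string
	Version string
	Digest  string // hex SHA-256 of the payload
}

// canonical renders the manifest in a fixed byte layout for signing.
func (m Manifest) canonical() []byte {
	return []byte(m.Product + "\n" + m.Version + "\n" + m.Digest + "\n")
}

func digest(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// versionLess compares dotted numeric versions ("2.9" < "2.10").
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x < y
		}
	}
	return false
}

// SignUpdate runs on the vendor's release system, the only place the
// private key should ever exist.
func SignUpdate(priv ed25519.PrivateKey, product, version string, payload []byte) (Manifest, []byte) {
	m := Manifest{Product: product, Version: version, Digest: digest(payload)}
	return m, ed25519.Sign(priv, m.canonical())
}

// VerifyUpdate runs on the client with a pinned vendor public key. It rejects
// a forged signature, a payload that does not match the signed digest, and a
// version older than the one installed (a downgrade to a vulnerable build).
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte, installed string) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return errors.New("manifest signature invalid")
	}
	if digest(payload) != m.Digest {
		return errors.New("payload digest does not match signed manifest")
	}
	if versionLess(m.Version, installed) {
		return errors.New("rollback to older version refused")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed update payload")
	m, sig := SignUpdate(priv, "example-accounting-app", "2.1", payload)
	fmt.Println("genuine update: ", VerifyUpdate(pub, m, sig, payload, "2.0"))
	tampered := append([]byte("injected"), payload...)
	fmt.Println("tampered update:", VerifyUpdate(pub, m, sig, tampered, "2.0"))
}
```

The verification step is deliberately separate from the download: the client should treat the update server as untrusted and accept bytes only once the pinned key has vouched for the manifest and the digest has vouched for the payload.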
Guest post by Ben Oster, product manager, AvePoint.
Balancing the strategic needs of a business with the user-friendliness of its systems is a daily struggle for IT pros in every industry. But for healthcare organizations, safeguarding the data living in these systems can be especially daunting. According to a study by the Ponemon Institute, healthcare is a minefield for various security hazards. Within the last two years, 89 percent of healthcare organizations experienced at least one data breach that resulted in the loss of patient data. As healthcare businesses and the patients they serve adopt a mobile-first approach, providers must strike a balance between innovation and risk to prevent patient data (and internal information) from falling into the wrong hands.
The use of mobile devices and apps certainly enhance patient-provider relationships, but these complex information systems present new concerns surrounding compliance, security, and privacy. As employees and patients increasingly adopt smartphones, tablets, and cloud-based software into their daily lives, healthcare leaders must prioritize users’ needs while mitigating security risks. Mastering this dynamic requires healthcare companies to balance mobility trends like BYOD and cloud computing with regulatory requirements like HIPAA.
To lower the risk of data breaches, healthcare organizations need to defend their systems by identifying, reporting on, and safeguarding sensitive data. Here are a few steps the healthcare industry can take to join the mobile revolution without compromising security:
Start with discovery – Traditionally, healthcare organizations have taken a “security through obscurity” approach to protecting data. In other words, relying on the ambiguity of the data in their systems to ward off malicious attacks and breaches. But as technology emerges that personalizes patients’ end-user experience – such as online patient portals and electronic medical records – the less obscure healthcare organizations’ data becomes. With patients and medical staff accessing this data through a range of devices and workflows, knowing precisely what content exists in a healthcare organization’s infrastructure is essential to security. That’s why discovery is the first step to safeguarding content. Healthcare IT teams should also roll out internal classification schemas to determine which user groups need access to this data. By categorizing content based on these factors, healthcare companies can lay the framework for a truly secure system.
Guest post by James Carder, CISO of LogRhythm, VP of LogRhythm Labs.
This year’s biggest health data breach victims include insurers Premera and Anthem, where incidents affected nearly 100 million patients combined. It’s clear that healthcare organizations must strengthen their cyber security programs to protect themselves and their patients, or they’ll be targeted again and again. Strategically, healthcare organizations must change the way they have operated for the past 30+ years with regard to their behaviors and their use of IT. Cyber security is now a key business differentiator as both patient care and safety are paramount to a hospital’s ability to remain a trusted provider. The hospital of the future is one that incorporates these protection measures into its business brand, thereby recruiting, retaining and reinvesting in patients.
As we start out 2016, here’s what I think we’ll see going forward:
Healthcare IT security will continue to fall further and further behind the rest of the industry verticals
Healthcare IT security will continue to fall further behind the rest of the industry verticals. Healthcare organizations are focusing on functionality for patient care (rightfully so), and security is an afterthought. Many organizations are overly dependent on antiquated hardware and software, with inherent vulnerabilities, that could inadvertently put patients in danger. There has never been a real investment in information security, so the cost to catch up to industry standards and shed the label of being the hackers’ “low hanging fruit” is that much more expensive. The industry will continue to be targeted by sophisticated and organized attackers until a serious investment is made in both technological and human capital.
The medical record is a relative goldmine of information and, as such, a highly valuable target for all classes of attackers, ranging from financial crime groups to nation state threat actors. The number of items a hacker has access to and the way in which the information can be used is more extensive. Stolen data can be re-used by a hacker over and over again. So, in addition to this general prediction, I also think that at least one of the U.S. News and World Report top 10 hospitals will go public with a breach through outside channels.
Healthcare IT (security) spend will be the highest it has ever been, doubling the spend of 2015
Despite my first prediction, healthcare organizations will invest a lot of money in IT security technology and human resources, doubling the spend of 2015. Although the executives may fund the security department, a security culture might not trickle down to the rest of the organization. The person in charge of security might be accountable for security, but the buy-in must come from the board of directors down through every level of the organization. Staff and the clinicians must understand what they are doing is making the organization a safer place for them and their patients–their effective security behaviors allow clinicians to do their job in treating patients better.
At least one major medical device manufacturer will have to go public with a vulnerability that could fatally affect patients
Medical device vendors and manufacturers have never taken security seriously. They are primarily looking for functionality for patient care and ease of administration and maintenance. A medical device is a computer system with one end attached to the patient, providing critical patient care, and the other end attached to the corporate network or Internet. Just like most devices on the network, a medical device runs a known operating system, vulnerable to the myriad exploits that affect any computer. Based on the risk profile of a medical device, it should be subject to the highest security standards in the industry, but unfortunately it is not. If someone can hack into a Windows XP box that is unpatched with exploitable vulnerabilities, someone can hack into an XP-based medical device. I predict that another medical device manufacturer will disclose an easily exploitable vulnerability that could put patients at direct risk. I also predict that an attacker will exploit a medical device and use it as a bridge into a company’s corporate network to facilitate a breach.
Guest post by David Thompson, senior director, product management, LightCyber.
A targeted data breach is one of the most vexing problems facing healthcare organizations today. Just in the first three months of 2015 alone, 99 million patient healthcare records were compromised—that’s about one-third of the entire U.S. population, and those are just the ones we know about. According to some sources, 90 percent of healthcare organizations have already been breached, but we aren’t sure which ones.
The cybercriminals behind a targeted data breach do not want to be exposed—and make no mistake, these breaches are run by people, not autonomous software. Unlike the hackers of earlier days, these operatives want to stay hidden and conduct their work in secret. Even if they have successfully completed their initial goals—let’s say exfiltrate patient medical records—a cybercriminal team will likely want to stay undiscovered to continue to steal more data as it is collected, or leverage this access to break into another company. Often this will involve commandeering valid credentials from the first organization to gain access to another, perhaps a partner healthcare organization, an insurance company, an independent lab or some other entity.
The simple truth is that most healthcare organizations lack the means to detect an active data breach. First, let me define a data breach, since there is so much confusion over the term. A breach is the entire process—from initial network penetration through data exfiltration— cybercriminals go through to achieve their goals.
Often a breach is perceived as only the initial penetration into the network or infection of a machine. This one act is over in an instant, but it is the focus of considerable security resources. In other words, a large proportion of security resources are devoted to preventing a single step in the breach process that lasts less than a minute, but is only the first step toward a goal.
Also, initial penetration is not as easy to spot and block as you might guess. Since the way into the network may be accomplished through the use of valid credentials acquired through social engineering or clever spear phishing, detecting the intrusion can be difficult. Effective prevention of intrusions is based on the use of statically defined descriptions of software code or behavior (signatures and hashes), so it is successful mainly when known malware is used to conduct a breach. So, preventing an intrusion has a marginal success rate, but it is often seen as the last chance an organization has in defeating a targeted breach.
Once an attacker is inside the network, most organizations lack the ability to find them. At the same time, an attacker is inherently at a disadvantage, having landed inside an unfamiliar network. This disadvantage is quickly dissipated since they can often go completely undetected for weeks, months or even longer. The industry average dwell time is around six months, plenty of time for an attacker to explore a network and get at assets.
Why is it that organizations are seemingly powerless to find an active data breach once an intruder has penetrated a network? There are four main reasons.
According to a 2014 Identity Theft Resource Center Report, the healthcare industry has officially surpassed other major industries and now accounts for 42.3 percent of all data breaches recorded last year. As the number of patient medical records transitions to a digital sharing model, the potential cost of data breaches is now substantially higher than for those less regulated, like retail and public services. It’s clear that the industry is increasingly vulnerable to sophisticated cyberattacks; hackers are after vital patient information such as social security numbers and past medical records. With limited budgets and priorities often, and rightfully, placed on patient care, many healthcare organizations lack the resources to implement stronger security levels. Despite these constraints, with the right technology and best practices in place healthcare organizations can position themselves for success.
The costs associated with “damage control” for many healthcare providers are steep, with the annual cap on fines for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HITECH Act of 2009 up from a maximum of $25,000 per year to $1.5 million. And fines are only part of the financial burden. Investigation and legal efforts, business downtime and decreased credibility all drive up costs even further.
Unfortunately, many healthcare organizations are still facing challenges when it comes to effectively communicating and collaborating on security. In many of these healthcare organizations, there is a department for privacy and compliance and then a separate department for enterprise IT security. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach as neither side is able to understand the full spectrum of the threat without the others’ data.
The consequences of the gap between compliance and IT security become evident when dealing with insider threats. An individual’s actions may look legitimate but, when correlated against other activity, could indicate that malicious activity is occurring. A workstation that has always previously accessed clinical data or some other patient information doesn’t raise suspicion. But a subtle, steady increase in traffic, say of five or ten percent, correlated with communication to an unauthorized or new IP address, likely indicates a breach. The same example could apply to an external threat with a malicious actor using social engineering methods to entice an unwitting user to download malware. Once inside the network, the malware can replicate the very same scenario. Either way, a breach has occurred. The IT security department may discover the situation, investigate and handle it and move on to the next task. But without visibility into this type of data, how would the compliance department learn about possible data leakage and take the necessary steps to investigate and report?
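The correlation described above, as an added example (not code from the original post): per-workstation daily flow totals are split into a baseline period and an observation window; a host is flagged only when its daily volume has risen by at least the configured percentage and it has also contacted a destination absent from its baseline. The flow records, hostnames and addresses are constructed for the example. It includes one host that only grows its traffic and one that only behaves normally, to show that neither signal on its own produces an alert.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Flow is one line of a constructed per-day flow summary:
// "<date> <workstation> <destination-ip> <bytes>".
type Flow struct {
	Date, Host, Dst string
	Bytes           int
}

// Constructed data: ws-07 is steady; ws-03 grows 10% but talks only to the
// usual server; ws-12 grows 8% AND starts talking to an address never seen
// in its baseline.
const constructedFlows = `2024-03-04 ws-07 10.0.0.5 1000
2024-03-05 ws-07 10.0.0.5 1000
2024-03-06 ws-07 10.0.0.5 1000
2024-03-04 ws-03 10.0.0.5 500
2024-03-05 ws-03 10.0.0.5 500
2024-03-06 ws-03 10.0.0.5 500
2024-03-04 ws-12 10.0.0.5 2000
2024-03-05 ws-12 10.0.0.5 2000
2024-03-06 ws-12 10.0.0.5 2000
2024-03-07 ws-07 10.0.0.5 1010
2024-03-08 ws-07 10.0.0.5 990
2024-03-09 ws-07 10.0.0.5 1000
2024-03-07 ws-03 10.0.0.5 550
2024-03-08 ws-03 10.0.0.5 550
2024-03-09 ws-03 10.0.0.5 550
2024-03-07 ws-12 10.0.0.5 2000
2024-03-07 ws-12 203.0.113.9 100
2024-03-08 ws-12 10.0.0.5 2050
2024-03-08 ws-12 203.0.113.9 110
2024-03-09 ws-12 10.0.0.5 2100
2024-03-09 ws-12 203.0.113.9 120`

// ParseFlows turns the text form into records, rejecting malformed lines.
func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		n, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, fmt.Errorf("bad byte count in %q: %v", line, err)
		}
		flows = append(flows, Flow{f[0], f[1], f[2], n})
	}
	return flows, nil
}

// profile is what we know about one host in one period.
type profile struct {
	dailyBytes map[string]int // date -> total bytes sent that day
	dsts       map[string]bool
}

func newProfile() *profile { return &profile{map[string]int{}, map[string]bool{}} }

func (p *profile) meanDaily() float64 {
	if len(p.dailyBytes) == 0 {
		return 0
	}
	total := 0
	for _, b := range p.dailyBytes {
		total += b
	}
	return float64(total) / float64(len(p.dailyBytes))
}

// Alert is raised only when volume growth and a new destination coincide.
type Alert struct {
	Host            string
	Ratio           float64 // window mean daily bytes / baseline mean daily bytes
	NewDestinations []string
}

// Evaluate treats flows dated on or before baselineEnd (ISO dates compare
// correctly as strings) as the baseline and the rest as the window, and
// flags hosts whose volume rose by at least `rise` (0.05 = five percent)
// while also contacting a destination absent from their baseline.
func Evaluate(flows []Flow, baselineEnd string, rise float64) []Alert {
	base, win := map[string]*profile{}, map[string]*profile{}
	for _, f := range flows {
		set := win
		if f.Date <= baselineEnd {
			set = base
		}
		if set[f.Host] == nil {
			set[f.Host] = newProfile()
		}
		set[f.Host].dailyBytes[f.Date] += f.Bytes
		set[f.Host].dsts[f.Dst] = true
	}
	var alerts []Alert
	for host, w := range win {
		b := base[host]
		if b == nil || b.meanDaily() == 0 {
			continue // no baseline to compare against; out of scope here
		}
		ratio := w.meanDaily() / b.meanDaily()
		var fresh []string
		for d := range w.dsts {
			if !b.dsts[d] {
				fresh = append(fresh, d)
			}
		}
		sort.Strings(fresh)
		if ratio >= 1+rise && len(fresh) > 0 {
			alerts = append(alerts, Alert{host, ratio, fresh})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Host < alerts[j].Host })
	return alerts
}

func main() {
	flows, err := ParseFlows(constructedFlows)
	if err != nil {
		panic(err)
	}
	for _, a := range Evaluate(flows, "2024-03-06", 0.05) {
		fmt.Printf("%s: volume x%.2f, new destinations %v\n", a.Host, a.Ratio, a.NewDestinations)
	}
}
```

The alert record carries both the ratio and the new destinations so the same event can be handed to the compliance side as evidence of possible data leakage, which is the visibility gap the paragraph above describes.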