Cyber terrorists have made their way into hospitals, and they are targeting ultrasound machines specifically. It appears there is a black market for this content, and people are paying good money for it.
A big reason for this is health machines are running on ancient software. The cyber terrorists use encryption to access the data from ultrasound machines. Since many health sector employees are not knowledgeable about cybersecurity, it’s an easy target and this is why they are getting a beat from cyber-terrorist.
The issue
Medical equipment today uses ancient hardware and software. Some of these machines are still running on Windows 2000. Microsoft had long cut off their support for Windows 2000, Windows 95 and Windows XP.
Thanks to the outdated software, cyber terrorists can easily get hold of the patient’s sensitive information. This can cost both the hospital and patient a fortune in ransom.
Anyone who accesses a hospital’s network can easily access all the records. Worse, they can connect to ultrasound imaging devices that are vulnerable to attacks because they use ancient software. Once you breach the network, getting access to details images and other details become very easy. It’s very scary for patients and hospitals that ultrasound machines are vulnerable to hacking.
The wake-up call
There was an attack in 2017, called the WannaCry virus. This virus targeted computers running on old Microsoft Windows systems. It could cause millions of dollars of loss.
These attacks have stolen $92 million. The underlining learning lesson was that you are a hacking target when using an ancient OS that doesn’t have updates and patches regularly.
How to solve this?
Hospitals are responsible for protecting the critical information of their patients. So, it will be a lot better if they start using encryption on their network and files. They can employ someone who can encrypt all of their stuff or use an application to do so.
Guest post by Santosh Varughese, president of Cognetyx
Cybersecurity is a serious concern for every industry in America, but healthcare has been particularly hard hit. It is the most likely industry in the U.S. to suffer a data breach. According to the Ponemon Institute, nearly nine out of 10 healthcare organizations have been breached at least once, and nearly half have been breaced three times or more. Cyber-criminals are clearly winning this war, despite more funding, more firewalls, and more scrutiny. Here are five reasons why healthcare organizations are losing the cybersecurity war.
C-level healthcare executives still aren’t taking data security seriously.
Although the epidemic of healthcare cyber-attacks has C-suite executives claiming they finally realize the gravity of the situation, their actions tell a different story. A recent survey by HIMSS found that while most facilities have given information security a higher priority, healthcare IT personnel still complain of insufficient funding and staffing for cybersecurity. The same concerns were expressed by IT personnel surveyed in the Ponemon study and an earlier study conducted by IBM.
Frontline employees aren’t taking it seriously, either.
A group of security researchers from the University of Pennsylvania, Dartmouth and USC recently conducted an ethnographic study of cybersecurity practices among nurses, doctors, and other frontline medical personnel. The results showed a flagrant, widespread, shocking disregard for even the most basic data security practices; among other things, workers were observed:
Writing passwords on sticky notes and tacking them on machines in full view of anyone who wandered by.
Allowing other staff members to use their login credentials out of “professional courtesy.”
Purposefully defeating automated system timeouts by placing foam cups over sensors or by having another employee tap a spacebar at intervals.
Criminal hackers are fully aware of these types of practices and do not hesitate to take advantage of them; 95 percent of breaches occur when hackers get their hands on legitimate login credentials, either by obtaining them from a malicious insider or by taking advantage of an employee’s negligence or carelessness.
Too many facilities think that HIPAA compliance is sufficient to secure their data.
Most healthcare organizations focus primarily or exclusively on HIPAA compliance, erroneously thinking that complying with HIPAA is all they need to do to secure their systems. However, HIPAA was never meant to be a blueprint for a comprehensive data security plan. The law primarily addresses documentation and procedures, such as specifying when a patient’s medical records can legally be released, not technical safeguards. Information security experts surveyed by the Brookings Institution stated that HIPAA does very little to address the types of security challenges faced by large healthcare organizations with hundreds of employees and highly complex, interconnected data environments. The proof is in the numbers; if HIPAA compliance were enough to protect patient data, 90 percent of healthcare organizations would not have experienced breaches.
Guest post by Carl Wright, general manager, TrapX Security.
In August 2015, my colleague Moshe Ben Simon contributed an Electronic Health Reporter story about how hospitals can protect against data breach using deception technologies. Since then, TrapX Labs, the research and development group within TrapX Security, has seen substantial evidence that cyber attackers have continued their attacks on healthcare targets. The number of attacks, quantity of data stolen and the sophisticated human attackers that TrapX Labs continues to track are increasing quarterly. Out of the top seven data breaches of 2015, three of them (Excellus BlueCross BlueShield, Premera Blue Cross and Anthem) lost more than 100 million records combined.
On Jan. 4, 2016, the Identify Theft Resource Center (ITRC) reported that 66.7 percent of all records breached came from the healthcare industry. Healthcare continues to be targeted because of the high value of the data and the vulnerabilities healthcare institutions are susceptible to, such as the medical device hijack (MEDJACK). More information on MEDJACK can be found here.
The convergence of this healthcare cyberwar with incomplete HIPAA compliance creates a double jeopardy situation for healthcare professionals. Not only must healthcare institutions deal with the damage inflicted by a cyber attacker and then manage the data breach penalties, but they also face investigation and additional penalties from HHS. Hospitals, accountable care organization (ACO) networks, large physician practices, health insurance companies, diagnostic laboratories, radiology/skilled nursing facilities, surgical centers and others are high value targets for attackers and all face these risks.
Training is Essential
New strategies to prevent healthcare data breaches have evolved in many areas. Regular training for both clinicians and non-clinicians can have a positive impact on reducing successful attacks.
Clinicians and non-clinicians need to recognize that their “connected” healthcare environment needs to be tightly controlled. IBM’s “2014 Cyber Security Intelligence Index” noted that 95 percent of all security incidents seem to involve human error. Even a MEDJACK usually starts with an email or website based attack. Assuming a healthcare organization’s network perimeter and internal defenses are properly configured and updated, the next step a healthcare organization should take to substantially reduce its risk is implement a rigorous employee training program.
The first component of training comes during orientation. New employees typically receive passwords and authentication information from information technology (IT), the help desk and supervisors in their area, and it’s imperative they manage them in a safe manner (no yellow sticky notes, please).
Guest post by David Thompson, senior director, product management, LightCyber.
A targeted data breach is one of the most vexing problems facing healthcare organizations today. Just in the first three months of 2015 alone, 99 million patient healthcare records were compromised—that’s about one-third of the entire U.S. population, and those are just the ones we know about. According to some sources, 90 percent of healthcare organizations have already been breached, but we aren’t sure which ones.
The cybercriminals behind a targeted data breach do not want to be exposed—and make no mistake, these breaches are run by people, not autonomous software. Unlike the hackers of earlier days, these operatives want to stay hidden and conduct their work in secret. Even if they have successfully completed their initial goals—let’s say exfiltrate patient medical records—a cybercriminal team will likely want to stay undiscovered to continue to steal more data as it is collected, or leverage this access to break into another company. Often this will involve commandeering valid credentials from the first organization to gain access to another, perhaps a partner healthcare organization, an insurance company, an independent lab or some other entity.
The simple truth is that most healthcare organizations lack the means to detect an active data breach. First, let me define a data breach, since there is so much confusion over the term. A breach is the entire process—from initial network penetration through data exfiltration— cybercriminals go through to achieve their goals.
Often a breach is perceived as only the initial penetration into the network or infection of a machine. This one act is over in an instant, but it is the focus of considerable security resources. In other words, a large proportion of security resources are devoted to preventing single step in the breach process that lasts less than a minute, but is only the first step toward a goal.
Also, initial penetration is not as easy to spot and block as you might guess. Since the way into the network may be accomplished through the use of valid credentials acquired through social engineering or clever spear phishing, detecting the intrusion can be difficult. Effective prevention of intrusions is based on use of statically defined descriptions of software code or behavior (signatures and hashes), so it is successful mainly when known malware is used to conduct a breach. So, preventing an intrusion has a marginal success rate, but it is often seen as the last change an organization has in defeating a targeted breach.
Once an attacker is inside the network, most organizations lack the ability to find them. At the same time, an attacker is inherently at a disadvantage, having landed inside an unfamiliar network. This disadvantage is quickly dissipated since they can often go completely undetected for weeks, months or even longer. The industry average dwell time is around six months, plenty of time for an attacker to explore a network and get at assets.
Why is it that organizations are seemingly powerless to find an active data breach once an intruder has penetrated a network? There are four main reasons.
Guest post by James Bindseil, president and CEO, Globalscape.
Health IT has reached a pivotal crossroad: On one end, consumers’ expectations for more timely care and instant access to health files and records continue to skyrocket; on the other, security and compliance risks are more complex and threatening than ever before.
This leaves health providers in a precarious position: should they prioritize security and compliance, or productivity and care?
In a perfect world, the answer would be all four. Unfortunately, today’s health IT landscape — which is going through a rapid and significant transformation to keep up with evolving compliance mandates, new demands around access to patient files, changing government policies, sophisticated security threats and new technologies — is far from perfect.
One of the most pressing issues lies within the policies and technologies provided by today’s IT teams. In fact, in many instances, the policies and tools implemented by IT to keep patient data safe and secure often end up having the opposite effect: they make it incredibly difficult for providers to deliver fast and efficient care in a secure, compliant manner.
For example, let’s imagine a day-in-the-life of a hospital care provider, who faces immense pressure to deliver top-notch care to as many people, and in as little time, as possible. On day one, an off-duty doctor is called at home to provide his take on the best care plan for a specific patient. How will he review the pertinent information while working remotely? In another scenario, the doctor is running from patient to patient, and is unable to take the necessary time to record his actions. Taking the work home on a USB drive seems like the best option. The next day, the hospital needs to quickly share files with the patients’ previous provider to care for an urgent medical issue.
Guest post by Kim Lennan serves as director of healthcare markets for Hexis Cyber Solutions.
The cost of IT security data breaches in the highly regulated healthcare industry is staggering, as it tops even the likes of financial services market. No one is immune. Nearly 94 percent of medical institutions report that their organizations have been victims of a cyber attack, according to findings by the Ponemon Institute. With the update last year to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HITECH Act of 2009, signs of increasing expenses are again a reality. The annual cap on fines for security breaches has also skyrocketed from a maximum of $25,000 per year to $1.5 million.
With breaches in healthcare spanning from insider, nosey-neighbor snooping, to external, cyber-threats, such as malware, there is an obvious urgency for detection and remediation solutions that engage not only the hardened perimeter, but also the soft center, spanning all the way out to the ancillary systems which at once stood alone, but are now networked and part of the entire electronic healthcare ecosystem.
Establishing a single, integrated, active defense approach to bolster your security posture and mitigate insider breach, as well as cybercrime in healthcare, begins with a motion to break down internal barriers. Organizations need technology and organization leaders who champion a bridging the gap between the two influential and liable, yet often un-collaborating services providers responsible for protecting these domains: Privacy and compliance and enterprise IT security.
Coordinating the effort to monitor networks and applications to achieve a greater understanding of risky behavior is a giant step toward detecting early indicators of compromise and strengthening the weak links in your security practice. We recommend an assessment of the often overlooked, non-standard variety of electronic data carriers, which can fall into the category of the “Internet of Things,” those medical device end-points, video surveillance systems, x-ray machines and call contact systems. These must be treated as part of the entire electronic ecosystem to achieve a greater degree of data protection. They carry patient health information (PHI) and even intellectual business property, and are largely unprotected by traditional intrusion detection solutions. While often perceived as immune to breaches, they represent readily available ports of entry for an attacker.
A unified approach to end-user education and monitoring for early breach detection that fosters risk mitigation requires tight coordination between privacy and IT security. The challenge is in how. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side is able to understand the full spectrum of the threat without the others’ data. Let’s take a look at a couple of examples.
Guest post by Darren Leroux, senior director of product marketing, WinMagic.
Gone are the days where all personal health information solely lived in giant filing cabinets behind a receptionist’s desk or in the administrative office of a hospital. Today, patient data resides everywhere – desktops, laptops, smartphones, tablets and USB drives. Understandably so – given the rise of mobile computing and bring-your-own-device (BYOD) policies in healthcare, the once straightforward process of protecting patient’s personal health information has since evolved into a complex and overwhelming undertaking.
Just the Facts
According to a recent study, 81 percent of healthcare organizations are now allowing employees and medical staff to use their personal laptops and mobile devices to connect to provider networks or access company email. Interestingly enough, the same study found that of that 81 percent of healthcare institutions enabling a BYOD strategy, 54 percent did not believe that those devices were secure enough in the workplace; 65 percent of data breaches reported to the Ponemon Institute occurred on laptops and mobile devices over the last five years — it’s no wonder that more than half of those surveyed aren’t confident in the security of their devices
When we refer to personal health information at risk, we’re not just talking about historical health records – the potential for a data breach casts a much wider net, including patient billing information, clinical trial data and even employee information like payroll numbers. With so much sensitive, unprotected data up for grabs, we’re inclined to ask ourselves – how? How is this significant rise in healthcare data breaches even possible, and how do we stop this from continuing?
Below are the top three gaping security holes in remote healthcare data practices that are answering our question of how is this rise in breaches in possible:
Guest post by George Bailey, senior advisor, health IT/security, Purdue Healthcare Advisors.
The recent large-scale data security breaches experienced by major retailers Target Corp. and Neiman Marcus provide opportunities for learning across industries. These data breaches are painful for the companies, shareholders and, certainly, for the consumers victimized by subsequent fraudulent transactions on their financial accounts.
But once the dust settles, will these 110 million consumers suffer long-term damage to their privacy and financial security? I would argue no. Surprised? I say this because most of the attributes compromised in the Target and Neiman Marcus data breaches are short-lived items. By “short-lived,” I mean bits of information that can be changed or replaced by the consumer.
For instance, charge card numbers can be changed and accounts closed; debit card PINs can (and should) be changed; lost funds can be reimbursed; and credit scores reinstated. Now I don’t want to imply that this cleanup is easy, quick or inexpensive to do. It’s not. But looking three to five years into the future, these data breaches—just as the T.J. Maxx breach in 2007—will have little-to-no lasting effect on those compromised.
For the healthcare industry, a data breach is a quite different. A patient’s social security number (contained many times within healthcare records), medical history, psychiatric notes and sexual preference are not considered attributes that are “short-lived.” While a social security number can be changed, it’s a difficult and time-consuming process. The other data contained in a healthcare record is very sensitive, private, and cannot be re-written, as it is there to guide physicians in providing optimum care. Once sensitive electronic patient health information (ePHI) is lost, stolen or leaked to the Internet, it can spread faster than the best Facebook gossip and be cached, indexed and copied to a seemingly endless number of devices.