Recently, hacking group Cozy Bear attempted to steal COVID-19 vaccine research from multiple organizations in Canada, the United States, and the United Kingdom. The hackers, reportedly under the employ of the Russian government, scanned targets for network vulnerabilities in an effort to infect them with network tracking and file exfiltration malware. This is not the first time research into the novel coronavirus has been a target and it is unlikely to be the last.
On some level, this news is unsurprising, as healthcare has always been an attractive target for cybercriminals.
Patient data is a valuable commodity on the black market, often containing everything one would need to know in order to commit various types of fraud. Access to critical systems can be a literal case of life and death, and these systems are often so interconnected that an attack may spread like wildfire. Finally, many healthcare agencies lack the time and resources to prioritize cybersecurity to the degree that they should.
Yet this is also a unique situation. We are currently in the midst of a global pandemic, a period of heightened sensitivity and unprecedented digitization. People in all industries are exhausted and anxious, a combination which makes them particularly susceptible to mistakes.
Moreover, vaccine research is a priority for governments across the world. Each seeks to lessen the virus’s impact on their citizenry and economy, with many employing state-sponsored actors to give themselves a leg up. Rank-and-file criminals, meanwhile, are also perfectly willing to exploit the situation for their own gain.
At all levels, phishing campaigns remain the number one attack vector. There’s no need to waste effort trying to break through an organization’s defenses if one can simply trick an employee into granting access. Agencies researching the COVID-19 vaccine are particularly susceptible to targeted phishing attacks due to the collaborative nature of their work.
Modern technology can be seen as a blessing and a curse, especially when it comes to the technology used in healthcare. Some of the medical technological advancements seen today are astonishing. They are there to improve our quality of life and to make us live longer, healthier lives, but everything good comes with risks. The technology we deal with today is rapidly developing and as it does, new threats are being presented to both doctors and hospitals. Today, we will be taking a look at six technologies currently being developed that could potentially become hazardous in the field of medical technology.
As we become more and more reliant on electronic medical records, the susceptibility of a hospital suffering a cyberattack or struggling because of a network failure is continuing to increase. To reduce the risk of this happening, all hospitals will need to have an extremely complex network security system that is resistant to hackers. They also need to make sure they have back-up files in case they have to deal with network failure.
Telemedicine is the practice of remote patient care, so the patient and the provider won’t be physically present with each other. This modern technology has been developed to enable consultations with patients over easy and robust telemedicine software. Although this is convenient, it may create challenges when trying to ensure the quality of care. If things go wrong, then a lawsuit could be filed for medical negligence. In these cases, a Miami medical malpractice attorney should be contacted.
Recently, there has been a huge development in medical device technology and there is a wide range of medical devices on the market. These wearable sensors are constantly transmitting a vast amount of health information to doctors. This has already been proven to increase the expectations of patients because they believe doctors are constantly monitoring and will act upon this.
For decades now, hackers have been cashing in on financial data. The routine has been constant. A hacker finds their way into a site, steals financial information belonging to the site’s visitors then uses their personal information to create fake credit cards. These are then used to steal money from unsuspecting individuals. However, this trend hit a snag once financial institutions found ways of stopping such activities. This was frustrating to these intruders considering that most times, their efforts were rendered futile after the cards they made are blocked.
These people then discovered a new cash cow that allows them to reap money from insurance companies. Typically, hackers get as little as $1 for one credit card, which is a meager payment for such a dangerous job. However, healthcare information pays well in that they create counterfeit health insurance cards, then make cash claims in fabricated hospitals. Considering that the demand for this data is high, healthcare data attacks have been on the rise, targeting several hospitals, and they have managed to affect over 11 million people.
How do you keep your data safe from these online breaches?
With such high stakes, each hospital needs to come up with security measures that ensure their data is always safe. Look at some of the possible ways you can secure your information.
Asses the risks
You cannot solve a problem if you are not aware that it even exists in the first place. Check for loopholes that leave your hospital vulnerable to these attacks. For instance, a hospital with few employees leaves specific sectors such as the IT section unmanned, which makes them susceptible to being attacked. You must approach this by looking at the most sensitive areas of a company and find out the consequences that you may face if your data is stolen.
Appraise all agreement with business partners, vendors and client every year
Know the type of information that the people and entities you interact with access. Learn what your contract entails and review the speculations regularly. Long before new laws were formed, third-party companies never had any agreements with any of their partners. Whenever they got a hold of information, it was up to them to know what they wanted to do with such intel. In this era, such loopholes can lead to massive scandals, which is why you need to evaluate every past action and put stringent measures to ensure anyone who encounters sensitive information knows the implications of going against the agreement. Do not give a lot of authority to vendors and ensure that they sign privacy policies that bar them from sharing or using private data.
Summarizing the outcomes of 2018, the experts noted an increase in the share of targeted attacks that grew throughout the year reaching 62 percent in Q4. By and large, targeted attacks became the favorite method of attackers (55 percent) in 2018, unlike the previous year.
The number of attacks aimed at data theft keeps growing. A statistical analysis of 2018 showed that attacker interest was mainly focused on personal data (30 percent), credentials (24 percent), and payment card information (14 percent).
In 2018, healthcare institutions in the U.S. and Europe were at the center of attention from hackers, receiving more attacks than even banks and finance. In addition to stealing medical information, hackers also demanded ransom for restoring the operability of computer systems. Hospitals were ready to pay hackers, patient lives being at stake. According to experts, attackers got hold of personal data and medical information of more than 6 million people.
DDoS attacks became more powerful. Thus, 2018 was marked by the two biggest DDoS attacks in history, reaching 1.35 and 1.7 terabits per second. IT companies were the second-most common target of DDoS attacks, after government institutions. Hackers disrupted the operations of internet service providers and game companies, which are particularly sensitive to downtime and equipment disruption.
In 2018, malware was used in 56 percent of attacks. Such popularity is caused by the fact that malicious software is becoming more and more available each year, which reduces the barrier to entry for cybercriminals. Attackers mostly used spyware and remote administration malware to collect sensitive information or gain a foothold on systems during targeted attacks.
It has become clear in the last few years that when it comes to cybercrime, hackers are not fussy about which organization or sector they focus on – if there’s profit to be made, anyone is a potential target.
However, there are of course institutions which will always be of particular desirability to cybercriminals. Financial institutions, banks and retail are among the most targeted because the goal of most cyberattacks is financial gain, and organizations in these industries are the most lucrative targets for cybercriminals. The healthcare sector is also heavily targeted because of the personal data it holds. This data may be stolen and used for different purposes, including fraud. As a consequence, the focus on healthcare institutions by hackers has ramped up in recent years.
This increased attention on the health sector is due to hackers seeing it as an inexhaustible source of money. On multiple occasions, media reports have described leaks of data from medical centers, followed by a ransom demand sent to clinic management and patients.
There are a number of other ways criminals can monetize attacks on healthcare equipment and applications. These include threatening patient health by altering stored information; using stolen data to fraudulently obtain access to medical care or controlled medications; leveraging personal information on patients and their family members; and sabotaging websites and/or infrastructure on behalf of unscrupulous competitors. Attacking healthcare institutions also allows criminals to resell stolen data to third parties such as insurance companies, healthcare providers, banks, and others, who can use this valuable information for a number of purposes (such as advertising, research, or even discrimination based on pre-existing conditions).
One such specific way that criminals can carry out attacks is by exploiting advancements in health technology and equipment in recent years. We’ve seen an increasing number of medical devices such as pacemakers, drug pumps (like insulin infusion devices), implantable defibrillators, and other devices implementing wireless connectivity for doctors to control and fine-tune their work and update firmware. This makes these devices potentially incredibly dangerous for patients. A criminal could research and reverse communication protocols and exploit vulnerabilities in a simple piece of software used in those tiny devices, for example changing the heart rate controlled by pacemakers, injecting incorrect doses of drugs or even making them show the wrong data — leading doctors to the wrong conclusions and causing them to make mistakes in their treatment.
Zingbox, provider of healthcare Internet of Things (IoT) analytics platform, announced new research demonstrating that hackers are leveraging error messages from connected medical devices — including radiology, X-ray and other imaging systems — to gain valuable insights. These insights are then used to refine the attacks, increasing the chance of successful hack.
“Hackers are finding new and creative ways to target connected medical devices. We have to be in front of these trends and vulnerabilities before they can cause real harm,” said Xu Zou, Zingbox CEO and co-founder. “We make it our mission to assist and collaborate with device manufacturers to ensure the security and uninterrupted service of connected medical devices.”
Information gathering phase of a typical cyberattack is very time intensive phase where hackers learn as much as they can about the target network and devices. By simply monitoring the network traffic for common error messages, hackers can gain valuable insight into the inner workings of a device’s application; the type of web server, framework and versions used; the manufacturer that developed it; the database engine in the back end; the protocols used; and even the line of code that is causing the error. Hackers can also target specific devices to induce error messages. With this information, the information gathering phase is greatly shortened and they can quickly customize their attack to be tailored to the target device.
Zingbox’s research discovered that:
Information shared as part of common error messages can be leveraged by hackers to compromise target connected devices.
Hackers can “trick” or induce medical devices into sharing detailed information about the device’s inner workings.
Leveraging this information quickens a hacker’s access to a hospital’s network.
“Imagine how much more effective hackers can be if they find out that a device is running on IIS Web Server, using Oracle as backend and even gathering usernames,” said Daniel Regalado, principal security researcher at Zingbox and co-author of Gray Hat Hacking. “That will help them to focus their attack vectors towards the database where PHI data might be stored.”
The research also revealed that the healthcare industry has made great strides in collaborating across providers, vendors and manufacturers: there was rapid response and a willingness to generate patches for their medical devices from three out of seven manufacturers whose devices were included in the study. However, there is still work to be done to bring the urgency of these findings as well as increased collaboration between security vendors and device manufacturers.
Guest post by Donald Voltz,MD, Aultman Hospital, Department of Anesthesiology, Medical Director of the Main Operating Room, Assistant Professor of Anesthesiology, Case Western Reserve University and Northeast Ohio Medical University.
As Halloween approaches, the usual spate of horror movies will intrigue audiences across the US, replete with slashers named Jason or Freddie running amuck in the corridors of all too easily accessible hospitals. They grab a hospital gown and the zombies fit right in. While this is just a movie you can turn off, the real horror of patient data theft can follow you.
(I know how terrible this type of crime can be. I myself have been the victim of a data theft by hackers who stole my deceased father’s medical files, running up more than $300,000 in false charges. I am still disputing on-going bills that have been accruing for the last 15 years).
Unfortunately, this horror movie scenario is similar to how data thefts often occur at medical facilities. In 2015, the healthcare industry was one of the top three hardest hit industries with serious data breaches and major attacks, along with government and manufacturers. Packed with a wealth of exploitable information such as credit card data, email addresses, Social Security numbers, employment information and medical history records, much of which will remain valid for years, if not decades and fetch a high price on the black market.
Who Are The Hackers?
It is commonly believed attacks are from outside intruders looking to steal valuable patient data and 45 percent of the hacks are external. However, “phantom” hackers are also often your colleagues, employees and business associates who are unwittingly careless in the use of passwords or lured by phishing schemes that open the door for data thieves. Not only is data stolen, but privacy violations are insidious.
The problem is not only high-tech, but also low-tech, requiring that providers across the continuum simply become smarter about data protection and privacy issues. Medical facilities are finding they must teach doctors and nurses not to click on suspicious links.
To thwart accidental and purposeful hackers, organizations should implement physical security procedures to secure network hardware and storage media through measures like maintaining a visitor log and installing security cameras. Also limiting physical access to server rooms and restricting the ability to remove devices from secure areas. Yes, humans are the weakest link.
Medical data theft is a growing national nightmare. IDC’s Health Insights group predicts that one in three healthcare recipients will be the victim of a medical data breach in 2016. Other surveys found that in the last two years, 89 percent of healthcare organizations reported at least one data breach, with 79 percent reporting two or more breaches. The most commonly compromised data are medical records, followed by billing and insurance records. The average cost of a healthcare data breach is about $2.2 million.
At health insurer Anthem, Inc., foreign hackers stole up to 80 million records using social engineering to dig their way into the company’s network using the credentials of five tech workers. The hackers stole names, Social Security numbers and other sensitive information, but were thwarted when an Anthem computer system administrator discovered outsiders were using his own security credentials to log into the company system and to hack databases.
Investigators believe the hackers somehow compromised the tech worker’s security through a phishing scheme that tricked the employee into unknowingly revealing a password or downloading malicious software. Using this login information, they were able to access the company’s database and steal files.
Healthcare Hacks Spread Hospital Mayhem in Diabolical Ways
Not only is current patient data security an issue, but thieves can also drain the electronic economic blood from hospitals’ jugular vein—its IT systems. Hospitals increasingly rely on cloud delivery of big enterprise data from start-ups like iCare that can predict epidemics, cure disease, and avoid preventable deaths. They also add Personal Health Record apps to the system from fitness apps like FitBit and Jawbone.
Banner Health, operating 29 hospitals in Arizona, had to notify millions of individuals that their data was exposed. The breach began when hackers gained access to payment card processing systems at some of its food and beverage outlets. That apparently also opened the door to the attackers accessing a variety of healthcare-related information.
Because Banner Health says its breach began with an attack on payment systems, it differentiates from other recent hacker breaches. While payment system attacks have plagued the retail sector, they are almost unheard of by healthcare entities.
Guest post by Santosh Varughese, president, Cognetyx.
The U.S. healthcare industry is under siege from cyber criminals who are determined to access patient and employee data. Information security think tank Ponemon Institute’s most recent report on healthcare cyber security, published in May 2016, revealed some sobering statistics:
In the past two years, 89 percent of healthcare organizations – and 60 percent of their business associates (or BAs) – experienced at least one data breach, with 79 percent experiencing two or more breaches. The most commonly compromised data are medical records, followed by billing and insurance records. These breaches have not declined since Ponemon began tracking them in 2010.
The average cost of a healthcare data breach is about $2.2 million.
Criminal attacks, from outside the organization or from malicious insiders, account for half of all healthcare data breaches, the other half being due to mistakes by employees or BAs.
The majority of respondents (69 percent of healthcare organizations and 63 percent of BAs) feel that the healthcare industry is at greater risk of breaches than other industries. Despite these concerns, the majority of respondents reported that their organizations had either decreased their cyber security budgets or kept them the same.
Another study conducted in April by IBM, found similar problems, as well as insufficient employee training on cybersecurity best practices and a lack of commitment to information security from executive management.
With only about 10 percent of healthcare organizations not having experienced a data breach, hackers are clearly winning the healthcare data security war. However, there are proactive steps that the healthcare industry can take to turn the tide in its favor.
Data Security Starts with a Culture of Security Awareness
Both the IBM and Ponemon studies highlight an issue that experts have been talking about for some time: despite increasing dangers to information security, many healthcare organizations simply do not take cybersecurity seriously. Digital technologies are relatively new to the healthcare industry, which was very slow to adopt electronic records and when it finally did so, it implemented them rapidly without providing employees adequate training on information security procedures.
Unfortunately many front-line employees feel their only job is to treat patients and that information security is “the IT department’s problem.” These employees fail to grasp the importance of data security, and are not educated on the dangers of patient data breaches, reflected in Ponemon’s findings that employee mistakes account for half of all healthcare data breaches.
The healthcare industry needs to adjust this attitude toward cybersecurity and implement a comprehensive and ongoing information security training program, and cultivate a culture of security awareness. Information security should be included in every organization’s core values, right beside patient care. Employees should be taught that data security is part of everyone’s job, and all supervisors – from the C-suite down to the front line – should model data security best practices.
Additionally, organizations should implement physical security procedures to secure network hardware and storage media (such as flash drives and portable hard drives) through measures like maintaining a visitor log and installing security cameras, limiting physical access to server rooms, and restricting the ability to remove devices from secure area. Continue Reading
A stolen credit card record can be sold for as low as a quarter while a medical record can be sold for $50. Why is that? When a credit card is stolen, the owner is able to cancel it as soon as he/she notices fraudulent activity and then they are also able to dispute the charges. But think about a medical record – changing your Social Security number, birth date, home address and medical history isn’t that simple, even impossible.
The problem becomes much bigger than just financial identity theft. Think about what would happen to a person whose medical record is stolen and being used to obtain free healthcare and subscriptions. Then think about the customer going in for an emergency with the wrong records on file and getting the wrong blood transfusion.
Protecting patients’ medical records should be every hospital’s and physician’s office’s concern. But with many issues in the healthcare industry vying for attention, security may fall through the cracks.
Keystroke logger malware was recently discovered on Muhlenberg Community Hospital computers in Kentucky—but it could have gone undetected for nearly four years. Potentially compromised data includes patient names, addresses, telephone numbers, dates of birth, Social Security numbers, driver’s license/state identification numbers, health plan information, financial account numbers, payment card information and employment information.
Though there’s currently no evidence the information has been used maliciously, it’s just another reminder that medical information is an intriguing target for hackers. Netsurion, a provider of remotely-managed data and network security services for multi-location business, just released this infographic on the value of a medical record. It’s insightful.
Guest post by Joseph Schorr, director of advanced security solutions, Bomgar.
Moving into 2016, healthcare organizations will continue to be one of the most attractive targets for hackers. Last year, attacks against healthcare organizations were up 125 percent from 2010 and cost the industry $6 billion, according to the Ponemon Institute.
As illustrated in the Anthem and Excellus Blue Cross Blue Shield data breaches, hackers are moving beyond phishing attacks and random malware drops, and adopting methods that are more sophisticated. By leveraging third-party access and privileged account credentials (such as those held by IT security professionals, IT managers and database administrators) to exploit IT systems, hackers can gain an unrestricted and unmonitored attack foothold on the network. Once they have this foothold, they are remaining inside the victim’s environment for an incredible span of time – on average more than 200 days.
With this trend continuing, healthcare organizations can expect to see an uptick in these types of attacks within the industry. To combat this rise, healthcare organizations will need to focus on shoring up IT security around vendors and other third parties in the year ahead. The following are areas where they can concentrate attention to aid in this effort:
Reevaluate the legacy
In particular, third parties such as vendors are particularly juicy targets because they often use VPN and other legacy access methods to access systems. Examining and implementing more secure, sophisticated remote access and privileged access solutions is a good place to start strengthening IT security for the new year.
It’s a common misconception that a VPN guide is a secure way to provide third-party vendors with network access. The problem lies in that an organization cannot ensure that third-party vendors’ security policies and practices are as strenuous as internal practices. If a criminal compromises a valid VPN connection, they have an open tunnel to an organization’s network and the sensitive data within.
Be in control
For too many healthcare organizations, vendors have more access than they need or their access can’t be monitored or restricted. It’s a scary question: Does your IT department know who their privileged users are and what level of IT permissions they have? If not, taking stock of those users, the systems to which they need access, and when they must access them is a critical undertaking for 2016. Following that, the organization can set access parameters that allow those privileged users to be productive and gain access to tools, data and systems they need to do their jobs, while limiting risk. Proactively controlling and monitoring access to critical systems can help tighten IT security within healthcare organizations.