Why Healthcare Organizations Are Soft Targets For Hackers

Mar 24, 2022 | Penetration Testing, Research, Stories, Tools

It’s an almost daily occurrence now when we hear about another organization getting hacked. It seems to be an onslaught of successful cyber attacks that severely disrupt companies in pretty much every industry out there with many of these companies paying large fees and fines to repair the damage. While all industries seem to be under attack, there is one industry that is getting beaten up more than the others and that is the healthcare industry.

The healthcare industry, which is the second largest industry in the US, not only gets hit the most, but it pays the most for breaches: breach costs average $408 per record. That’s the highest of any industry (for the eighth straight year) and nearly three times higher than the cross-industry average of $148 per record. In total, the cost of breaches adds up to $6 billion a year with an average economic impact of $2,134,800 per organization. Not only is the cost for healthcare organizations high, but for some attacks the effects can be outright deadly. For example, MedStar Health, a huge Maryland-based healthcare system, was severely incapacitated by a ransomware attack that made national headlines when, among other things, it threatened lives. Compromised through a well-known security vulnerability (a vulnerable JBoss application server), MedStar Health was not only forced to shut down its email and vast records database, but it was unable to provide radiation treatment to cancer patients for days.

So why is healthcare the go-to target for attackers?

PROFITABLE DATA FOR THE ATTACKER

For an attacker, the attractiveness of healthcare, especially in the payout from stolen data, is much higher than in other industries. For example, a single stolen credit card number yields an average profit of $2,000, while a Protected Health Information (PHI) record can yield up to $20,000 in profit for the attacker. Why the huge difference? A healthcare data breach can take weeks, months, sometimes years to be discovered, which gives cybercriminals time to extract much more valuable data. Moreover, because healthcare data can contain Social Security numbers and dates of birth, which are difficult or impossible to change, an attacker can take advantage of your personal information for a longer period of time.

LACK OF IT TRAINING AND BUDGET

Another reason the healthcare industry is popular among cyber attackers is that IT security at many healthcare organizations lacks the funding needed to protect them. For most healthcare organizations, the funding given to security was around 3.3 percent of their IT budgets. This doesn’t even account for the lack of funding the IT department itself might be receiving. By comparison, banking and financial services companies spent 7.3 percent, retail and wholesale spent 6.1 percent, and insurance spent 5.7 percent. Across 13 industries measured, the average was 6 percent. To give an idea of where those numbers should be, the SANS Institute (the largest provider of cybersecurity training and certs) recommends that organizations spend at least 10% of their IT budget on security.

For most healthcare organizations, security is typically an afterthought. They don’t provide regular security training for their employees, such as social engineering assessments or classes on social engineering, which could help reduce insider threats. Additionally, some personnel don’t take security as seriously as they should. For example, 18% of healthcare employees say they’re willing to sell their login credentials for between $500 and $1,000. And about one-quarter of healthcare employees know someone in their organization who has engaged in this practice.

To address cybersecurity vulnerabilities related to employees, it’s important to note that while training is critical, it won’t magically protect PHI data. Sometimes all it takes to steal data is to walk around a hospital and find it lying around. If you go to a hospital with a decent cybersecurity training program, you will still see some employees leaving their computers unlocked, leaving sticky notes with passwords under the keyboard or attached to the monitor, or leaving sensitive medical documents out on desks. This is why it is important to couple regular cybersecurity training with practical pentesting-style assessments or, at a minimum, walkthroughs to ensure employees are practicing good security hygiene.

HIGHLY CONNECTED SYSTEMS

Think of all the equipment a hospital has and how many vendors support it. When you look at a hospital’s network, you might be shocked at how much data is being transmitted to outside companies such as other hospitals, health insurance companies, doctors, billers, and vendors. This data could be metadata, electronic patient data, data related to hospital equipment, and so on.

If you ask a network engineer at a hospital which ports are allowed outbound, or which egress ports are strictly needed for business functions, you will probably get a blank stare due to the overwhelming amount of equipment that communicates over varying ports. Having this much data traverse the Internet and cloud services makes the hospital an easy target, because attackers now have a larger target footprint to work with.
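The blank-stare problem above has an empirical answer: aggregate outbound flow records by destination port and compare the result with the list of ports that have a documented business reason and an owner. The script below is an added example written for this article, not the author’s tooling; the flow records and the allow-list are constructed sample data, and the internal ranges are the RFC 1918 networks. Anything Internet-bound that is not on the allow-list becomes a candidate for blocking or for a follow-up with the device owner.

```python
"""Egress port review from outbound flow records (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges; traffic staying inside them is a segmentation question, not egress.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample flows: (src_ip, dst_ip, proto, dst_port, bytes)
FLOWS = [
    ("10.10.5.21", "52.0.0.10", "tcp", 443, 120000),      # workstation to web
    ("10.10.5.22", "52.0.0.11", "tcp", 443, 98000),
    ("10.20.1.7", "203.0.113.9", "tcp", 22, 4400),        # imaging device, vendor SSH
    ("10.20.1.8", "203.0.113.9", "tcp", 22, 5100),
    ("10.10.5.23", "198.51.100.5", "tcp", 8443, 22000),   # billing portal
    ("10.30.2.4", "198.51.100.77", "udp", 53, 300),       # DNS to an external resolver
    ("10.30.2.4", "203.0.113.200", "tcp", 445, 7000),     # SMB leaving the network
    ("10.10.5.21", "10.10.9.5", "tcp", 445, 50000),       # internal file share (skipped)
]

# Constructed allow-list: ports with a documented business reason and an owner.
ALLOWLIST = {
    ("tcp", 443): "HTTPS, general web, IT",
    ("tcp", 8443): "Billing vendor portal, Revenue Cycle",
    ("tcp", 22): "Imaging vendor remote maintenance, Biomed",
}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def summarize_egress(flows):
    """Aggregate Internet-bound flows by (proto, dst_port).

    Returns {(proto, port): {"flows": n, "bytes": b, "sources": {src, ...}}}.
    Flows that do not start inside or that end inside the internal ranges are skipped.
    """
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0, "sources": set()})
    for src, dst, proto, port, nbytes in flows:
        if not is_internal(src) or is_internal(dst):
            continue
        entry = summary[(proto, port)]
        entry["flows"] += 1
        entry["bytes"] += nbytes
        entry["sources"].add(src)
    return dict(summary)


def find_unjustified(flows, allowlist):
    """Return egress (proto, port) pairs with no documented justification,
    largest byte volume first, each with the hosts that generated them."""
    findings = []
    for (proto, port), entry in summarize_egress(flows).items():
        if (proto, port) in allowlist:
            continue
        findings.append({"proto": proto, "port": port, "flows": entry["flows"],
                         "bytes": entry["bytes"], "sources": sorted(entry["sources"])})
    findings.sort(key=lambda f: f["bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_unjustified(FLOWS, ALLOWLIST):
        print(f"{f['proto']}/{f['port']}: {f['flows']} flows, {f['bytes']} bytes, "
              f"from {', '.join(f['sources'])}")
```

Run against real NetFlow or firewall logs, the same two functions give you the list the network engineer could not produce from memory, and the sorted output puts the highest-volume unexplained port (here, SMB to the Internet) at the top of the conversation with the device owner.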

Aside from the large amounts of traffic leaving and entering the hospital, the medical equipment inside a hospital is largely untested for security vulnerabilities, and many times it can’t even be updated without breaking the equipment. When a sysadmin calls the manufacturer and asks about a newer firmware version that fixes a particular security issue, the manufacturer usually states there isn’t any new firmware version and they aren’t going to make one unless it provides new functionality that could make them money (actual answer I got once).

So, while a systems administrator might do an excellent job updating servers and user computers, you will still find situations where specific servers can’t be updated with critical security patches or they are running on an obsolete operating system such as Windows Server 2003, Windows Server 2000, or Windows XP. Patching in healthcare environments, especially acute care facilities, can be challenging and may require devices to remain online and available. Some healthcare devices cannot be patched and may require vendor approval or need manual implementation by remote maintenance personnel.

If we now add an attacker into the mix who has successfully social-engineered an employee or exploited an external system to gain internal access, it’s easy to see how they can gain privileged access to all the systems in little time.

VULNERABLE PROTOCOLS ARE LEAVING A DOOR OPEN

Eighty-five percent of devices on medical networks running Windows had the Server Message Block (SMB) protocol turned on, allowing attackers uncontrolled access to get beyond the perimeter and move laterally. Device manufacturers sometimes leave network ports open by default – often unbeknownst to IT and security staff.

FIGHTING BACK

What can the healthcare industry do to mitigate cyber threats? Aside from acquiring tools such as data loss prevention, user behavior analytics, and endpoint security technologies, the industry should be aware that cybersecurity isn’t just the responsibility of the IT department. In other words, everyone should be aware of the risks, from management down to brand-new contract staff.

Healthcare security professionals need to understand the threats they face and the regulations they must comply with, and they must be provided with best practices for strengthening cybersecurity defenses. This means implementing comprehensive security awareness training that educates all personnel on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in case of an active exploit. And since the threat landscape is constantly changing, training should be repeated and updated on a regular basis.

Additionally, healthcare organizations should get regular penetration testing done, and more importantly, fix the issues that were found. With penetration testing and having qualified consultants who know the challenges and landscape of the healthcare industry, you stand to know where your security gaps are along with a roadmap to follow to strengthen your organization. If you are an IT Director or someone who answers to executive level personnel, a pentest report might also be excellent ammo to convince the right people that you need the right funding. If you are worried about security audits and HIPAA regulations, then remember that security compliance is a by-product of good security.

Other recommendations on how organizations can develop and implement an enterprise-wide security and risk-management strategy include the following:

  • Enabling agentless discovery of all devices. Although devices with software agents make it easier for security and IT management to communicate with devices and monitor their activity, most medical devices do not support agents. Agentless detection of all IP-connected devices across the extended network is critical.
  • Identifying and auto-classifying devices. It’s not sufficient to simply detect a device’s IP address. Rapid and granular auto-classification is essential for extracting contextual insights from each device on the network and determining its purpose, owner and security posture. This information must feed into a real-time asset inventory to drive access control policies and help security teams quickly respond to targeted attacks on specific operating systems or devices.
  • Continuously monitoring devices. Medical devices must be continuously monitored to detect any change in device posture. A point-in-time analysis can result in a set-it-and-forget-it mentality whereby compliance fatigue sets in and risk propagates. Nonstop network monitoring using passive and/or active techniques provides security teams with real-time situational awareness to continuously track asset information and behavior while increasing the efficiency of security teams.
  • Enforcing segmentation. Network segmentation is a known best practice, but it isn’t easy to manage or enforce throughout the network. High-risk devices such as known-to-be-vulnerable legacy systems should be segmented to contain a potential breach and limit risk.
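The three recommendations above (auto-classification, continuous monitoring, segmentation) and the earlier point about SMB being left enabled on most medical-network Windows devices can be turned into a concrete check. The script below is an added example written for this article, not the author’s or any vendor’s tooling. It takes an inventory in the shape an agentless scanner or passive monitor might produce, assigns each device a coarse role from what such a scan can see, flags the risky combinations the article describes (SMB reachable on a medical device, an end-of-life Windows version, a medical device sharing a VLAN with user workstations), and proposes a per-vendor segment for the medical devices. The inventory records, vendor names and VLAN numbers are constructed; the only real-world values are the Windows versions the article names and DICOM’s default port 104.

```python
"""Agentless inventory assessment for SMB exposure and segmentation (added example, constructed data)."""
from collections import defaultdict

# Windows versions the article names as obsolete, plus Windows 7, also past end of support.
EOL_OS = {"Windows XP", "Windows Server 2000", "Windows Server 2003", "Windows 7"}

# Constructed inventory. "ports" are TCP ports observed open by the scanner.
INVENTORY = [
    {"ip": "10.10.5.21", "vlan": 10, "os": "Windows 10", "vendor": "Dell", "ports": [135, 445, 3389]},
    {"ip": "10.10.5.22", "vlan": 10, "os": "Windows 10", "vendor": "HP", "ports": [135, 445]},
    {"ip": "10.10.5.40", "vlan": 10, "os": "Windows XP", "vendor": "ExampleImaging", "ports": [445, 104]},
    {"ip": "10.20.1.7", "vlan": 20, "os": "Windows Server 2003", "vendor": "ExampleImaging", "ports": [445, 104]},
    {"ip": "10.20.1.9", "vlan": 20, "os": "Linux", "vendor": "ExamplePumps", "ports": [80, 443]},
    {"ip": "10.10.9.5", "vlan": 10, "os": "Windows Server 2019", "vendor": "Dell", "ports": [445, 139]},
]

MEDICAL_VENDORS = {"ExampleImaging", "ExamplePumps"}  # constructed vendor names
MEDICAL_PORTS = {104}  # DICOM (medical image transfer) listens on TCP 104 by default


def classify(device):
    """Assign a coarse role from attributes an agentless scan can observe."""
    if device["vendor"] in MEDICAL_VENDORS or MEDICAL_PORTS & set(device["ports"]):
        return "medical_device"
    if device["os"].startswith("Windows Server"):
        return "server"
    if 3389 in device["ports"] or device["os"].startswith("Windows"):
        return "workstation"
    return "other"


def assess(inventory):
    """Return (ip, finding) tuples for the risky combinations the article describes."""
    roles = {d["ip"]: classify(d) for d in inventory}
    roles_per_vlan = defaultdict(set)
    for d in inventory:
        roles_per_vlan[d["vlan"]].add(roles[d["ip"]])

    findings = []
    for d in inventory:
        role = roles[d["ip"]]
        if role == "medical_device" and 445 in d["ports"]:
            findings.append((d["ip"], "SMB reachable on a medical device"))
        if d["os"] in EOL_OS:
            findings.append((d["ip"], f"end-of-life OS ({d['os']})"))
        if role == "medical_device" and "workstation" in roles_per_vlan[d["vlan"]]:
            findings.append((d["ip"], f"medical device shares VLAN {d['vlan']} with workstations"))
    return findings


def segmentation_plan(inventory):
    """Group medical devices by vendor so each vendor gets its own proposed segment;
    a vendor's remote maintenance path, or a compromise of one device, then reaches
    only that vendor's equipment."""
    plan = defaultdict(list)
    for d in inventory:
        if classify(d) == "medical_device":
            plan[f"med-{d['vendor'].lower()}"].append(d["ip"])
    return dict(plan)


if __name__ == "__main__":
    for ip, finding in assess(INVENTORY):
        print(f"{ip}: {finding}")
    for segment, members in segmentation_plan(INVENTORY).items():
        print(f"proposed segment {segment}: {', '.join(members)}")
```

Re-running `assess` on each fresh inventory snapshot, rather than once, is what turns the point-in-time analysis the article warns against into continuous monitoring: a device that newly shows port 445, or that moves into a workstation VLAN, surfaces as a new finding on the next run.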

We know that reaching 100% security against cyberattacks won’t happen but with a few steps in the right direction and having a proactive mentality, healthcare organizations can make sure that it’s too complex and unprofitable for malicious actors to attack them – forcing them to move on to other targets.

Author: Jason Zaffuto
