Almost every day, we hear about another organization getting hacked. It seems to be an onslaught of successful cyber attacks that severely disrupt companies in almost every industry, with many companies paying hefty fees and fines to repair the damage. While all sectors seem to be under attack, the headlines most common in the news are about healthcare data breaches.
The healthcare industry, the second largest in the US, not only gets attacked the most, but it pays the most for breaches where the breach costs an average of $408 per record. That’s the highest of any industry (for the eighth-straight year) and nearly three times higher than the cross-industry average of $148 per record. In total, the cost of breaches adds up to $6 billion a year, with an average economic impact of $2,134,800 per organization. Not only is the price for healthcare organizations high, but the effects can be outright deadly for some attacks. For example, MedStar Health, a vast, Maryland-based healthcare system, was severely incapacitated by a ransomware attack that made national headlines when, among other things, it threatened lives. Compromised by a well-known security vulnerability (vulnerable JBoss application server), MedStar Health was not only forced to shut down its email and vast records database, but it was unable to provide radiation treatment to cancer patients for days.
So why is healthcare the go-to target for attackers?
PROFITABLE DATA FOR THE ATTACKER
For an attacker, the attractiveness of healthcare, especially in the payout of data, is much high than in other industries. For example, a single stolen credit card number yields an average profit of $2,000, while a Protected Health Information (PHI) record can yield up to $20,000 in profit for the attacker. Why the vast difference in numbers? PHI data can take weeks, months, (sometimes years) for the healthcare data breach to be discovered, which enables cybercriminals to extract much more valuable data. Moreover, because healthcare data can contain social security numbers and date of birth, which are difficult or impossible to change, an attacker can take advantage of your personal information for longer.
LACK OF IT TRAINING AND BUDGET
Another reason the healthcare industry is popular among cyber attackers is that IT security for many healthcare organizations lacks the appropriate funding to protect themselves. For most healthcare organizations, the funding given for security was around 3.3 percent of their IT budgets. This doesn’t even account for the lack of funding the IT department might be receiving. By comparison, banking and financial services companies spent 7.3 percent, retail and wholesale spent 6.1 percent, and insurance spent 5.7 percent. Across 13 industries measured, the average was 6 percent. To give an idea of where those numbers should be, the SANS Institute (the largest provider of cybersecurity training and certifications) recommends that organizations spend at least 10% of their IT budget on security.
For most healthcare organizations, security is typically an afterthought. They don’t provide regular security training for their employees, such as social engineering assessments or classes on social engineering, which could help reduce insider threats. Additionally, some personnel doesn’t take security as seriously as it should be. For example, 18% of healthcare employees say they’re willing to sell their login credentials for between $500 and $1,000. And about one-quarter of healthcare employees know someone in their organization who has engaged in this practice.
To address cybersecurity vulnerabilities related to employees, it’s important to note that while training is critical, it won’t magically protect PHI data. Sometimes all it takes to steal data is to walk around a hospital setting to find it lying around. Go to a hospital with a decent cybersecurity training program. Some employees will still be leaving their computers unlocked, leaving sticky notes with passwords under the keyboard or attached to the monitor, or leaving sensitive medical documents on desks. This is why it is essential to a couple of regular cybersecurity training with practical pentesting-style assessments or, at a minimum, walkthroughs to ensure employees are conducting good security hygiene practices.
HIGHLY CONNECTED SYSTEMS
Think of the hospital’s equipment and how many vendors support it. When you look at a hospital’s network, you might be shocked at how much data is being transmitted to outside companies such as hospitals, health insurance companies, doctors, billers, and vendors. This data could be metadata, electronic patient data, or data related to hospital equipment, etc.
If you ask a network engineer at a hospital which ports are allowed outbound or which egress ports are needed strictly for business functions, you will probably get a blank stare due to the overwhelming amount of equipment that communicates over varying ports. This amount of data traversing the Internet/Cloud makes for an easy target as hackers now have a larger target footprint.
Aside from large amounts of traffic leaving and entering the hospital, the medical equipment inside a hospital is mainly untested for security vulnerabilities. It often can’t even be updated as it would break the equipment. When a sysadmin calls the manufacturer and asks about a newer firmware version that fixes a particular security issue, the manufacturer usually states there isn’t any new firmware version. They aren’t going to make one unless it provides new functionality that could make them money (the actual answer I got once).
So, while a systems administrator might do an excellent job updating servers and user computers, you will still find situations where specific servers can’t be updated with critical security patches, or they are running on an obsolete operating system such as Windows Server 2003, Windows Server 2000, or Windows XP. Patching in healthcare environments, primarily acute care facilities, can be challenging and may require devices to remain online and available. Some healthcare devices cannot be patched and may require vendor approval or manual implementation by remote maintenance personnel.
If we now add an attacker into the mix where they successfully social engineered an employee or exploited an external system to gain internal access, it’s easy to see why they can quickly gain privileged access to all the systems in little time.
HEALTHCARE DATA BREACHES – VULNERABLE PROTOCOLS ARE LEAVING A DOOR OPEN
Eighty-five percent of devices on medical networks running Windows OS had Server Block Messaging (SMB) protocol turned on, allowing uncontrolled access for attackers to get beyond the perimeter and move laterally. Device manufacturers sometimes leave network ports open by default – often unbeknownst to IT and security staff.
HEALTHCARE DATA BREACHES – FIGHTING BACK
What can the healthcare industry do to mitigate cyber threats? Aside from acquiring tools such as data loss prevention, user behavior analytics, and endpoint security technologies, the industry should be aware that cybersecurity isn’t just the responsibility of the IT department. Everyone should be mindful of the risks, from management to new contract staff.
Healthcare security professionals need to understand the threats they face and the regulations they must comply with, and they must be provided with best practices for strengthening cybersecurity defenses. This means implementing comprehensive security awareness training that educates all personnel on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in case of an active exploit. And since the threat landscape is constantly changing, training should be repeated and updated regularly.
Additionally, healthcare organizations should get regular penetration testing done and, more importantly, fix the issues. With penetration testing and having qualified consultants who know the challenges and landscape of the healthcare industry, you stand to know where your security gaps are, along with a roadmap to follow to strengthen your organization. If you are an IT Director or someone who answers to executive-level personnel, a pentest report might also be excellent ammo to convince the right people that you need the proper funding. If you are worried about security audits and HIPAA regulations, remember that security compliance is a by-product of good security.
Other recommendations on how organizations can develop and implement enterprise-wide security and risk-management strategy include the following:
- Enabling agentless discovery of all devices. Although devices with software agents make it easier for security and IT management to communicate with systems and monitor their activity, most medical devices do not support agents. Agentless detection of all IP-connected devices across the extended network is critical.
- Identifying and auto-classifying devices. It’s not sufficient to simply detect a device’s IP address. Rapid and granular auto-classification is essential for extracting contextual insights from each device on the network and determining its purpose, owner, and security posture. This information must feed into a real-time asset inventory to drive access control policies and help security teams quickly respond to targeted attacks on specific operating systems or devices.
- Continuously monitoring devices. Medical devices must be constantly monitored to detect any change in device posture. A point-in-time analysis can result in a set-it-and-forget-it mentality whereby compliance fatigue sets in and risk propagates. Nonstop network monitoring using passive and/or active techniques provides security teams with real-time situational awareness to continuously track asset information and behavior while increasing the efficiency of security teams.
- Enforcing segmentation. Network segmentation is a known best practice, but it isn’t easy to manage or enforce throughout the network. High-risk devices such as known-to-be-vulnerable legacy systems should be segmented to contain a potential breach and limit risk.
We know that reaching 100% security against cyberattacks won’t happen but with a few steps in the right direction and having a proactive mentality, healthcare organizations can make sure that it’s too complex and unprofitable for malicious actors to attack them – forcing them to move on to other targets.
Author: Jason Zaffuto