Healthcare institutions are attractive cyber targets not just because of the potentially lucrative data they maintain, but also because of the inherent infrastructure risks and privacy constraints they operate under.
The technology infrastructure supporting the healthcare community tends to consist of older legacy systems. For example, market research suggests 20% of healthcare organizations in the US and UK still run on Windows XP. Often these systems do not receive security updates with the same level of care and frequency as modern infrastructure.
This is concerning because, in 2017, we increasingly observed bad actors performing new tricks with older tools, some of which have been around for nearly 20 years.
Yet there’s another challenge facing security shops in healthcare environments when it comes to security software. These organizations must protect networks and do so in a manner that does not place personally identifiable information (PII) at risk.
In security, this means casting a wary glance at technology tools that need to ship data to another platform to perform analysis – as opposed to those that can perform the analysis inline on the network.
We examine these two problems in greater detail in a new solution datasheet Bricata recently published for security professionals in healthcare organizations. It’s also against that backdrop that we offer this additional perspective on three emerging cybersecurity trends.
1) Room for improvement on health care security fundamentals.
A preliminary analysis of available data by the HIPAA Journal found mixed results for the year ending in 2017. While the number of records exposed and individuals affected by health care security incidents fell, the volume of breaches rose.
The publication reported 342 healthcare security breaches are currently listed on a breach portal maintained by the U.S. Department of Health & Human Services for 2017. That total has continued to rise over the last three years with 270 reported in 2015 and 327 reported in 2016.
The analysis suggests some, and perhaps many, of these breaches could be prevented in 2018 by improving basic processes, including awareness training, controlling access to privileged information and managing newly disclosed vulnerabilities.
For example, a contributing factor was a rise in ransomware attacks exploiting newly discovered server vulnerabilities. “Many healthcare data breaches in 2017 could have been prevented had patches been applied promptly,” according to the assessment.
Yet health care organizations tend to have complex IT environments, and operations staff prefer to test new vulnerability patches before implementing them to ensure a patch doesn’t cause another problem. We saw this with the rush to patch hardware vulnerabilities in the wake of the Meltdown and Spectre disclosures.
Certainly, improving the collaboration between change management and security would improve the process, but standalone network intrusion detection monitoring can buy time to carefully shepherd a patch through the change management process without rushing it.
This is because it’s generally faster to write a detection rule than it is to develop exploitative malware. For example, a detection rule for the vulnerability at the center of the Equifax breach was published a day after the vulnerability was announced.
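The compensating control described above, a detection rule that watches for attempts against a known-unpatched service while the patch works through change management, is illustrated here as an added example; this is not Bricata's code or a rule from the post. The log lines, the `/legacy-admin/` path, the `PLACEHOLDER-CVE` label and the host names are all constructed for the example, and the set of hosts still awaiting a patch is assumed to come from the change-management system in practice.

```python
import re
from dataclasses import dataclass

# Constructed web-proxy log lines (not from the post): src_ip, dst_host, request line, status.
SAMPLE_LOG = [
    '203.0.113.7 ehr-app01 "GET /patient/lookup?id=1234 HTTP/1.1" 200',
    '203.0.113.7 ehr-app01 "POST /legacy-admin/console HTTP/1.1" 200',
    '198.51.100.22 ehr-app02 "GET /legacy-admin/console?debug=1 HTTP/1.1" 403',
    '192.0.2.9 ehr-app01 "GET /static/logo.png HTTP/1.1" 200',
    'this line is malformed and must be skipped',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<dst>\S+) "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})$'
)


@dataclass(frozen=True)
class DetectionRule:
    sid: int            # rule id, in the style IDS rule sets use
    msg: str            # alert text, carrying the tracked vulnerability id
    path_pattern: re.Pattern
    severity: str


# Hypothetical rule: flag any request to the retired /legacy-admin/ console
# while the fix for it is still moving through change management.
RULES = [
    DetectionRule(
        sid=1000001,
        msg="Request to unpatched legacy admin console (PLACEHOLDER-CVE)",
        path_pattern=re.compile(r"^/legacy-admin/"),
        severity="high",
    ),
]

# Hosts whose patch has not yet been deployed (assumed; fed from the CMDB in practice).
PENDING_PATCH = {"ehr-app01"}


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines, rules=RULES, pending=PENDING_PATCH):
    """Run every rule over every parsable line and return the alerts raised."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in rules:
            if rule.path_pattern.search(rec["path"]):
                # A hit on a host still awaiting its patch keeps the rule's severity;
                # a hit on an already-patched host is downgraded to informational, which
                # is how you tell the rule can be retired once the rollout completes.
                priority = rule.severity if rec["dst"] in pending else "info"
                alerts.append({
                    "sid": rule.sid,
                    "src": rec["src"],
                    "dst": rec["dst"],
                    "priority": priority,
                    "msg": rule.msg,
                })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f'[{a["priority"]}] sid={a["sid"]} {a["src"]} -> {a["dst"]}: {a["msg"]}')
```

The point of keying priority to the pending-patch set is that the same rule serves two purposes over the life of the patch: while hosts are unpatched it is the alert that buys the change-management team time, and after they are patched its remaining hits become evidence that the rule is safe to remove.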
2) New strategies for profiting from health care PII.
While many attacks begin by tricking users into opening emails or clicking on links carrying malicious code, the patching challenges above led to new attack techniques. In 2017, hackers were able to gain access to systems without using email to initiate an attack. Once inside, they didn’t steal the data for resale; they simply held it for ransom.
That’s what happened to 1,400 files at Hancock Health, a regional hospital system with 20 facilities in Indiana, according to the Daily Reporter, a local newspaper. The attack exploited an unpatched server vulnerability using SamSam ransomware, which has been used to attack several healthcare organizations.
In the case of Hancock Health, the attack changed the names of the locked files to “I’m sorry.” Healthcare workers were forced to revert to pen and paper in support of treating patients.
The attacker (or attackers) demanded a payment valued at $55,000 be made in virtual currency within seven days. The healthcare organization had backed up the affected files, but restoring them could have taken weeks – and possibly at a greater expense.
While experts generally advise against paying the ransom, the leadership decided making the payment would be easier under the circumstances. Fortunately, the attackers did unlock the files in this incident, but it’s perilous to rely on such people to keep their word.
Even more concerning, now that the attack was financially successful, there’s clear incentive for bad actors to replicate the effort.
3) Fighting a growing healthcare cyber threat with a flat budget.
A 2016 study of health care security by the Ponemon Institute found upwards of 90% of health organizations had experienced a breach in the previous two years. The report found that most breaches are small, involving 500 records or fewer, yet the average cost of a breach in healthcare is $2.2 million.
Overall, Ponemon estimates data breaches cost the healthcare industry $6.2 billion annually. It’s a staggering statistic, especially when the costs are stacked up against the budget for preventing them.
For example, a survey of healthcare IT professionals by Symantec found 65% say their organization invests 6% or less of the IT budget on security. This is about half of the 12-15% of the IT budget other regulated industries spend on security, according to an analysis of the survey.
More specifically, respondents said:
- 36% invest between 0-3% of the IT budget on security;
- 29% invest between 4-6%; and
- 24% invest 7-10%.
In other words, 89% of health organizations invest less on security than benchmarks in other industries – all while the cost and frequency of breaches are rising.
The economics of security are a challenge in every vertical market, but this is especially difficult. It means it is becoming critically important for health care to be smarter about how it invests in people, process and security solutions. The industry has to meet the unique requirements of safeguarding PII while also enhancing the value of the overall technology portfolio.
* * *
Note: If this subject matter is interesting, you won’t want to miss this webinar: Solving the IDPS Challenges in Enterprise Healthcare. The event will feature Steve Swansborough, a senior director of enterprise security portfolio at a Fortune 10 healthcare company.