5 Must Have's for Assuring Your Data is Secure


Healthcare Data Security 2015

USA | Hong Kong

The Increasing Frequency of Cyber-Attacks

Did you know that every 60 seconds, 232 computers are infected with malware; that means 7 billion, 316 million, and 352 thousand computers are infected every year?

In addition, there are 416 hacking attempts recorded every minute along with over 500 new websites created and 200 million new emails sent. And, of the 219 million some odd attacks every year, more than 10 million are successful. Might one of these be yours?

Medical records are now worth more than $50 each on the dark web, or 50 times the value of a credit card. The average profit per record is $20,000, compared to just $2,000 for regular identity theft. In addition, medical identity theft has nearly doubled in the last five years, from 1.4 million adult victims to over 2.3 million in 2014. The number of HIPAA violation complaints has also increased geometrically since the HITECH Act; in the last 3 years there have been over 70,000 complaints.

Hospitals and health systems are critical infrastructure targets, and they are absolutely essential to providing the health services that contribute to the proper functioning of a society and its economy.

Why Healthcare?

In the last ten years, these supporting infrastructures have increasingly moved toward electronic medical records and digital technology as a way to gather, store and share patient information. Today's medical care is delivered through a complex network of information technology systems connecting patients, doctors, nurses, pharmacists, technicians, administrators, insurance companies and accountants with electronic health records (EHR). Similar network connections are increasingly extended to medical devices and other IoT (Internet of Things) instruments and appliances as well.

Most of the underlying systems were built with security as an afterthought and are substantially ill-equipped to support the stress brought on by cyber attackers, hackers and threats designed to exploit specific vulnerabilities unique to these healthcare systems.

This contention is supported by an FBI Private Industry Notification published in April of 2014 that characterized the healthcare industry as weaker in resilience to cyber intrusions when compared with the financial and retail sector.

The mandatory January 2015 deadline to transition to EHR, combined with a rapid migration to Internet-connected medical devices, has contributed in large part to that vulnerability. Weak cybersecurity standards, along with the high value of medical information (10-50x more money on the black market than financial information), have caused the FBI to describe the healthcare industry as “a rich new environment for cybercriminals to exploit.”

Life and Death

While this is a global problem shared by every developed nation on the planet, in the U.S., data loss carries the potential for rising fines and increasing sanctions under the Health Insurance Portability and Accountability Act (HIPAA).

There are good reasons for this oversight. In a worst-case scenario, failure of the network to securely deliver accurate data critical to patient care can literally mean the difference between life and death. Saving lives and improving patient outcomes are key drivers in healthcare, and since these goals are now closely tied to a dependence on privacy and security, healthcare professionals at all levels are newly aware of the need for reliable and accurate data.

Given the complexity of the current threat landscape, the security challenge is to be able to identify the nature of the threat, the intent of the attacker, the assets at risk, the overall appetite for prevention and the budgetary constraints surrounding the environment. No single security software system prevents all threats, and no defense strategy that centers on a single theme will be satisfactory for all attack vectors. Every healthcare security solution requires a customized configuration of software, technologies, policy and training to address each individual environmental challenge.

In 2014, cyberattacks on hospitals, medical groups and healthcare testing, analysis and technology companies surged 600 percent. This increase, due in large part to the factors described earlier, was exacerbated by the financial, banking and retail sectors improving their defenses and making themselves more difficult to attack, while healthcare networks remained mired in a following position. The healthcare industry is more than 200 percent more likely to encounter data theft and experiences over 300% more security incidents and attacks than the average industry. Healthcare records, more than any other, hold a treasure trove of Personally Identifiable Information (PII) that can be, and has been, used in a multitude of follow-up attacks and various types of fraud.

The combination hack of United Airlines, Anthem, OPM and TSA led to a personal dossier of every US intelligence agent and his or her travel itineraries for the immediate future. Those hacked health records contained key information on the identity of those individuals (name, address, social security number) which acted as pointers into the OPM databases and then became enriched with United Airlines manifest travel data tied to their TKN (Transportation Security Agency codes assigned to each high-profile secured traveler in the US Government).

A more frequent and common example is patient PII used for identity fraud in association with financial data obtained through independent attacks, then leveraged to create new credit accounts, procure drugs and perpetrate insurance fraud.

The Health & Human Services' Office of Civil Rights (OCR) estimates that the personal health data of up to 30 million Americans has been compromised since 2009; in fact, as of September 15 of this year, 185 hacking incidents involving unauthorized access to the personal health information of 500 or more patients have so far been documented. In a June 2015 Healthcare Information and Management Systems Society (HIMSS) survey, a remarkable two-thirds of the healthcare companies surveyed reported that they had experienced a significant security incident.

Budget, Human Resources and Technology

Another reason why healthcare is so vulnerable is that healthcare organizations generally lack the technical and organizational skills and resources necessary to detect, mitigate and prevent cyberattacks. In a 2015 KPMG Healthcare Cybersecurity survey, only 50% of healthcare providers surveyed said they were prepared to defend against cyber-attacks, and over 75% cited budgetary and resource constraints as the primary stumbling blocks preventing them from implementing even the most basic defenses.

According to the HIMSS (the Healthcare Information and Management Systems Society), HealthCare organizations are spending just 3% of their IT budget on security when they should be spending at least 10 percent.

The good news is that almost 80% of the “Most Wired” medical institutions and hospitals have identified security incident response as a top priority in 2016; the bad news is that for the other “not-wired” hospitals, security is a priority in less than 40% of those organizations. The really bad news is that many of those have yet to implement even the most basic preventative measures such as intrusion detection systems, infrastructure security assessments, remote data wiping of mobile devices, or encryption.

Even though encryption is not required (yet) under HIPAA or the HITECH Act, it is estimated that at least 60 percent of healthcare data breaches since 2009 could have been prevented through encryption techniques.

Budget focus and allocation is also contributing to internal attacks in a big way. Inadvertent internal threats result from a lack of security training and awareness on the part of employees and staff. The healthcare sector is 75% more likely to be impacted by phishing schemes and more than 200% more exposed to email fraud. Security training programs can go a long way toward raising awareness and encouraging best practices that will reduce this number and curtail the incidence of email-associated breaches.

Compromised endpoints are another huge problem in healthcare organizations. Studies show that an average of 50,000 botnet encounters and incidents affect healthcare on a given day. Not only is the number of encounters high, requiring significant man-hours to identify, remediate and reimage infected endpoints, but large spikes in this activity result in increased malware perniciousness and in the number of endpoints compromised.

As an example, the healthcare industry is infected with the Andromeda botnet 14 times more than any other industry sector. The Andromeda botnet is highly sophisticated and can avoid detection, regularly evades even the most advanced sandboxing and embeds itself on host systems remaining dormant for months at a time before reaching out to its command and control server. It is also very effective at creating network backdoors providing entry points for additional data-theft malware.

IoT and Future Threats

According to a December 2014 Gartner forecast, digital and connected diagnostic and screening systems in the healthcare field will reach more than 40 percent global penetration by 2020. These connected diagnostic and screening systems' vulnerabilities can jeopardize a hospital's entire information system, with possible implications for patient safety as well as security of information.


In a fairly common example, the University of Pittsburgh's Medical Center has a connected network of 22 hospitals, 4,000 physicians, imaging centers, labs and others using dozens of different IT systems. The pervasive use of mobile devices by everyone from administrators to doctors and nursing staff, as well as emergency responders, only further expands the exposed attack surfaces for cybercriminals to negotiate. These connected systems enable devices or an entire hospital network to be compromised. A variety of exercises have been conducted by security researchers to demonstrate the vulnerabilities associated with connected systems. In a recent controlled exercise, a healthcare organization's incorrectly configured internet-connected computer exposed the data of 32 pacemaker systems, 21 anesthesiology systems, 488 cardiology systems and 323 radiology systems, along with telemetry systems for monitoring the movement of elderly patients, to potential attack. And because the network was connected to third-party providers common to hospitals – like pharmacies and laboratories – the exposure was increased several fold.

These are very real and very current vulnerabilities which will only increase geometrically as more devices are connected with host systems across the healthcare treatment landscape.

Historically, healthcare professionals have demonstrated an increased tendency to try to get around IT security policy in order to better serve their patients; when a doctor or nurse needs access to computing resources or data because a patient's health is at risk, IT policy takes a back seat in the heat of the moment, which can lead to increased exposure to cyber threats or insecure access and storage of sensitive information. Cyber-criminals know this, and it may be one of the causes of the dramatic vulnerability exposure in healthcare as compared to other industry sectors.

Compounding the problem, many of the new network-connected devices in a hospital setting have machine-assisted or machine-determined sharing of information. EKG monitors, blood pressure and intensive-care assisted breathing machines automatically send patient data elsewhere for monitoring at a separate location. Hospitals are hesitant to put security measures between these devices and the network because a false positive of a threat could potentially disrupt the function of the equipment. Security analysts and researchers suggest that up to 75 percent of hospital network traffic goes unmonitored by security solutions out of fear that improperly configured security measures or alarming false positives could dramatically increase the risk to patient health or well-being.

The combination of challenges confounds security efforts and is likely to increase the prevalence of both attacks and subsequent data loss or theft. With adoption patterns mimicked closely in other industries, this might be said to be a danger for any industry adopting an Internet of Things environment if proper security measures are not established before widespread deployments.

Conclusion

The amount of personally identifiable and proprietary patient care information available and inherent as part of the healthcare industry will assure that it remains a highly attractive target to attackers both externally as well as internally.

The continued budget pressure away from security will sustain the lack of employee and staff awareness, even though such awareness could seriously reduce the number of phishing and email fraud attack vectors. The attraction of quick and easy profit from the sale of personal health information on the dark web will continue to attract data theft by internal sources.

Complex and multi-faceted connectivity of both systems and devices, along with third-party software, will continue to compound cyber-attack exposures as IoT increases its presence in hospitals and treatment centers.

HIPAA and HITECH will continue to evolve and catch up with current threat sophistication and advanced attack techniques, refining and expanding their regulatory requirements to address greater security controls over more attack surfaces in an expanded universe of settings.


There are five specific areas that today's healthcare IT and operational administrators must address to assure that information systems and patient information are protected in the best and most reliable manner possible.

1) Protection and prevention from external threats through web applications and end-points. It is relatively easy for attackers to penetrate web applications, which are heavily used for the transmission of patient information ranging from cancer screening and specimen testing to treatment histories and hospital records; and there are so many end-points from which to attack, whether they be mobile devices or network-connected admittance servers, that attackers have a broad range of choice when it comes to selecting an entry point.

2) Detection of network infection is crucial to assure that attackers have not bypassed traditional perimeter defense solutions through an email phishing attack, rogue browser malware, an unprotected third-party diagnostic device or simply corrupted USB memory sticks. There are an increasing number of ways onto your network that won't be detected by anti-malware or anti-virus software.

3) Identification of internal threats before a breach occurs, by monitoring and alerting on anomalous behavior of internal as well as external employees and staff, and of systems and databases. The value of a personal healthcare record on the black market is $50 these days, far more than that of financial or credit card data; and because the dark web markets are so easily accessible now, it is also far more tempting to a low-wage hospital or diagnostic staffer.

4) Many attacks can be avoided through education and continual awareness programs designed to help employees and staff understand and identify malware-infected URLs, browser-based malicious adware techniques, email-based phishing attempts, spoofed credential-sharing processes to avoid, etc. These programs are highly affordable and most are continuous in nature, so that employees are randomly tested throughout the year, assuring that their awareness remains keen and focused. This goes a long way toward breach prevention.

5) Regulatory compliance is already sufficiently comprehensive that most companies processing healthcare information are out of compliance and probably don’t realize it.

Understanding the actual requirements in HIPAA/HITECH regulations is critical to any healthcare industry participant, not just from a fine-avoidance point of view but from a reputational value consideration as well.
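As an added illustration of the monitoring called for in points 2 and 3 above (example code written for this page, not Netswitch's or Cavirin's tooling), the following Python flags a user whose daily count of distinct patient records is far above the median for their role, and counts how many of those accesses fell outside working hours. The audit-log format, the role names and every log line are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed EHR access-audit lines (hypothetical format and data, not from any
# real system): timestamp  user  role  action  patient_id
BASE_LOG = """\
2015-09-14T08:02:11 nurse01 nurse VIEW P1001
2015-09-14T08:15:40 nurse01 nurse VIEW P1002
2015-09-14T09:30:05 nurse01 nurse UPDATE P1002
2015-09-14T08:10:22 nurse02 nurse VIEW P1003
2015-09-14T10:44:09 nurse02 nurse VIEW P1004
2015-09-14T11:02:51 nurse02 nurse VIEW P1005
2015-09-14T07:58:00 nurse03 nurse VIEW P1006
2015-09-14T13:20:33 nurse03 nurse VIEW P1007
2015-09-14T09:05:00 clerk08 billing VIEW P2050
2015-09-14T09:40:00 clerk09 billing VIEW P2051
2015-09-14T10:40:00 clerk09 billing VIEW P2052"""
# Constructed burst: one billing clerk viewing 40 different records late at
# night, the pattern of harvesting records rather than working a queue.
BURST_LOG = "\n".join(
    f"2015-09-14T22:41:{i:02d} clerk07 billing VIEW P{3000 + i}" for i in range(40)
)
SAMPLE_LOG = BASE_LOG + "\n" + BURST_LOG

def parse_log(text):
    """Parse whitespace-separated audit lines into (timestamp, user, role, action, patient)."""
    records = []
    for line in text.strip().splitlines():
        ts, user, role, action, patient = line.split()
        records.append((datetime.fromisoformat(ts), user, role, action, patient))
    return records

def daily_profiles(records, day_start=6, day_end=20):
    """Per (user, role, day): number of distinct patients touched and off-hours accesses."""
    patients = defaultdict(set)
    off_hours = defaultdict(int)
    for ts, user, role, _action, patient in records:
        key = (user, role, ts.date())
        patients[key].add(patient)
        if not day_start <= ts.hour < day_end:
            off_hours[key] += 1
    return {key: (len(ids), off_hours[key]) for key, ids in patients.items()}

def find_anomalies(profiles, factor=3.0, min_patients=5):
    """Flag user-days whose distinct-patient count exceeds factor x the role's median."""
    # The peer median is robust to a single outlier, so one harvester does not
    # raise the baseline; min_patients keeps tiny counts from tripping the ratio.
    by_role = defaultdict(list)
    for (_user, role, _day), (count, _off) in profiles.items():
        by_role[role].append(count)
    alerts = []
    for (user, role, day), (count, off) in profiles.items():
        baseline = median(by_role[role])
        if count >= min_patients and count > factor * baseline:
            alerts.append({"user": user, "role": role, "day": str(day),
                           "distinct_patients": count, "role_median": baseline,
                           "off_hours_accesses": off})
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(daily_profiles(parse_log(SAMPLE_LOG))):
        print(alert)
```

On the constructed data only clerk07 is flagged (40 distinct patients against a billing median of 2, all 40 accesses after hours); the nurses stay within their peer baseline.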


One vendor and partner of ours who has a great compliance solution is a company called Cavirin. The Cavirin solution can verify that your system and server patches are up to date and that your firewall and OS configurations are audited against best practices and regulatory policies, such as HIPAA, on a continuing basis.

Cavirin's Automated Risk Analysis Platform (ARAP) is an agentless and cost-effective solution which provides continuous visibility and policy-driven security for cloud, hybrid and on-prem environments and their associated workloads, inside and outside of the container. It automates audit compliance, helps organizations avoid hefty fines, and reduces the time and financial burden on internal staff.

None of us want to be on the front page of the Wall Street Journal.

About Netswitch

Netswitch is one of the world's leading Managed Security Service Providers (MSSP) and the 4th fastest growing MSSP in the world, as ranked by MSPmentor's 2015 annual top global 501 MSSP rankings.

We developed MADROC® as the foundation for changing the way that businesses achieve their IT security goals by providing the most advanced cloud-based solutions to monitor and protect critical information assets without adding headcount or expensive hardware and software licenses.

In business since 2000, with offices in San Francisco, Chicago, Thailand, Beijing, Hong Kong and Shanghai, we provide our customers with experience and expertise in managing their IT infrastructure and defending their networks and applications from cyber-attacks and data breaches.

Small, medium and large companies have all partnered with Netswitch including global clients such as Verizon Wireless, Wells Fargo Bank, Charles Schwab, eBay, Vodafone Americas, Inc., and the Hong Kong & Shanghai Hotels Limited.

At the end of the day, our customers enjoy the peace of mind they get through knowing we are looking out for them 24x7x365 days a year.


Headquarters:

Netswitch Technology Management

400 Oyster Point Boulevard, Suite 228 South San Francisco, CA 94080

415-566-6228 tel 415-566-4226 fax

Hong Kong Office:

Level 19, Two International Finance Centre 8 Finance Street, Central

Hong Kong, China +852-2251-8826 tel +852-2251-8827 fax

Shanghai Office:

Level 33, Citigroup Tower 33 Huayuanshiqiao Road

Shanghai, Pudong 200120, P.R.C. China +86-21-6101-0473

+86-21-6101-0220

Beijing Office:

L24, Tower 3, China Central Place 77 Jianguo Road, Chaoyang District

Beijing 100025, China +86-10-8587-2356 tel +86-10-8588-0220 fax

Thailand Office:

299/183 Moo 4 Vipavadi Rangsit Road Talad Bangkaen, Laksi Bangkok 10210 Thailand
