Recent research on the healthcare IT industry, sponsored by Norse and written by SANS using data from the Norse Live Threat Intelligence Platform, has created a fair amount of buzz in the security and healthcare industries. The data and statistical analysis reveal, and provide concrete backing for, some of the previously expressed fears surrounding the state of IT security in the healthcare industry. What was clear from the data and report is that this is an industry having trouble implementing and maintaining many basic IT security best practices. If the situation is not improved, it is just a matter of time until the industry faces a crisis of confidence from patients and lawmakers alike.
Last week we discussed exactly who is feeling the pain of the lack of security of patient data. During our yearlong monitoring of healthcare organizations, tens of thousands of malicious events were captured through the Norse Live Threat Intelligence Platform. In this post we discuss some of the sources and culprits behind these malicious events and what IT departments should be on the lookout for.
The following statistics will help readers understand the focus of the Norse research, which found:
- 49,917 unique malicious events
- 723 unique malicious-source IP addresses
- 375 compromised U.S.-based healthcare-related organizations
The results yielded alarming conclusions, including the following:
- Extrapolating from the sheer volume of IP addresses detected in the targeted sample, it can be assumed that millions of compromised healthcare organizations, applications, devices and systems are sending malicious packets from around the world.
- Current security practices and strategies in the healthcare industry are not keeping pace with the volume of attacks.
- Personal healthcare information, organizational intellectual property, and medical billing and payment information are all increasingly at risk of data theft and fraud due to the volume of attacks and lack of adequate security.
- The cost of compromises and failed compliance audits is increasing; these costs include regulatory fines, notification of victims, immediate remediation costs, brand damage, class-action lawsuits and more.
In short, organizations need to realize that meeting regulatory compliance obligations is not enough and does not equal security. But something even more frightening is this: some of the security controls that healthcare organizations most rely on to protect them against these threats also represent the largest sources of malicious traffic coming from their networks. What does this mean? At least in part it means that cybercriminals are breaching these networks by exploiting improperly configured and poorly managed network and security controls like firewalls, UTM appliances, etc. This is frustrating since it means that many of these compromises and breaches could easily be avoided.
Which devices and applications did Norse find emitting the malicious traffic?
Connected medical endpoints: The study findings showed that 7 percent of malicious traffic was coming from radiology imaging software, another 7 percent originated from videoconferencing systems, and another 3 percent came from digital video systems that are likely used for remote procedures and consults. Some of the most vulnerable devices are also among the most common, such as network-attached printers, faxes and surveillance cameras, as they are often overlooked when it comes to security.
Internet-facing personal health data: In its 2013 Survey on Medical Identity Theft, the Ponemon Institute estimated that nearly 2 million Americans will spend over $12 billion out of pocket in 2014 dealing with the consequences of their compromised medical or insurance files. This is at least partially due to the potential for a personal health record (PHR) system being breached. Consumers’ personal health records are not necessarily tethered to an electronic health record (EHR) system, which means the records are neither certified under U.S. standards nor regulated under HIPAA/Health Information Technology for Economic and Clinical Health (HITECH) Act legislation. As a result, many consumers will find they have no recourse and will be forced to bear the cost of compromised files themselves.
Security systems and edge devices: The study also showed that malicious traffic was passing through or being transmitted from VPN apps and devices, firewalls, routers and enterprise network controllers (ENCs). This means that the security apps and devices themselves were either compromised or that these “protection” systems are not detecting malicious traffic coming from network endpoints inside the protected perimeter – inside the firewall or behind the VPN concentrator. If they are not detecting, they are not reporting—and that means they are out of compliance with privacy and security regulations for patient data.
The “we’re secure” perception some healthcare organizations possess is dangerous, as organizations are being breached at a troubling rate. There is a gap between reality and practice, as it’s clear that complying with legislation such as HIPAA, the HITECH Act and related regulations is not sufficient for healthcare organizations looking to secure their patient data.
It’s clear that, as a whole, healthcare organizations must do more to shore up their IT security and protect patient data. All organizations and industries deal with budgetary constraints when it comes to IT and security spending. In the case of healthcare, however, increased budgets are not the total answer. Effecting real change and improvement in security and data privacy requires a change in mindset and culture within these organizations so that every employee understands the importance of protecting patient data and is trained in best practices related to their job function. Unfortunately, changing company culture and employee mindsets is difficult and will require a long-term view and commitment from the leaders of these organizations. Let’s hope that the leaders of our healthcare organizations will address and rise to this challenge before the industry is forced to by crisis.
The SANS-Norse Healthcare Cyberthreat Report can be found here: http://norse-corp.com/HealthcareReport2014.html
We will continue to delve deeper into the report for our readers, pulling out relevant points of information over the next couple of weeks.