Healthcare Industry Woefully Ill-Prepared to Combat Cyber Attacks: Report

Attacks against medical devices and critical health care systems are no longer theoretical. In fact, according to a report from the SANS Institute, poorly protected health care systems are not able to fight off the barrage of attacks.

A staggering 94 percent of all healthcare organizations admit they have been victims of data breaches at some point, the SANS Institute found in its “Health Care Cyberthreat Report,” released Wednesday. What's even more disconcerting is that, despite the high number, organizations that have been breached but haven't disclosed the incidents, or haven't discovered them yet, aren't included in the tally.

Many networked medical devices, such as radiology imaging software, video conferencing systems, mail and VOIP servers, digital surveillance cameras, call contact software, and networked printers and fax machines, were being compromised.

"Once compromised, these networks are not only vulnerable to breaches, but also available to be used for attacks such as phishing, DDoS and fraudulent activities launched against other networks and victims," the report found.

Existing Security Not Enough

Security products weren't sufficient to keep out the bad traffic. In fact, when SANS researchers examined device-based and organizational sources of malicious traffic, they found that most of the malicious traffic passed through some kind of security solution. For example, firewalls let through 16 percent of malicious traffic and 33 percent traveled over a virtual private network, the report found. Routers and enterprise network controllers accounted for nine percent of malicious traffic.

These findings are worrisome in light of the fact that many of the healthcare-related organizations believe existing security controls such as a firewall are sufficient to protect against attacks. Considering many of these organizations have already been breached, the assumption appears to be naively optimistic.

The researchers found 49,917 unique malicious events, 723 unique malicious source IP addresses, and information about 375 U.S.-based compromised healthcare organizations while preparing the report. The data was collected between September 2012 and October 2013 by healthcare security and anti-fraud company Norse as part of its threat intelligence network.

“The sheer volume of IPs detected in this targeted sample can be extrapolated to assume that there are in fact millions of compromised healthcare organizations, applications, devices, and systems sending malicious packets from around the globe,” the report found.

Compliance != Security

The healthcare industry in the U.S. is among the most regulated, but even so, organizations are not secure, the report said. Existing best practices have not kept up with evolving attack techniques, and organizations are failing to protect patient data, intellectual property, and payment information, along with the systems themselves. Once a breach occurred, attackers regularly launched phishing and distributed denial of service attacks, researchers found.

“From a compliance standpoint, the findings demonstrate that healthcare organizations could continue to find themselves in the same situation as healthcare companies such as the one WellPoint Inc. found itself in — on the receiving end of HIPAA fines reaching almost $2 million after exposing hundreds of thousands of ePHI,” the report found.

Attackers Exploiting Network

Network devices are frequently shipped from the vendor with a default configuration, which is generally insecure. Administrators are increasingly getting better about changing the configurations on their firewalls and other network devices so that default accounts don't have easily guessable passwords, according to the report. However, they are overlooking some types of devices, and attackers are taking advantage of that mistake. As far as the attacker is concerned, compromising a fax machine is just as effective as compromising a server.

“This level of compromise and control could easily lead to a wide range of criminal activities that are currently not being detected. For example, hackers can engage in widespread theft of patient information that includes everything from medical conditions to social security numbers to home addresses, and they can even manipulate medical devices used to administer critical care,” said Barbara Filkins, a senior SANS analyst and principal author of the report.

An overhaul in how the healthcare industry approaches security is necessary, according to the report. Organizations need to perform a thorough assessment to identify all the devices connected to the network and to flag all the older, vulnerable software and networked equipment which need to be replaced, the report recommended. Once organizations know what is on their network, they can figure out ways to secure them. Healthcare organizations also need to step up and maintain ongoing patch management and vulnerability assessments.

“Although the healthcare industry continues to search for ways to protect its data, many organizations are still not able to properly safeguard critical data, and both companies and consumers are paying the price,” said Norse's Glines.

While this report put the healthcare industry under the microscope, we must ask, are other industry verticals much better off?

The full report is available online.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.