Security Trends and Emerging Threats in Healthcare IT

Security

By David Gailey

The risk of a serious data breach or other cyberattack within the healthcare industry, and the potential consequences of one, are not only a reality of our time but are becoming the norm. In response to changes in the overall threat landscape, the U.S. government has added new security requirements to HIPAA and the HITECH Act that require healthcare entities to strengthen their cybersecurity practices. As organizations adapt to these new requirements, legislation encourages yet other providers to demonstrate “meaningful use” by becoming network integrated as they transition to electronic-based systems. Nevertheless, as cybercriminals discover ways to circumvent safeguards, staying aware of cybersecurity trends, emerging threats, and best practices is becoming both more difficult and more important.

In February 2016, a Los Angeles-based hospital became the victim of a ransomware attack that blocked access to patient records for 10 days until a 40 bitcoin ($17,000) ransom was paid. During the attack, hospital staff had to revert to pen and paper for record keeping. While hospital executives and technology experts determined that paying the ransom was the most expeditious way to restore service, the real cost of the attack would also need to account for the 10 days of lost revenue, damage to their reputation, and the potential for a secondary infection. This ransomware attack is one among many: recent reports show that the healthcare industry accounted for 88% of all ransomware attacks in the U.S. last year.

This increase is part of an emerging trend. The Ponemon Institute, a security research and consulting firm, reported that 89% of studied healthcare organizations experienced a data breach in which patient data was either stolen or lost over the past two years. As hospitals and providers experience fewer data breaches due to employee negligence, there is a marked increase in malicious and criminal security threats. If this trend continues, it is no longer a question of whether a breach will occur, but of what to do once it has happened.

In August of 2014, the FBI reported that healthcare cybersecurity systems are lax when compared to the financial and retail sectors. According to Tom Kellerman, CTO of Strategic Cyber Ventures, most hospitals spend less than 5% of their IT budgets on cybersecurity. This is a stark contrast to the value of lucrative health data, which sells for “$70 a record, as opposed to $5 to $20 for credit card and financial records,” says Kellerman. Health data is more valuable because it can be used to carry out multiple exploits such as identity theft, medical fraud and more, according to Raj Mehta, a partner at Deloitte & Touche’s Cyber Risk Services practice. Making matters worse, health records tend to include pertinent information such as emergency contacts and other details that may help an attacker gain the confidence of a victim through a phishing attack or other means.

While an increase in funding for cybersecurity is generally recommended, spending alone is not sufficient to prevent an attack. The healthcare industry is plagued by long and arduous adoption times for the implementation of new technology. In some cases, these processes may be overly complex or subjected to layers of controls that hinder the organization's ability to respond rapidly. In addition, once a solution has been implemented, organizations are challenged to keep its software current and up to date. If a provider lags on routine patch cycles, for example, it may be at elevated risk of becoming the target of an attack.

The proliferation of medical and IoT devices has also widened the attack surface for healthcare organizations and increased their overall risk exposure. According to Gartner, there will be 20 billion connected devices by the year 2020. Of these, six billion will be deployed in businesses as integral parts of business systems. Yet an HP study revealed that about 70% of IoT devices have been found to be vulnerable, and a Dark Reading study found that IoT devices contain an average of 25 vulnerabilities each. IoT devices are also highly connected, utilizing a variety of network interfaces. Traditional security tools generally do not have visibility across all network types (e.g. Bluetooth, WiFi, Ethernet, NFC, RF), leaving organizations in the dark as to the number and types of devices on their IoT network. Moreover, since IoT devices are becoming more and more commonplace, both healthcare employees and patients represent potential attack vectors for a breach of health data through mere exposure and proximity to corporate systems.

That the risk presented by medical and IoT devices is both real and relevant is evidenced in the FDA report titled “Cybersecurity Vulnerabilities Identified in St. Jude Medical’s Implantable Cardiac Devices and Merlin@home Transmitter: FDA Safety Communication” dated January 9, 2017. According to the report: “Many medical devices—including St. Jude Medical’s implantable cardiac devices—contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits. As medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices, and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates.” The report confirms the existence of a vulnerability within the Merlin@home Transmitter and documents the steps taken to remediate the problem.

Other types of attacks faced by healthcare organizations include social engineering attacks. During a penetration test by a white hat hacker, a call was placed to the corporate help desk using a spoofed internal number. When the help-desk technician answered, the would-be employee stated that he was preparing for a presentation but was having trouble accessing a specific website. The help-desk employee responded that he would browse to the site to see if he could identify the problem; he experienced no issues as he did so. The would-be employee responded that the site had just started working for him as well and thanked the help-desk employee for his time. What the help-desk employee did not know was that the site he visited contained malicious code that installed in the background, compromising his system. Social engineering attacks of this kind are difficult to prevent with technical controls alone and generally require significant user awareness and training to counter effectively.

In addition to the attacks described above, many other forms of cyberattack are possible. In January of this year, flaws were discovered in several processors from Intel, ARM and AMD. If leveraged, these vulnerabilities, named Meltdown and Spectre, could allow attackers to access passwords, encryption keys and other private information. The significance of their discovery is due to the sheer number of systems potentially impacted, affecting every Intel processor since 1995. While security patches exist that mitigate the risk of each exploit, a lack of awareness or delays in patch cycles could leave an organization at increased risk of being targeted by malware designed to leverage either flaw.
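Whether the Meltdown and Spectre mitigations are actually in place on a given Linux host is something an inventory check can answer directly: the kernel exposes a one-line status per flaw under /sys/devices/system/cpu/vulnerabilities (present on Linux 4.15 and later). The script below is an added example, not code from the article; the sample status strings are constructed to show what an unpatched host reports.

```python
"""Report Meltdown/Spectre mitigation status from Linux sysfs (added example)."""
from pathlib import Path

# Kernel 4.15+ exposes one status file per flaw under this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map the kernel's status line to mitigated / vulnerable / not_affected / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def unmitigated(statuses: dict) -> list:
    """Return the names of checks that still need action (vulnerable or unreadable)."""
    return sorted(n for n, s in statuses.items() if classify(s) in ("vulnerable", "unknown"))


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read live status from a Linux host; a missing file (older kernel) counts as unknown."""
    out = {}
    for name in CHECKS:
        path = directory / name
        out[name] = path.read_text() if path.exists() else "unknown (status file missing)"
    return out


# Constructed sample of what an unpatched host might report (not captured from a real system).
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    print("sample host needs action on:", unmitigated(SAMPLE_UNPATCHED))
    print("this host needs action on:", unmitigated(read_sysfs()))
```

Hosts whose kernel predates the status files are reported as unknown rather than silently passed, since that is exactly the patch lag the paragraph warns about.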

Among preventive measures and countermeasures, maintaining up-to-date patch levels on all systems remains key to preventing many exploits, including those used by ransomware. Additional countermeasures may include intelligent firewalls to stop malware from downloading, intrusion detection software to monitor for unauthorized activity on computer networks, and anti-virus, anti-malware, or application whitelisting software to stop malware from executing on desktop computers. Network segregation, so that medical devices are not accessible from the administrative network, may also be effective, as may establishing least-privileged access and privileged account management (PAM) solutions. A holistic tool set with a solid reputation may also be worth evaluating.
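Two of the countermeasures above, patch currency and keeping medical devices unreachable from the administrative network, can be checked continuously against an inventory rather than only at audit time. The script below is an added example, not code from the article; the device inventory, the 30-day patch policy, the report date and the zone-based firewall rules are all constructed for illustration.

```python
"""Audit a constructed device inventory for patch age and zone segregation (added example)."""
from dataclasses import dataclass
from datetime import date

PATCH_MAX_AGE_DAYS = 30            # assumed policy: every system patched within 30 days
REPORT_DATE = date(2018, 3, 1)     # constructed "as of" date for the audit
ADMIN_ZONE, MEDICAL_ZONE = "admin", "medical"


@dataclass
class Device:
    name: str
    zone: str
    last_patched: date


# Constructed sample inventory; these are not real hosts.
INVENTORY = [
    Device("infusion-pump-07", MEDICAL_ZONE, date(2018, 1, 5)),
    Device("billing-ws-12", ADMIN_ZONE, date(2018, 2, 20)),
    Device("ct-console-02", MEDICAL_ZONE, date(2018, 2, 25)),
]

# Constructed zone firewall policy as (source zone, destination zone, action); first match wins,
# anything unmatched is denied. The first rule is the weak setting the paragraph warns against.
WEAK_RULES = [
    (ADMIN_ZONE, MEDICAL_ZONE, "allow"),
    (ADMIN_ZONE, ADMIN_ZONE, "allow"),
    (MEDICAL_ZONE, MEDICAL_ZONE, "allow"),
]


def stale_devices(inventory, today=REPORT_DATE, max_age=PATCH_MAX_AGE_DAYS):
    """Names of devices whose last patch is older than the policy allows."""
    return [d.name for d in inventory if (today - d.last_patched).days > max_age]


def zone_reachable(rules, src, dst):
    """Evaluate the first-match rule list with a default deny."""
    for rule_src, rule_dst, action in rules:
        if rule_src == src and rule_dst == dst:
            return action == "allow"
    return False


def segregate(rules):
    """Corrected policy: drop the admin->medical allow and put an explicit deny in front."""
    kept = [r for r in rules if (r[0], r[1]) != (ADMIN_ZONE, MEDICAL_ZONE)]
    return [(ADMIN_ZONE, MEDICAL_ZONE, "deny")] + kept


if __name__ == "__main__":
    print("overdue for patching:", stale_devices(INVENTORY))
    print("admin can reach medical (weak):", zone_reachable(WEAK_RULES, ADMIN_ZONE, MEDICAL_ZONE))
    print("admin can reach medical (fixed):", zone_reachable(segregate(WEAK_RULES), ADMIN_ZONE, MEDICAL_ZONE))
```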

Traditional preventive countermeasures, such as maintaining off-site file system backups, should also not be ignored. Staff and employees should be trained on how to avoid letting a cyberattack into the hospital’s systems by not downloading unknown files, clicking on unknown links, or connecting unknown USB devices to corporate computer systems. Staff should also be trained on mobile device security and the proper use of their phones while at work.

There are two primary drivers of the increased risk exposure of healthcare organizations to cyberattacks. The first is the rapid rate of change within the technological landscape, which causes new threats such as ransomware to emerge. While traditional attack vectors remain relevant, the systems and countermeasures used to address them are becoming outdated, as new technologies emerge faster than defenses can be updated or built to protect them. With the rapid expansion of medical and IoT devices, hospital IT systems are exposed to yet another attack surface. As IoT vendors continue to fail to address security concerns, such as those resulting from the network integration of medical devices, there is growing concern that recent trends will convince cybercriminals to begin targeting medical devices. The second primary driver is legislation within the United States promoting increased use of technology by healthcare institutions. As organizations increasingly adopt network integration, the risk of a cyberattack also increases. It is imperative that organizations remain current on cybersecurity trends, emerging threats, and best practices, and remain agile with adequate funding and resources, if they are to prepare for and prevent cyberattacks.