“Wanna Cry” Exposes Weakness in Health Sector Cyber Security Controls


The recent outbreak of the “WannaCry” ransomware has thrown light on how serious the cyber security risks to the health sector are. UK National Health Care centers were the biggest casualty of the malware infection, which disrupted several hospital operations, including emergency services.

Information security professionals in the health sector have enormous challenges ahead, considering e-services and the digitization of medical records (Electronic Health Records, EHR) in the hospital sector. Moreover, advanced medical equipment for various tests and assessments is computer driven and network connected, which eventually makes it vulnerable to online threats.

Health and fitness gadgets, which have become quite a trend amongst the youth, are also vulnerable to security threats. Security breaches of these gadgets can also pose harm to users’ physical safety. Many hospitals and medical equipment manufacturers do not have the ability to tackle the associated security risks.

More than 90% of health organizations had security breaches in the last couple of years, at an average cost of $2.2 million per incident.

Recently, US regulatory bodies have been taking severe action to punish many entities that were lax at securing patient data and violated the HIPAA (US health sector regulation) privacy and security rules.


However, despite heightened awareness and concern among the healthcare industry over its ability to thwart cyber crime, insider mistakes, and ransomware attacks, healthcare budgets for security have either dropped or remained the same in the past year.

A cybersecurity expert says ‘almost everything can be hacked’ and endpoint protection is not enough. Healthcare organizations need to implement high-end security monitoring and anomaly detection, according to Core Security general manager Chris Sullivan.
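To make the "monitoring and anomaly detection" point concrete, here is an added example (not code from the article or from Core Security) that runs three simple detection rules over constructed EHR audit-log lines: a clinician reading a chart outside their own unit, a non-clinical role touching records after hours, and one account opening many distinct patient records in a short window. The log format, user names, roles, units and thresholds are all assumptions made for the example.

```python
"""Added example: rule-based anomaly checks over EHR audit-log lines.
Everything below (log format, users, units, thresholds) is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log: timestamp|user|role|user_unit|patient_id|patient_unit
SAMPLE_LOG = """\
2017-05-15T09:02:11|dr.alvarez|physician|oncology|P1001|oncology
2017-05-15T09:05:40|dr.alvarez|physician|oncology|P1002|oncology
2017-05-15T09:07:03|nurse.kim|nurse|cardiology|P2001|cardiology
2017-05-15T09:30:00|nurse.kim|nurse|cardiology|P1001|oncology
2017-05-15T10:15:00|clerk.patel|billing|billing|P3001|orthopedics
2017-05-15T10:15:30|clerk.patel|billing|billing|P3002|orthopedics
2017-05-15T10:16:00|clerk.patel|billing|billing|P3003|orthopedics
2017-05-15T10:16:30|clerk.patel|billing|billing|P3004|orthopedics
2017-05-15T10:17:00|clerk.patel|billing|billing|P3005|orthopedics
2017-05-15T10:17:30|clerk.patel|billing|billing|P3006|orthopedics
2017-05-15T23:40:12|clerk.patel|billing|billing|P3007|orthopedics
"""

# Roles that legitimately read charts at any hour (assumed policy)
CLINICAL_ROLES = {"physician", "nurse"}


def parse_log(text):
    """Turn the pipe-separated lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, user_unit, patient_id, patient_unit = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "user_unit": user_unit,
            "patient_id": patient_id, "patient_unit": patient_unit,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(log_text, max_distinct=5, window_minutes=10):
    """Return a list of alerts; each has a rule name, the user and a detail."""
    alerts = []
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # user -> events inside the sliding window
    bulk_flagged = set()          # emit the bulk-access alert once per user

    for ev in parse_log(log_text):
        # Rule 1: clinical staff opening a chart from a different care unit
        if ev["role"] in CLINICAL_ROLES and ev["user_unit"] != ev["patient_unit"]:
            alerts.append({"rule": "unit_mismatch", "user": ev["user"],
                           "detail": f"{ev['patient_id']} ({ev['patient_unit']})"})

        # Rule 2: non-clinical role reading records between 22:00 and 06:00
        if ev["role"] not in CLINICAL_ROLES and (ev["ts"].hour >= 22 or ev["ts"].hour < 6):
            alerts.append({"rule": "after_hours", "user": ev["user"],
                           "detail": f"{ev['patient_id']} at {ev['ts'].time()}"})

        # Rule 3: many distinct patients within the sliding window
        q = recent[ev["user"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        distinct = {e["patient_id"] for e in q}
        if len(distinct) > max_distinct and ev["user"] not in bulk_flagged:
            bulk_flagged.add(ev["user"])
            alerts.append({"rule": "bulk_access", "user": ev["user"],
                           "detail": f"{len(distinct)} patients in {window_minutes} min"})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(f"{alert['rule']:14} {alert['user']:12} {alert['detail']}")
```

The thresholds are deliberately parameters: the right window and patient count depend on the role (a triage nurse legitimately opens more charts per hour than a billing clerk), so in practice each rule would read its limits from a per-role policy rather than a single constant.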

Cyber criminals are hitting healthcare with this insidious form of malware, and CryptoWall was the most common type of ransomware detected in the second quarter, a new report finds. The report does not include the “Wanna Cry” impact.

The most commonly exposed data in healthcare breaches are medical records, followed by billing and insurance records, and payment information. Some 64% of attacks targeted medical files and billing and insurance records, up from 45%. Nearly 40% of healthcare organizations and 26% of their business partners say they know of medical identity theft incidents affecting their patients and customers. However, 64% of healthcare organizations do not offer credit protection services for victims, and 67% of business partners do not have procedures in place to correct errors in medical records. This gap in the process could be life-threatening in the case of an identity thief using a patient’s medical information for fraudulent purposes.

Distributed denial-of-service (DDoS) attacks are the biggest security risk to healthcare organizations (48%), followed by ransomware (44%), malware (41%), phishing (32%), advanced persistent threats (16%), rogue software (11%), and password attacks (8%).


There were 44 reports of data breaches in August 2015, and 233 from January through August, according to the monthly Protenus Breach Barometer. A recent Cybersecurity Ventures report, sponsored by security firm Herjavec Group, also projected that global cyber security defense costs will exceed $1 trillion over the next five years.


For example, in August 2015, Cancer Care Group, P.C., based in Indianapolis, agreed to pay $750,000 to settle potential HIPAA violations that occurred three years earlier when someone stole a laptop bag from an employee’s car. The bag contained the employee’s computer, which held unencrypted backup media containing the names, addresses, dates of birth, Social Security numbers, insurance information and clinical data of approximately 55,000 current and former Cancer Care patients.

Another incident in July 2015 highlighted security lapses at St. Elizabeth’s Medical Center in Boston, which agreed to pay $218,400 to settle potential HIPAA violations that occurred in 2012 when workers used a Web-based document sharing application to store files containing the electronic protected health information (PHI) of at least 498 individuals.

In a separate incident, another breach was uncovered through the revelation that unsecured PHI had been stored on a former employee’s laptop and USB flash drive, affecting 595 individuals.

As health workers can access patient data anytime and anywhere, vulnerabilities have increased, and PHI is no longer managed within the four walls of a healthcare facility, said Mr. Sriram Bharadwaj, Director of Information Services at University of California (UC) Irvine Health in Orange, California. “In the old days, you accessed electronic health records from a PC at your desk. There were a minimal number of laptops, and logging onto the system was controlled,” Bharadwaj said. “Today, that same information is available in a broader, less controlled way, and multiple devices can be used to access the same data because all of these applications are now mobile compatible.”

The IS office at UC Irvine Health – which operates a cancer center, adult and pediatric trauma centers, and a stroke and cerebrovascular center – currently manages more than 1,000 devices. These tablets, laptops and other devices are used not only by physicians, nurses and other employees but also by medical students in residency programs. Given the frequent rotation of people logging onto the network and their tendency to bring their own devices to work, which increases the risk of a healthcare data breach, developing the right BYOD strategy is critical, Bharadwaj said.

Most recently, the cybercriminal group ‘Tsar Team’ hacked the World Anti-Doping Agency’s database and leaked confidential records of Rio 2016 athletes – including Serena Williams and Simone Biles.

To better secure its network, the medical facility developed what Bharadwaj said is a first-of-its-kind solution at a health system: middleware that links the facility’s mobile device management (MDM) software with a network access control (NAC) application. When users bring their own devices and attempt to connect to the network, they must receive service activation from both the MDM software and the NAC application before they can gain access to the hospital system’s network.
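The following added example (not UC Irvine Health’s middleware, whose internals the article does not describe) shows the decision logic such a broker needs: a device is placed on the clinical network only when its MDM enrollment record and its NAC posture report both pass policy, and every deny carries the reasons so the help desk can act on it. The record layouts, device identifiers, policy thresholds and VLAN names are assumptions made for the example.

```python
"""Added example: admission decision that requires both an MDM check and a
NAC posture check. Record layouts, devices and policy values are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class MdmRecord:
    """What the MDM server knows about an enrolled device (assumed fields)."""
    device_id: str
    enrolled: bool
    owner: str
    disk_encrypted: bool
    os_version: tuple      # e.g. (10, 3)
    jailbroken: bool


@dataclass
class NacPosture:
    """What the NAC agent reported at connection time (assumed fields)."""
    device_id: str
    cert_valid: bool       # device certificate presented to the NAC
    antivirus_current: bool
    patch_level_ok: bool


# Assumed policy: minimum OS version and the VLANs devices can land on
MIN_OS_VERSION = (10, 3)
CLINICAL_VLAN = "clinical"
QUARANTINE_VLAN = "quarantine"


def admission_decision(device_id: str, mdm: Optional[MdmRecord],
                       nac: Optional[NacPosture]) -> dict:
    """Return allow/deny with the VLAN and every reason for a deny."""
    reasons = []

    # MDM side: the device must be enrolled and meet device-hygiene policy
    if mdm is None or not mdm.enrolled:
        reasons.append("device not enrolled in MDM")
    else:
        if not mdm.disk_encrypted:
            reasons.append("disk encryption disabled")
        if mdm.os_version < MIN_OS_VERSION:
            reasons.append(f"OS {'.'.join(map(str, mdm.os_version))} below minimum")
        if mdm.jailbroken:
            reasons.append("device is jailbroken/rooted")

    # NAC side: the connection must carry a valid device cert and a clean posture
    if nac is None:
        reasons.append("no NAC posture report received")
    else:
        if not nac.cert_valid:
            reasons.append("device certificate invalid or missing")
        if not nac.antivirus_current:
            reasons.append("antivirus signatures out of date")
        if not nac.patch_level_ok:
            reasons.append("required patches missing")

    allowed = not reasons
    return {
        "device_id": device_id,
        "decision": "allow" if allowed else "deny",
        "vlan": CLINICAL_VLAN if allowed else QUARANTINE_VLAN,
        "reasons": reasons,
    }


def evaluate_all(mdm_records, nac_reports):
    """Join MDM and NAC data by device id and decide for every device seen by either."""
    mdm_by_id = {m.device_id: m for m in mdm_records}
    nac_by_id = {n.device_id: n for n in nac_reports}
    decisions = {}
    for device_id in sorted(set(mdm_by_id) | set(nac_by_id)):
        decisions[device_id] = admission_decision(
            device_id, mdm_by_id.get(device_id), nac_by_id.get(device_id))
    return decisions


# Constructed sample data: one compliant tablet, one with stale AV, one unknown to MDM
SAMPLE_MDM = [
    MdmRecord("tab-001", True, "resident.ng", True, (10, 3), False),
    MdmRecord("tab-002", True, "nurse.kim", True, (11, 0), False),
]
SAMPLE_NAC = [
    NacPosture("tab-001", True, True, True),
    NacPosture("tab-002", True, False, True),
    NacPosture("phone-009", False, True, True),
]

if __name__ == "__main__":
    for dev, result in evaluate_all(SAMPLE_MDM, SAMPLE_NAC).items():
        print(dev, result["decision"], result["vlan"], "; ".join(result["reasons"]))
```

Collecting every failing reason rather than stopping at the first one matters operationally: a user told only "not enrolled" will enrol and then fail again on encryption, whereas a full list lets the quarantine VLAN's captive page show all the remediation steps at once.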

It is no mystery that attackers and their methods are increasingly sophisticated. One such method is spear phishing, where fraudulent emails appear to originate from a known business or colleague but are, in reality, sent by criminals seeking elevated network credentials or other personal information from the targeted individual. Once an attacker obtains such credentials, rather than immediately launching an online attack, the attacker may plant advanced persistent threats. “They have some characteristics that are particularly scary. They hide well, either in computer memory or on disk storage. They are likely going to exist in your environment undetected, could be for years sometimes.”

Ensuring the complete security of healthcare information may be an impossible task due to the naturally open access of a healthcare facility and the sheer number of people who come and go every day.

To tackle this problem, hospitals and other healthcare agencies have begun hiring IT security professionals. However, new clinical informatics positions at hospitals are proving difficult to fill, according to a new study from Hay Group. Forty-seven percent of healthcare organizations reported challenges with recruitment, retention or both.

Eighty-two percent of respondents said the positions are designed to be filled by full-time employees, rather than by consultants, and many healthcare organizations indicated the posts originated with interim agreements. “These posts are so new and so specialized that it is not surprising to see these professionals capitalizing on the market demand for their services,” said Dan Mayfield, a healthcare consultant with Hay Group. “Retention will be tough until more talent develops in the market. Also, programmers tend to enjoy the design and implementation project phases, rather than the maintenance and utilization of systems. We see this difference in IT positions across all industries.”

A surge in interest regarding clinical informatics positions was created in response to the American Recovery Act’s push to implement electronic medical record systems to create efficiencies in healthcare, but also to create jobs.

Computrace Persistence Technology, introduced in 2005, includes data and device security capabilities that block access to an electronic device and remove sensitive data before it can be breached. Depending on the situation, customers can remotely delete sensitive data and produce an audit log of the deleted files to prove compliance with healthcare privacy regulations, says Stephen Midgley, vice president, Global Marketing, Absolute Software. “Device Freeze and Intel AT Lock will freeze the computer and display a message to the user to validate the status of the instrument before access is reinstated. Remote file retrieval is also possible for those instances where the computer contains unique information that will be difficult to replace,” he says.

Other technologies and techniques that are deployed to strengthen endpoint security defenses include the following:

  • Full disk encryption
  • Antivirus software
  • Workstation timeouts
  • Multifactor authentication
  • Single sign on
  • Data loss prevention technology
  • Security information and event management
  • Firewalls

As smartphones and tablets proliferate in hospitals – increasing the risk of an endpoint security breach – health IT executives must broaden and harden their defenses. While the report indicates real progress in some critical security areas, there is still a lot that can be done to modify behavior and educate employees. Ultimately, everyone is responsible for protecting sensitive business information. Knowing there is ambiguity in how different users may approach this requirement, IT leaders need to provide meaningful guidance and training that reinforces this mutual accountability.
