SANS Cyberthreat White Paper Shows Dark Clouds on HIT Horizon

May 16, 2014 at 11:47 am by Staff


Widespread security issues put systems, patients at risk

Consider yourself warned.

A white paper released earlier this year by SANS, a global leader in cybersecurity research, training and certification, painted a bleak picture of where the healthcare industry currently stands in keeping protected information safe and secure. The report was created using healthcare-specific data provided by Norse, a live threat intelligence and security solutions firm, from September 2012 to October 2013. The eye-opening results underscored the vulnerability of providers, payers, business associates and patients.

Authored by Barbara Filkins, a senior SANS analyst and healthcare specialist, the report detailed the widespread problem. Analysis of the Norse data collected during the 13-month sample found:

49,917 unique malicious events,

723 unique malicious source IP addresses, and

375 US-based healthcare-related organizations compromised … averaging about one a day.

Filkins wrote, “The data analyzed was alarming. It not only confirmed how vulnerable the industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen.”

Furthermore, the analysis made it clear that the threats aren’t unique to any one type of healthcare company, but providers are seemingly the most vulnerable. In looking at the sectors compromised by malicious traffic, healthcare providers led the way with 72 percent. Business associates accounted for 9.9 percent of the malicious traffic, health plans 6.1 percent, healthcare clearinghouses 0.5 percent, pharmaceuticals 2.9 percent, and other related entities 8.5 percent. Most alarming, noted Filkins, was the level of activity found in what was just a sample set.

Speaking to Medical News from her California office, Filkins said ‘malicious events’ are defined as an outside threat or event that might have penetrated the system and could range from hijacking contacts to pushing sensitive information outward. She noted that many companies, practices and facilities have policies in place warning employees not to click on an unknown email or link. (And who hasn’t received a suspicious link under the guise of coming from a friend or colleague?) Yet, she said, “People need to be looking at not only what comes into their network, but what goes out of their network.”

Finding and addressing malware typically requires a HIT professional. “A lot of times an attacker will use a very common protocol so it might look like someone is browsing the web, but you might have to dig a little deeper under the covers,” she noted of finding and locating problems. “A lot of these events continued not just for days … but for months,” she added.

Locking the Front Door, Leaving the Back Wide Open

Oftentimes the point of entry for attackers was not the main information system. Instead, those with malicious intent entered through peripheral surfaces like network printers, call contact software, routers, medical devices, and … ironically … security cameras. While the main system was securely locked and password protected, many times, Filkins said, the default password remains on these add-on surfaces. Finding the admin password, she continued, is as easy as doing a quick Internet search for the device in question.

“There are some very basic things that can be done to get started with protection,” Filkins noted. The most obvious … but clearly overlooked … is to change those default passwords. However, she continued, changing to an easily deciphered password isn’t much help. Avoid using your children’s names, street address, pet names, combined physician names, name of the practice, or other easily discernible choices. The best passwords, Filkins said, include numbers and unique characters.

Mobile devices can also cause headaches … in part because of unrealistic expectations and policies. “Everyone uses mobile devices,” Filkins stated. “Rather than trying to bury that and say, ‘oh, we never use mobile devices,’ maybe relax the punitive policies and instead say, ‘let’s get honest and figure out how to make them more secure.’”

Measures to Improve Security

“Know what’s on your network,” Filkins said. “Make sure your network is configured properly and devices are configured properly.” She added it’s important to know who is using what and how it’s being used. Having a strong password policy is critical to proper configuration.

“Think like an attacker,” she continued. “And if you can’t do it, get someone who can.” There are numerous resources and companies that can help with this task. It boils down to being aware, Filkins noted. “It’s basic awareness but in a digital world.”

She continued, “Know what your network pathways are for your organization.” Filkins said that often there’s an emphasis on protection for “bad things coming in” … but if something does penetrate the system, there isn’t much monitoring of outbound traffic. Egress filtering is as important as ingress protection.

The Cost of Failure

The healthcare industry is particularly attractive to cyber attackers because of the type of information housed on servers. With medical identity theft, the victim is responsible for costs related to a compromised medical insurance record. A survey by the Ponemon Institute last year estimated that cost to be $12 billion in 2013.

Security breaches also represent major costs to the compromised entity. Steep fines, incident handling, victim notification, credit monitoring for victims, and potential legal action represent direct out-of-pocket expenditures. In addition, a data breach could significantly harm reputation and future business opportunities.

The greatest cost, however, is to a patient who winds up with inaccuracies in his medical record that could result in a misdiagnosis or wrongly prescribed medication.

The Takeaway

“Today compliance does not equal security,” Filkins wrote. “Organizations may think they’re compliant, but this data shows that they are not secure.”
