Healthcare Institutions – The Highest Value Data for Cyber-attackers
The healthcare industry is experiencing ever increasing levels of cyber-attack on a global basis. The trend is expected to continue with no end in sight. The Federal Bureau of Investigation (FBI) went on record in April, 2014 that made clear an expectation to see increased cyber-attacks against the healthcare infrastructure in the United States. The FBI observed this increase to be both a function of less than rigorous cyber security standards and the very obvious high financial value received for stolen medical records. This year, the US National Security Agency (NSA) warned of the increasing danger of destructive cyber-attacks by nation states. Richard Ledgett, the deputy director of NSA said, "If you are connected to the Internet, you are vulnerable to determined nation-state attackers." To put this in context, per the Identify Theft Resource Center (ITRC), 32.7 percent of all data breach incidents happened within the healthcare industry. That's many millions of medical records in the first quarter of 2015 alone.
The economic incentive driving all of this is huge and compelling. Healthcare data is tremendously valuable to cyber-attackers. Cybersecurity firm Dell Secure Works reported that successful cyber-attackers were receiving as much as $20 to $40 for health insurance credentials alone. Compare this with industry data on the value of stolen credit card numbers. Stolen credit card numbers are often valued between $1 to $2 each when sold on the dark web or black market. Health insurance credentials have a value perhaps of 10 times to 20 times that of a credit card. Cyber-attackers know that healthcare networks are quite vulnerable and offer considerable reward.
This has positioned healthcare institutions as one of the primary targets of choice for cyber-attackers. Hospitals now face a very high risk for damage to reputation, loss of patient data and the exposure to HIPAA violation penalties, let alone expensive litigation liability. These risks have never been higher for the industry.
Why Healthcare Networks are so Vulnerable
The basic tools and defenses that security teams have within healthcare are no longer effective against many attackers. These traditional defense-in-depth cyber tools are falling to attackers at an increasing rate. The legacy architectures in cyber defense that depend on the notion of defending a perimeter around the enterprise don't work well anymore against many of these sophisticated modern attackers. For these reasons it is very likely most hospitals are truly unaware of active and successful attackers already inside their networks.
Further, healthcare networks have additional points of vulnerability that make them even more susceptible to a well targeted attack. Research has identified medical devices as primary targets well known to attackers. This medical device attack vector, otherwise known as medical device hijack (or MEDJACK), enables an attacker to penetrate cyber defenses and then to stay undetected within the medical device for an extended period of time during which data may be identified and stolen. Medical devices are the key nodes for an attack and provide a protected harbor in which attackers may open "back doors" to continue their extended attacks.
There are virtually no diagnostic cyber security tools that a hospital security team can use to find an attacker active within a medical device. Users of these devices usually cannot install additional security layers, such as antivirus or intrusion prevision, onto the product, mainly due to the fact that healthcare institution information technology teams do not have access to the device's operating system or its internal software. In most cases, manufacturers block access to the operating system within the medical device. The reason for this is because further modifying or changing the software within an FDA approved device might affect operation in a negative or unpredictable way. Hospitals are concerned about liability, especially in a situation where loading software could accidentally or unintentionally change the behavior of the device. This FDA approval process is designed to ensure that medical devices meet necessary standards of manufacture, deliver required product performance, and meet safe use for consumers. FDA guidance directs that the installation of updates and patches to software to protect against malware threats are important. The FDA has published a guidance document for manufacturers on the cybersecurity of medical devices. The goal is for manufacturers to stay focused on developing and maintaining adequate cyber defense capabilities in their medical device platforms. The FDA clearly states that they don't expect healthcare institutions to have the expertise of the manufacturer and provides explicit direction to work with the device maker directly to deal with recognized cybersecurity vulnerabilities.
MEDJACK is very difficult to detect and often more difficult to remove. The security technology team in the hospital is almost totally dependent on the manufacturers to maintain security within their devices. Even when suspected, most healthcare security teams have to get the medical device manufacturer's support in order to get forensic data from these devices for analysis. The medical devices do not have the necessary cyber defense software to detect the MEDJACK attack vector. Finally, the hospital's standard cyber security environment cannot access the internal software operations of medical devices. Detection, remediation and re-provisioning of the medical device almost always requires the manufacturer's involvement. Since the infected medical device may run diagnostics that show the device is fine, some manufacturers of these devices may choose not to repair or remediate the device. Many of the maintenance and support contracts for medical devices do not yet cover cyber security issues directly.
Finally, the out-of-date operating systems used within medical devices make them even more susceptible to attack. Most medical devices are running insecure operating systems such as windows 2000, windows XP or Linux. Attackers use known and unpatched vulnerabilities in these operating systems as a wide open door to gain a persistent and undetectable "backdoor" within the medical devices, which is why the MEDJACK attack vector presents a highly attractive target to attackers.
Recommendations
Hospitals and major healthcare institutions should implement the following recommendations for securing their medical devices:
• Implement a strategy to deploy software and hardware fixes provided by the manufacturer of your medical devices
• Implement a strategy to acquire medical devices after a comprehensive review with the manufacturer regarding cyber security processes and protections
• Implement a strategy to review and upgrade protection for your existing medical devices now. Understand the risk these pose to your network today
• Implement a strategy to update your existing medical device vendor contracts for support and maintenance and specifically address malware remediation
• Given the very high risk of data breach, major healthcare institutions should consider the possibility of being cited for significant HIPAA violations and seek the advice of HIPAA consultants that can provide guidance in compliance with the HIPAA requirements
• Move to medical device vendors that utilize digitally signed software. Software signing is a mathematical technique used to validate the authenticity and source of the software. All internal data related to test results and patient records should be encrypted at all times when stored
• Evaluate prospective vendors very carefully with respect to cyber security. Run stringent security tests to discover vulnerabilities before you bring these devices into your networks
• Medical devices should be inside a secure network zone protected with a firewall that restricts access other than by designed IP addresses
Conclusion
The presence of medical devices on healthcare networks makes them much more vulnerable to successful cyber-attack. The data stored within healthcare networks is a highly valuable target for attackers.
Medical devices are generally closed FDA certified systems and as such are not easily accessible by 3rd party cyber defense software. Further, vulnerabilities within medical devices will likely render components of the hospital's cyber security technology ineffective. Hospital security teams cannot easily detect malware on a system which is closed and which they cannot scan for malware or the presence of an attacker's "back door."
Understanding the problem is the first step. There are many positive actions healthcare institutions can take to increase their protection against advanced attackers and the MEDJACK attack. Healthcare institutions can benefit significantly from the recommendations listed above. Given the very high risk of data breach, healthcare IT teams should identify and acquire technologies designed to identify attackers that have already bypassed an organization's primary defenses. New technologies such as deception technology can provide this advantage for security operations center (SOC) teams or managed security service providers (MSSPs). Deception technology can substantially reduce the time to breach detection and perhaps be one of the key factors that protects organizations from the liability and expense of a major data breach.
http://www.bbc.com/news/world-us-canada-34641382
Carl Wright is general manager and executive vice president worldwide sales at TrapX. Wright is a seasoned entrepreneur and executive with experience in the security, storage, virtualization and software sectors. Prior to joining TrapX he held executive operational roles at Securify, Decru, and Kidaro, where he contributed to rapid growth and subsequent acquisition by, respectively, Microsoft, Network Appliance and Secure Computing. He has extensive experience in all aspects of enterprise information technology deployments and has held key IT operational roles, including chief information security officer for the U.S. Marine Corps. He holds a bachelor's degree in management from Augsburg College and a master's degree in information technology management from the Naval Postgraduate School. In 1999, he was awarded the National Security Agency's Frank B. Rowlett Trophy for Worldwide Information Security Professional of the year by General Michael Hayden (U.S. Air Force Ret.).