Attacks/Breaches
4/25/2014
06:16 PM
50%
50%

FBI Warning Highlights Healthcare's Security Infancy

Cyberattacks likely to increase against healthcare providers, FBI warns, and experts say it's no surprise since industry's security posture is about a decade behind that of the financial services sector.

Hospitals may be able to give a clean bill of health to their patients, but infections from malware require a diagnosis of a different kind.

Earlier this month, the FBI issued a warning to healthcare providers that the industry was not as prepared to deal with cyberattacks as the financial and retail sectors, and the possibility of increased attacks is likely.

The threat to the healthcare industry can come in all shapes and sizes. St. Joseph Health System in Texas, for example, acknowledged in February it was hit by an attack in December that exposed information on 405,000 employees and their beneficiaries as well as current and former patients. More recently, there have been reports about attacks on Boston Children's Hospital suspected by some to have been carried out by hacktivists in the Anonymous collective.

According to Verizon's latest data breach report, the firm analyzed 26 breaches of healthcare organizations in 2013. Seven of these incidents were confirmed to have resulted in the loss of data, the report notes. The two main reasons for data breaches in the industry cited in the report were physical loss or theft of a device and miscellaneous errors where unintentional actions directly compromised security.

"The [FBI] warning is just bringing additional awareness to a healthcare market that has really reflected the industry's lack of awareness to date of the cyber threat they face," says Mick Coady, PricewaterhouseCoopers (PwC) Health Information Privacy and Security Partner. "Healthcare is where the financial industry was 10- to 12 years ago in terms of IT security."

Late last year PwC released a survey that provided two key takeaways: Security programs have not been particularly effective at blocking actual incidents and more than two thirds of respondents said current or former employees were likely the source of security incidents that were detected, Coady says.

Then there are issues such as access management, the prevalence of the bring-your-own device trend, and slow patch cycles, adds Coady:

But we also need to recognize that medical devices in the provider environment are also a major issue currently affecting the industry. And an equally big issue is the general lack of awareness of the overall threat landscape at healthcare institutions. In part, that's an issue caused by the lack of maturity in the healthcare industry -- the lack of understanding that today's cyber threat models now include healthcare. Frankly, academic medical institutions are even less prepared than the average. Given that most of the attacks in the US recently, and not just in healthcare, have been launched from academic or academic medical institutions. I'd say a problem is attitudinal -- the "wide openness" ethos of academia.

Part of the problem is simply experience, argues Jeff Harrell, senior director of product marketing at security vendor Norse.

"The finance industry, for example, has had years of using networks to transfer money to ensure those transactions are secure, while many healthcare organizations are just now digitizing all their records," he explains. "Healthcare organizations are simply behind."

That existing compliance regulations have not fully prevented this situation comes as no surprise, he says.

"While healthcare has fallen under HIPAA regulation for over ten years, HIPAA [Health Insurance Portability and Accountability Act] is not very prescriptive and it's easy to be compliant without actually being secure," he says. "HIPAA was one of the first regulations that covered security, and really needs to be updated to include more prescriptive controls."

Still, it is imperative that healthcare organizations conform to the basic three HIPAA HITECH regulations in order to get a measure on their security compliance posture, says Christopher Strand, senior compliance director at Bit9.

"The 'Privacy Rule' will enable them to prove that they have full control over the use and disclosure of PHI," he says. "The 'Security Rule' will guide them to have adequate security controls in place to fully protect their systems, and the 'Breach Notification Rule' will ensure they can provide full burden of proof in the event of an incident."

"Compliance, however, is only the first step," he adds. "It does not equal security."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
4/29/2014 | 11:31:09 AM
same theme, different industry
So much of what I see and hear about healthcare lagging in security comes down to the same issues dogging enterprises in all industries: users not wanting security to get in the way of them doing their jobs, and orgs not able to get on top of striking that balance. There's still a lot of denial out there about risks & threats, but at the end of day, everyone seems a lot more concerned with doing their daily work first and thinking of security second (if at all). The problem with healthcare, of course, is that these orgs are handling very personal and highly sensitive information about patients.
Robert McDougal
100%
0%
Robert McDougal,
User Rank: Ninja
4/28/2014 | 10:16:53 AM
Re: HIPAA
I have spent a large portion of my career in Healthcare information security and I think I can shed some light on why HIPAA has been ineffective in securing the healthcare industry.  The issue is that in many large hospitals and healthcare facilities exists a culture of doctor worship.  In the organization I worked at there was a fear of upsetting the doctors by implementing security controls and procedures required by HIPAA, FISMA, and meaningful use.  As a result, if a doctor didn't want a specific control implemented, our administration wouldn't push the issue, even though we were required by law to have the control in place.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/27/2014 | 9:48:48 AM
Working in Healthcare
I have seen many of the issues delineated in the article working in a Healthcare Network. We are trying to limit the scope of physical access through virtualization and restrictive controls. BYOD still provides a large issue but we are defining policies that are going to allow us to succesfully incorporate an EMM. Other security measures that have been taken in my organization include web filtering, DLP, and IPS/IDS. We are not a large security group and I recognize that healthcare is behind but what steps can be taken to close these gaps?
MarciaNWC
50%
50%
MarciaNWC,
User Rank: Apprentice
4/25/2014 | 7:58:07 PM
HIPAA
The HIPAA security rule has been around for years, so it's discouraging that so many health care companies lag when it comes to information security. But as is noted in this article, HIPAA didn't offer much in the way of prescriptive rules.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: You should see what I wear on my work from home days!
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.