4/25/2014
06:16 PM

FBI Warning Highlights Healthcare's Security Infancy

Cyberattacks likely to increase against healthcare providers, FBI warns, and experts say it's no surprise since the industry's security posture is about a decade behind that of the financial services sector.

Hospitals may be able to give a clean bill of health to their patients, but infections from malware require a diagnosis of a different kind.

Earlier this month, the FBI issued a warning to healthcare providers that the industry was not as prepared to deal with cyberattacks as the financial and retail sectors, and that increased attacks are likely.

The threat to the healthcare industry can come in all shapes and sizes. St. Joseph Health System in Texas, for example, acknowledged in February it was hit by an attack in December that exposed information on 405,000 employees and their beneficiaries as well as current and former patients. More recently, there have been reports about attacks on Boston Children's Hospital suspected by some to have been carried out by hacktivists in the Anonymous collective.

According to Verizon's latest data breach report, the firm analyzed 26 breaches of healthcare organizations in 2013. Seven of these incidents were confirmed to have resulted in the loss of data, the report notes. The two main reasons for data breaches in the industry cited in the report were physical loss or theft of a device and miscellaneous errors where unintentional actions directly compromised security.

"The [FBI] warning is just bringing additional awareness to a healthcare market that has really reflected the industry's lack of awareness to date of the cyber threat they face," says Mick Coady, PricewaterhouseCoopers (PwC) Health Information Privacy and Security Partner. "Healthcare is where the financial industry was 10 to 12 years ago in terms of IT security."

Late last year, PwC released a survey that provided two key takeaways: security programs have not been particularly effective at blocking actual incidents, and more than two-thirds of respondents said current or former employees were likely the source of security incidents that were detected, Coady says.

Then there are issues such as access management, the prevalence of the bring-your-own-device trend, and slow patch cycles, adds Coady:

"But we also need to recognize that medical devices in the provider environment are also a major issue currently affecting the industry. And an equally big issue is the general lack of awareness of the overall threat landscape at healthcare institutions. In part, that's an issue caused by the lack of maturity in the healthcare industry -- the lack of understanding that today's cyber threat models now include healthcare. Frankly, academic medical institutions are even less prepared than the average. Given that most of the attacks in the US recently, and not just in healthcare, have been launched from academic or academic medical institutions. I'd say a problem is attitudinal -- the 'wide openness' ethos of academia."

Part of the problem is simply experience, argues Jeff Harrell, senior director of product marketing at security vendor Norse.

"The finance industry, for example, has had years of using networks to transfer money to ensure those transactions are secure, while many healthcare organizations are just now digitizing all their records," he explains. "Healthcare organizations are simply behind."

That existing compliance regulations have not fully prevented this situation comes as no surprise, he says.

"While healthcare has fallen under HIPAA regulation for over ten years, HIPAA [Health Insurance Portability and Accountability Act] is not very prescriptive and it's easy to be compliant without actually being secure," he says. "HIPAA was one of the first regulations that covered security, and really needs to be updated to include more prescriptive controls."

Still, it is imperative that healthcare organizations conform to the basic three HIPAA HITECH regulations in order to get a measure on their security compliance posture, says Christopher Strand, senior compliance director at Bit9.

"The 'Privacy Rule' will enable them to prove that they have full control over the use and disclosure of PHI," he says. "The 'Security Rule' will guide them to have adequate security controls in place to fully protect their systems, and the 'Breach Notification Rule' will ensure they can provide full burden of proof in the event of an incident."

"Compliance, however, is only the first step," he adds. "It does not equal security."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
4/29/2014 | 11:31:09 AM
same theme, different industry
So much of what I see and hear about healthcare lagging in security comes down to the same issues dogging enterprises in all industries: users not wanting security to get in the way of them doing their jobs, and orgs not able to get on top of striking that balance. There's still a lot of denial out there about risks & threats, but at the end of day, everyone seems a lot more concerned with doing their daily work first and thinking of security second (if at all). The problem with healthcare, of course, is that these orgs are handling very personal and highly sensitive information about patients.
Robert McDougal,
User Rank: Ninja
4/28/2014 | 10:16:53 AM
Re: HIPAA
I have spent a large portion of my career in Healthcare information security and I think I can shed some light on why HIPAA has been ineffective in securing the healthcare industry. The issue is that in many large hospitals and healthcare facilities there exists a culture of doctor worship. In the organization I worked at there was a fear of upsetting the doctors by implementing security controls and procedures required by HIPAA, FISMA, and meaningful use. As a result, if a doctor didn't want a specific control implemented, our administration wouldn't push the issue, even though we were required by law to have the control in place.
RyanSepe,
User Rank: Ninja
4/27/2014 | 9:48:48 AM
Working in Healthcare
I have seen many of the issues delineated in the article working in a Healthcare Network. We are trying to limit the scope of physical access through virtualization and restrictive controls. BYOD still provides a large issue but we are defining policies that are going to allow us to successfully incorporate an EMM. Other security measures that have been taken in my organization include web filtering, DLP, and IPS/IDS. We are not a large security group and I recognize that healthcare is behind but what steps can be taken to close these gaps?
MarciaNWC,
User Rank: Apprentice
4/25/2014 | 7:58:07 PM
HIPAA
The HIPAA security rule has been around for years, so it's discouraging that so many health care companies lag when it comes to information security. But as is noted in this article, HIPAA didn't offer much in the way of prescriptive rules.