Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:16 PM

FBI Warning Highlights Healthcare's Security Infancy

Cyberattacks likely to increase against healthcare providers, FBI warns, and experts say it's no surprise since industry's security posture is about a decade behind that of the financial services sector.

Hospitals may be able to give a clean bill of health to their patients, but infections from malware require a diagnosis of a different kind.

Earlier this month, the FBI issued a warning to healthcare providers that the industry was not as prepared to deal with cyberattacks as the financial and retail sectors, and the possibility of increased attacks is likely.

The threat to the healthcare industry can come in all shapes and sizes. St. Joseph Health System in Texas, for example, acknowledged in February it was hit by an attack in December that exposed information on 405,000 employees and their beneficiaries as well as current and former patients. More recently, there have been reports about attacks on Boston Children's Hospital suspected by some to have been carried out by hacktivists in the Anonymous collective.

According to Verizon's latest data breach report, the firm analyzed 26 breaches of healthcare organizations in 2013. Seven of these incidents were confirmed to have resulted in the loss of data, the report notes. The two main reasons for data breaches in the industry cited in the report were physical loss or theft of a device and miscellaneous errors where unintentional actions directly compromised security.

"The [FBI] warning is just bringing additional awareness to a healthcare market that has really reflected the industry's lack of awareness to date of the cyber threat they face," says Mick Coady, PricewaterhouseCoopers (PwC) Health Information Privacy and Security Partner. "Healthcare is where the financial industry was 10- to 12 years ago in terms of IT security."

Late last year PwC released a survey that provided two key takeaways: Security programs have not been particularly effective at blocking actual incidents and more than two thirds of respondents said current or former employees were likely the source of security incidents that were detected, Coady says.

Then there are issues such as access management, the prevalence of the bring-your-own device trend, and slow patch cycles, adds Coady:

But we also need to recognize that medical devices in the provider environment are also a major issue currently affecting the industry. And an equally big issue is the general lack of awareness of the overall threat landscape at healthcare institutions. In part, that's an issue caused by the lack of maturity in the healthcare industry -- the lack of understanding that today's cyber threat models now include healthcare. Frankly, academic medical institutions are even less prepared than the average. Given that most of the attacks in the US recently, and not just in healthcare, have been launched from academic or academic medical institutions. I'd say a problem is attitudinal -- the "wide openness" ethos of academia.

Part of the problem is simply experience, argues Jeff Harrell, senior director of product marketing at security vendor Norse.

"The finance industry, for example, has had years of using networks to transfer money to ensure those transactions are secure, while many healthcare organizations are just now digitizing all their records," he explains. "Healthcare organizations are simply behind."

That existing compliance regulations have not fully prevented this situation comes as no surprise, he says.

"While healthcare has fallen under HIPAA regulation for over ten years, HIPAA [Health Insurance Portability and Accountability Act] is not very prescriptive and it's easy to be compliant without actually being secure," he says. "HIPAA was one of the first regulations that covered security, and really needs to be updated to include more prescriptive controls."

Still, it is imperative that healthcare organizations conform to the basic three HIPAA HITECH regulations in order to get a measure on their security compliance posture, says Christopher Strand, senior compliance director at Bit9.

"The 'Privacy Rule' will enable them to prove that they have full control over the use and disclosure of PHI," he says. "The 'Security Rule' will guide them to have adequate security controls in place to fully protect their systems, and the 'Breach Notification Rule' will ensure they can provide full burden of proof in the event of an incident."

"Compliance, however, is only the first step," he adds. "It does not equal security."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
4/29/2014 | 11:31:09 AM
same theme, different industry
So much of what I see and hear about healthcare lagging in security comes down to the same issues dogging enterprises in all industries: users not wanting security to get in the way of them doing their jobs, and orgs not able to get on top of striking that balance. There's still a lot of denial out there about risks & threats, but at the end of day, everyone seems a lot more concerned with doing their daily work first and thinking of security second (if at all). The problem with healthcare, of course, is that these orgs are handling very personal and highly sensitive information about patients.
Robert McDougal
Robert McDougal,
User Rank: Ninja
4/28/2014 | 10:16:53 AM
I have spent a large portion of my career in Healthcare information security and I think I can shed some light on why HIPAA has been ineffective in securing the healthcare industry.  The issue is that in many large hospitals and healthcare facilities exists a culture of doctor worship.  In the organization I worked at there was a fear of upsetting the doctors by implementing security controls and procedures required by HIPAA, FISMA, and meaningful use.  As a result, if a doctor didn't want a specific control implemented, our administration wouldn't push the issue, even though we were required by law to have the control in place.
User Rank: Ninja
4/27/2014 | 9:48:48 AM
Working in Healthcare
I have seen many of the issues delineated in the article working in a Healthcare Network. We are trying to limit the scope of physical access through virtualization and restrictive controls. BYOD still provides a large issue but we are defining policies that are going to allow us to succesfully incorporate an EMM. Other security measures that have been taken in my organization include web filtering, DLP, and IPS/IDS. We are not a large security group and I recognize that healthcare is behind but what steps can be taken to close these gaps?
User Rank: Apprentice
4/25/2014 | 7:58:07 PM
The HIPAA security rule has been around for years, so it's discouraging that so many health care companies lag when it comes to information security. But as is noted in this article, HIPAA didn't offer much in the way of prescriptive rules.
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...