Healthcare institutions are twice as likely to experience data theft than other sectors, and already see 3.4 times more security incidents, according to a study released today by Raytheon and Websense.
Why is healthcare so popular with attackers? Perhaps because the balance sheet tips in their favor. Medical records are very desirable on the black market, because medical records, themselves, may be a treasure trove of PII, financial information, and insurance numbers.
The exact figures vary, but while basic PII may run for just $1 on the black market these days, Jim Trainor of the FBI Cybersecurity Division told CBS News in February that "PHI records can go from 20 say up to -- we've even seen $60 or $70." A new report released by BitSight today references a recent report by NPR's "All Things Considered" which found a "value pack" of just 10 Medicare numbers that sold for about $4,700.
Yet, security measures that ensure those records stay confidential can inhibit patient care -- or at least that's how it seems to some medical professionals. Nurses and physicians fully understand the importance of data availability, but when patients' lives are on the line, data confidentiality takes a back seat.
According to the Raytheon Websense report, healthcare professionals "have an increased tendency to try and get around IT security policy in order to better serve their patients" and "up to 75 percent of hospital network traffic goes unmonitored by security solutions out of fear that improperly configured security measures or alarming false positives could dramatically increase the risk to patient health or well-being."
"Outside of stock trading, I can't think of another industry where you have to err on the side of openness," says Bob Slocum, senior product marketing manager of data and endpoint security for Websense. Further, there is no other industry, he says, where an employee (like a doctor) can routinely trump a security policy.
The end result is that attackers are far more willing to invest in stealing medical records than healthcare institutions are willing to invest in protecting them from being stolen.
As the Raytheon Websense report references, the average healthcare organization only spends about 3 percent of its IT budget on security, even though HIMSS recommends they spend at least 10 percent. Bitsight reports that while healthcare has done a good job closing up those Heartbleed vulnerabilities (only 4.4 percent), it's still wide open to FREAK (43.4 %) and POODLE (73.5 %).
Conversely, attackers will bring their best tools to bear. According to Raytheon and Websense, healthcare organizations are four times as likely to be hit with advanced malware -- particularly the CryptoWall ransomware (450% likelier), Dyre Trojan (300% likelier), and stealthy Dropper (376% likelier), which opens backdoors and drops other assorted payloads.
Healthcare is also 14 times as likely to be hit by the Andromeda botnet -- which has a particularly stealthy loader with anti-VM and anti-debug capabilities that can stay silent for months before it communicates with its command and control server, according to Raytheon and Websense.
Slocum says that he expected the numbers to be bad, and but not quite as "astronomically bad" as they were.
Plus, while outside attackers barrage them with malware, medical institutions also have malicious insiders to worry about. According to a report released yesterday by Trend Micro, healthcare has a larger insider leak problem than any other sector, attributing 17.5% of its breaches over the past 10 years to it. Insider leaks were the primary source of identity theft cases (44.2%) and healthcare was hit harder by identity theft than any other sector, accounting for 29.8% of cases.
The Bitsight report has declared healthcare the second-worst industry performer in data security, ahead of only education. According to Trend Micro, more than one-quarter (26.9%) of the data breaches reported in the past 10 years were in the healthcare sector.
And it isn't only an American problem; as the Raytheon Websense report cites, the U.K.'s National Health Services has been fined £1 million for its data security transgressions.
Complexity contributes to the problem. Multiple hospitals, labs, imaging centers, and pharmacies in multiple locations share data and computing resources.
The complexity just increases as the early-adopting industry hooks more medical devices into the Internet of Things. As guests of today's Dark Reading Radio episode on "Fixing IoT Security" remarked, one of the challenges of the IoT is installing software security updates -- something that is infinitely more complicated when the device needing the update resides within a patient's body.
Slocum says he takes the issue to heart, being a diabetic himself, but that medical device manufacturers he's spoken to have been very proactive about security -- not only by inviting ethical hackers to try to break into their devices, but by securing their other systems extra carefully, knowing that any sort of breach would damage their brand reputation and thus people's trust in their devices.
Slocum says there's some reason for optimism. He says that IT leaders in healthcare oganizations have been "beating the drum" and asking their CEOs for cybersecurity funding for years, to no avail; but since the Anthem breach, the conversation has changed.
"I believe they're going to get more [money] and executive support," he says. He recommends that they direct some of these funds to more unified solutions that can manage complex environments and to better end user awareness training.