Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/23/2015
06:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Healthcare Organizations Twice As Likely To Experience Data Theft

Bad guys very willing to invest in attacking medical data, but healthcare not very willing to invest in defending it.

Healthcare institutions are twice as likely to experience data theft than other sectors, and already see 3.4 times more security incidents, according to a study released today by Raytheon and Websense.

Why is healthcare so popular with attackers? Perhaps because the balance sheet tips in their favor. Medical records are very desirable on the black market, because medical records, themselves, may be a treasure trove of PII, financial information, and insurance numbers.

The exact figures vary, but while basic PII may run for just $1 on the black market these days, Jim Trainor of the FBI Cybersecurity Division told CBS News in February that "PHI records can go from 20 say up to -- we've even seen $60 or $70." A new report released by BitSight today references a recent report by NPR's "All Things Considered" which found a "value pack" of just 10 Medicare numbers that sold for about $4,700.

Yet, security measures that ensure those records stay confidential can inhibit patient care -- or at least that's how it seems to some medical professionals. Nurses and physicians fully understand the importance of data availability, but when patients' lives are on the line, data confidentiality takes a back seat.

According to the Raytheon Websense report, healthcare professionals "have an increased tendency to try and get around IT security policy in order to better serve their patients" and "up to 75 percent of hospital network traffic goes unmonitored by security solutions out of fear that improperly configured security measures or alarming false positives could dramatically increase the risk to patient health or well-being." 

"Outside of stock trading, I can't think of another industry where you have to err on the side of openness," says Bob Slocum, senior product marketing manager of data and endpoint security for Websense. Further, there is no other industry, he says, where an employee (like a doctor) can routinely trump a security policy.

The end result is that attackers are far more willing to invest in stealing medical records than healthcare institutions are willing to invest in protecting them from being stolen.

As the Raytheon Websense report references, the average healthcare organization only spends about 3 percent of its IT budget on security, even though HIMSS recommends they spend at least 10 percent. Bitsight reports that while healthcare has done a good job closing up those Heartbleed vulnerabilities (only 4.4 percent), it's still wide open to FREAK (43.4 %) and POODLE (73.5 %).

Conversely, attackers will bring their best tools to bear. According to Raytheon and Websense, healthcare organizations are four times as likely to be hit with advanced malware -- particularly the CryptoWall ransomware (450% likelier), Dyre Trojan (300% likelier), and stealthy Dropper (376% likelier), which opens backdoors and drops other assorted payloads.

Healthcare is also 14 times as likely to be hit by the Andromeda botnet -- which has a particularly stealthy loader with anti-VM and anti-debug capabilities that can stay silent for months before it communicates with its command and control server, according to Raytheon and Websense.

Slocum says that he expected the numbers to be bad, and but not quite as "astronomically bad" as they were.

Plus, while outside attackers barrage them with malware, medical institutions also have malicious insiders to worry about. According to a report released yesterday by Trend Micro, healthcare has a larger insider leak problem than any other sector, attributing 17.5% of its breaches over the past 10 years to it. Insider leaks were the primary source of identity theft cases (44.2%) and healthcare was hit harder by identity theft than any other sector, accounting for 29.8% of cases.

The Bitsight report has declared healthcare the second-worst industry performer in data security, ahead of only education. According to Trend Micro, more than one-quarter (26.9%) of the data breaches reported in the past 10 years were in the healthcare sector.

And it isn't only an American problem; as the Raytheon Websense report cites, the U.K.'s National Health Services has been fined £1 million for its data security transgressions.

Complexity contributes to the problem. Multiple hospitals, labs, imaging centers, and pharmacies in multiple locations share data and computing resources.

The complexity just increases as the early-adopting industry hooks more medical devices into the Internet of Things. As guests of today's Dark Reading Radio episode on "Fixing IoT Security" remarked, one of the challenges of the IoT is installing software security updates -- something that is infinitely more complicated when the device needing the update resides within a patient's body.

Slocum says he takes the issue to heart, being a diabetic himself, but that medical device manufacturers he's spoken to have been very proactive about security -- not only by inviting ethical hackers to try to break into their devices, but by securing their other systems extra carefully, knowing that any sort of breach would damage their brand reputation and thus people's trust in their devices.

Slocum says there's some reason for optimism. He says that IT leaders in healthcare oganizations have been "beating the drum" and asking their CEOs for cybersecurity funding for years, to no avail; but since the Anthem breach, the conversation has changed.

"I believe they're going to get more [money] and executive support," he says. He recommends that they direct some of these funds to more unified solutions that can manage complex environments and to better end user awareness training.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/27/2015 | 11:11:46 PM
Re: Healthcare is unique
Indeed, two years ago, Dell SecureWorks reported that full PHI records netted about $20 per on the black market -- much more valuable than simple credit cards (except high-balance cards and the like).
UlfM645
50%
50%
UlfM645,
User Rank: Apprentice
9/25/2015 | 12:30:51 PM
Healthcare is unique
I agree that Medical records are very desirable on the black market, because medical records, themselves, may be a treasure trove of PII, financial information, and insurance numbers."

I think that healthcare is unique in that there are a greater number of people who come in contact with sensitive information during the course of normal business operations than in other industries.

So, when you combine the number of people involved with handling multiple forms of PHI records, along with the immaturity of the data security systems and practices that are in place, there are so many opportunities for mistakes or

intentional breaches to take place.

The attraction of PHI is that its value does not degrade as rapidly as credit card data, which can be changed or updated quickly.

I recently read a study from Aberdeen Group that revealed "a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data" and that half of the organizations are using data tokenization

for PII and PHI data. The name of the study is "Tokenization Gets Traction".

This is a short list of effective measures that I suggest organizations should take:

1. Fine-grained de-identification of both PII (Personally Identifiable Information) and PHI.
2. Fine-grained tokenization of PHI, to alleviate the need for plain-text data and exposure in-memory across the entire data flow.
3. Strong credentials, including password improvement and rotation, plus separation of duties to prevent privileged users, such as database administrators or system administrators, from accessing sensitive data.
   
Secure the data to the point that it is useless to a potential thief. Modern solutions such as tokenization provide better security than encryption, while retaining usability for analytics and monetization.

Ulf Mattsson, CTO Protegrity
<<   <   Page 2 / 2
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16649
PUBLISHED: 2019-09-21
On Supermicro H11, H12, M11, X9, X10, and X11 products, a combination of encryption and authentication problems in the virtual media service allows capture of BMC credentials and data transferred over virtual media devices. Attackers can use captured credentials to connect virtual USB devices to the...
CVE-2019-16650
PUBLISHED: 2019-09-21
On Supermicro X10 and X11 products, a client's access privileges may be transferred to a different client that later has the same socket file descriptor number. In opportunistic circumstances, an attacker can simply connect to the virtual media service, and then connect virtual USB devices to the se...
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.