Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/10/2019
05:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Industry Insight: Checking Up on Healthcare Security

Modern threats putting healthcare organization at risk, how they're improving their security posture, and where many fall short.

At a time when organizations across all industries fear data breaches and cyberattacks, those in healthcare have greater reason to be on edge. Troves of sensitive health data, a wealth of connected medical devices, and poor risk management practices make healthcare a hot target.

Between 2009 and 2018, there have been 2,546 healthcare data breaches involving more than 500 records, HIPAA Journal reports. These incidents have led to the exposure of 189,945,874 healthcare records. While 2015 has been the worst year on record, with some 113.3 million records exposed, there has been a general upward trend in the amount of compromised data.

For cybercriminals, health data is far more valuable than other types of information they sell for profit. A protected health information (PHI) record, for example, is worth 100 times as much as a credit card number on the Dark Web, Bugcrowd states in its recently published "State of Healthcare Security 2019" report. More than half of healthcare organizations lack strong confidence in medical device security.

Organizations that handle PHI must have physical, network, and operational security measures to ensure HIPAA compliance. Checking the boxes isn't easy: Despite standards like ISO/IEC 800001 and the NIST Cybersecurity Framework pushing to change healthcare tech, the industry's increasing digitization is putting sensitive data at risk.

"The big issue is the widespread use of medical devices and IoT devices connected through the Internet," says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, which published "The Economic Impact of Third-Party Risk Management in Healthcare" on behalf of Censinet. Large healthcare organizations like the Cleveland Clinic are taking this seriously and investing more resources into securing their devices; however, smaller institutions typically can't afford to do the same.

Cloud adoption is another barrier in healthcare. "For a long time, healthcare organizations have been laggards in terms of deployment to the cloud," Ponemon explains, as many feared data would fall into the wrong hands. While more have realized the cloud can strengthen security, bringing applications to the cloud requires a formal process to reduce the risk of migration.

"Most organizations don't have the resources or internal knowledge to do that very well," he adds. "It's creating a lot of internal risk during these transitions." Researchers found 72% of 554 healthcare IT and security pros say increasing reliance on third-party connected medical devices is risky, and 68% say moving to the cloud while connecting these devices creates significant risk.

Risk management was the crux of the Ponemon Institute's research, which specifically digs into how partnerships with third-party organizations are a growing threat to healthcare data. Third-party vendor incidents cost the industry $23.7 billion annually, they report.

Partnerships Come at a Price
Each data breach costs healthcare providers $2.9 million, Ponemon researchers found, which is far less than the $3.8 million in hidden costs related to managing vendor risk. In the last two years, 56% of healthcare firms have suffered a breach introduced by one or more vendors.

A recent example was reported this week: The Nemadji Research Corp., which contracts with the L.A. County Department of Health Services, was hit with a phishing attack that allowed external actors to access medical information belonging to 14,591 patients. Data included names, addresses, birth dates, medical record numbers, and Medi-Cal identification numbers.

"A constant finding was that most organizations have a really hard time managing vendors or just in general, third-party relationships," says Ponemon. Eighty percent say prioritizing vendor risk is very important, but only 36% say it's very effective. More than half (52%) allocate an average of 17% of their budget to vendor risk management. The average organization has 3.21 full-time staffers spending 500+ hours each month on vendor risk assessment, they report.

All respondents in the survey had a vendor risk assessment program in place; however, these had security gaps. Researchers found vendor risk management controls and practices are only partially deployed or not deployed at all. When assessments are conducted, 60% don't find the information valuable and many don't act on it: only one-third of respondents would mitigate security gaps, and 28% would terminate a relationship with a vendor that didn't meet standards.

"The whole idea of an assessment is to recognize the negative and positive things vendors are doing, and doing [this] in a way that helps change the organization's process when they identify a practice that is unacceptable or doesn't meet the control standard," Ponemon says.

Catching and Squashing Healthcare Bugs
Nearly all medical devices are, in some way, connected to the Internet, the Bugcrowd report says. It's one of many factors healthcare cybersecurity teams are worried about, along with a rise in mobile digital health applications and electronic patient records moving to the cloud.

From 2017 to 2018, researchers saw 340.6% growth in vulnerability submissions for healthcare organizations. Bugcrowd chief security officer David Baker partly attributes this to rapid adoption of crowdsourced security. "The speed at which healthcare is adopting crowdsourced security [is] much faster than I've seen them adopt other security solutions," he says. While medical devices aren't yet included in bug bounty programs, websites, and mobile apps are.

Most organizations are concerned about the loss of PHI, and the loss of personally identifiable information (PII) that correlates with the PHI, Baker says. More health companies are connecting APIs into health applications, which collect patient data to send to physicians. The loss of PHI is "pretty catastrophic," he adds, citing the penalties and fines associated with it.

Nearly 75% of healthcare program submissions involve website targets, Baker says, a large majority compared with IoT (4.8%), Android (3.6%), and API (3%). About 42% fell in the P3-level criticality, 12.2% were classified P1 (highest severity), and 11.3% classified P5 (lowest severity).

P3 vulnerabilities are considered to be medium severity, he explains. They don't necessarily relate to PHI or PII disclosure, but they relate to details of the app itself. These bugs might involve cross-site scripting or request forgery; they're often found in Web-facing technologies. When multiple P3s are chained together, it can lead to potentially severe consequences.

While the trend of crowdsourced security indicates healthcare organizations have security, Baker says they also need to strengthen their ability to address the vulnerabilities they find.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
7/16/2019 | 10:05:22 AM
Are Hospitals part of GDPR?
From my understanding, most organizations are part of this GDPR group? Health care agencies have experienced a number of hacks where they have lost more PII data than any organizational group.

If this aspect is one of their main concerns, why don't they bring in third-party consultants to address some of their issues? A number of health-care agencies have a direct relationship with the university's CIS or IT divisions. It would make sense to tap into that knowledge base on campus (i.e. CIS - Computer Information Systems). The university's IT group could help address some of the IT security issues, not sure if they are but it would be interesting to see what they are doing to protect this data?

Please review the top NAC solutions (comparison listed below), it is imperative because NACs ensure isolated access to medical devices.



NAC Device Comparison Reference

Per the conversations on DR (Dark Reading), it is imperative to put the medical devices on their own network (network segmentation), then route all of the traffic from the various devices to managing switches (daisy chain or cluster them together). By isolating the traffic, the hospital could filter access to the medical devices (i.e. Med-Dev, made it up) to only to their management systems and staff, nothing else. This process could limit the external attack by reducing the hospital's attack surface. Also, I would suggest the following as a possible solution:
  • Enable IPv6 on the endpoint devices (ensure they come that way)
  • Enable IPv6 AES256 ESP/AH VPN connections to the devices (encrypt the traffic sessions)
  • Ask the vendor if there is a way to limit the traffic to the mgmt. servers to only allow certain ports or ask if the ports can be modified for NMS monitoring
  • Standardize equipment purchases but keep options open for enhanced or different versions
  • Create a test environment to monitor traffic to and from the NAC (Network Access Control) devices
  • Physically separate the guest network for waiting areas (isolate the production, device, mgmt, and admin network)
  • Harden the mgmt. servers and follow NIST 800-Rev4/5 guidelines

The vendor needs to support IPv6, most of the hack attempts identified have occurred on IPv4 and not IPv6 (Russia, China, North Korea, Iran, Japan).

Todd
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: He still insists that security by obscurity is the way to go.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9681
PUBLISHED: 2019-09-17
Online upgrade information in some firmware packages of Dahua products is not encrypted. Attackers can obtain this information by analyzing firmware packages by specific means. Affected products include: IPC-HDW1X2X,IPC-HFW1X2X,IPC-HDW2X2X,IPC-HFW2X2X,IPC-HDW4X2X,IPC-HFW4X2X,IPC-HDBW4X2X,IPC-HDW5X2X...
CVE-2019-9009
PUBLISHED: 2019-09-17
An issue was discovered in 3S-Smart CODESYS before 3.5.15.0 . Crafted network packets cause the Control Runtime to crash.
CVE-2018-20336
PUBLISHED: 2019-09-17
An issue was discovered in Asuswrt-Merlin 384.6. There is a stack-based buffer overflow issue in parse_req_queries function in wanduck.c via a long string over UDP, which may lead to an information leak.
CVE-2019-12755
PUBLISHED: 2019-09-17
Norton Password Manager, prior to 6.5.0.2104, may be susceptible to an information disclosure issue, which is a type of vulnerability whereby there is an unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
CVE-2019-14826
PUBLISHED: 2019-09-17
A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies were retained in the cache after logout. An attacker could abuse this flaw if they obtain previously valid session cookies and can use this to gain access to the session.