Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Regulations, Insider Threat Handicap Healthcare IT Security

Healthcare IoT is expanding opportunities for hackers as the sector struggles to keep up security-wise.

Securing healthcare IT and IoT systems entails balancing legacy technology, regulation, and organizational challenges, and two recent reports show that the industry is falling short in its security efforts.

These issues include the architecture of hospital networks and their use: namely, a lack of segmentation is part of the legacy IT infrastructure that is the source of many vulnerabilities within healthcare.

"Data is moving in and out of hospitals very freely and they're very unsegmeneted," says Chris Morales, head of security analytics at Vectra and principal author of the 2019 Spotlight Report on Healthcare. "We have customers who are still using Windows 95. That's insane ... And we've been told that, since they're saving lives 24/7, they never patch. They're afraid of rebooting the system or messing it up."

Beyond the legacy systems healthcare organizations are unwilling to patch, there are many medical IoT edge devices, from diagnostic tools to systems that administer medicines, that IT staff are forbidden by regulation to patch, update, or modify -- even with tasks considered essential such as installing a security or monitoring agent on the device.

"The first thing is that they [IT security] can't do endpoint security," explains Morales. "The regulations are such that they can't modify a device by installing an agent."

Endpoint agents, meanwhile, can help with basic tasks for security, says Morales. "You need visibility inside the network to see, not what attackers are doing, but just what's happening."

And the unsegmented nature of many healthcare networks means that those unprotected devices are on the same networks as medical records and sensitive patient information.

Compliance

CynergisTek's recently released 2019 Annual Report, meanwhile, studied progress made by organizations regulated by NIST CSF (The NIST Cybersecurity Framework) and HIPAA rules. The study found that, while progress has been made year-over-year, the average healthcare organization has met less than half of the compliance requirements of NIST CSF.  

Given that healthcare saw roughly 14 million patient records exposed in attacks last year, "It remains clear that as an industry we continue to lag in our ability to address cyber threats or incidents when they occur," the report said.

Healthcare organizations specifically are only 47% compliant with the NIST CSF, out of 100% possible compliance, the report found. The report found that there are differences in the degree of average compliance based on the size of the organization, with larger organizations (measured by number of beds, revenue, or staff size) complying more completely than smaller organizations.

For example, organizations with less than $50 million annual revenue complied with only 27% of NIST CSF in 2018, while organizations with more than $2 billion in annual revenue complied with 76% of the framework.

Even in those organizations with stronger compliance, that doesn't mean they are necessarily secure, either, CynergisTek CEO and president Mac McMillan wrote in the report.

In particular, detection capabilities lag behind other core functional areas of NIST CSF. It's possible that's because many detection systems look in the wrong direction, focusing on finding external attackers when the greatest threats to healthcare systems come from the institutions own employees, contractors, and suppliers. "Insiders continue to be at the center of many of the breaches we see in healthcare, from curious workers to malicious criminals," McMillan wrote.

Vectra's Morales says that's one of healthcare's unique set of challenges. "Healthcare is the one industry that doesn't have to worry about the attacker on the outside as much as the attacker on the inside," he says. "They have a much bigger problem with human error than with outside attacker."

The combination of challenges faced by healthcare, and the difficulties in remediating them, means that healthcare organizations are spending significant money on efforts to become more secure. According to a report by Allied Market Research, the global healthcare cyber security market generated $5.21 billion in 2017, and is expected to reach $12.46 billion by 2023, growing at a CAGR of 15.6% from 2017 to 2023.

Fortunately for healthcare organizations, dramatic attacks such as ransomware have decreased in frequency in the last 18 months, according to Morales. That's largely because hospitals and healthcare organizations refused to pay ransom.

He says he's more worried about privacy, however, than disruption in healthcare. "Hospitals are really good at saving lives. The question is, if I go to the hospital, will everyone know about it?" he asks.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Windows 10 Migration: Getting It Right
Kevin Alexandra, Principal Solutions Engineer at BeyondTrust,  5/15/2019
Baltimore Ransomware Attack Takes Strange Twist
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/14/2019
When Older Windows Systems Won't Die
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12184
PUBLISHED: 2019-05-19
There is XSS in browser/components/MarkdownPreview.js in BoostIO Boostnote 0.11.15 via a label named flowchart, sequence, gallery, or chart, as demonstrated by a crafted SRC attribute of an IFRAME element, a different vulnerability than CVE-2019-12136.
CVE-2019-12173
PUBLISHED: 2019-05-18
MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, with a .app pathname, in the HREF attribute of an A element. This is different from CVE-2019-12138.
CVE-2019-12172
PUBLISHED: 2019-05-17
Typora 0.9.9.21.1 (1913) allows arbitrary code execution via a modified file: URL syntax in the HREF attribute of an AREA element, as demonstrated by file:\\\ on macOS or Linux, or file://C| on Windows. This is different from CVE-2019-12137.
CVE-2019-12168
PUBLISHED: 2019-05-17
Four-Faith Wireless Mobile Router F3x24 v1.0 devices allow remote code execution via the Command Shell (aka Administration > Commands) screen.
CVE-2019-12170
PUBLISHED: 2019-05-17
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PH...