Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Regulations, Insider Threat Handicap Healthcare IT Security

Healthcare IoT is expanding opportunities for hackers as the sector struggles to keep up security-wise.

Securing healthcare IT and IoT systems entails balancing legacy technology, regulation, and organizational challenges, and two recent reports show that the industry is falling short in its security efforts.

These issues include the architecture of hospital networks and their use: namely, a lack of segmentation is part of the legacy IT infrastructure that is the source of many vulnerabilities within healthcare.

"Data is moving in and out of hospitals very freely and they're very unsegmeneted," says Chris Morales, head of security analytics at Vectra and principal author of the 2019 Spotlight Report on Healthcare. "We have customers who are still using Windows 95. That's insane ... And we've been told that, since they're saving lives 24/7, they never patch. They're afraid of rebooting the system or messing it up."

Beyond the legacy systems healthcare organizations are unwilling to patch, there are many medical IoT edge devices, from diagnostic tools to systems that administer medicines, that IT staff are forbidden by regulation to patch, update, or modify -- even with tasks considered essential such as installing a security or monitoring agent on the device.

"The first thing is that they [IT security] can't do endpoint security," explains Morales. "The regulations are such that they can't modify a device by installing an agent."

Endpoint agents, meanwhile, can help with basic tasks for security, says Morales. "You need visibility inside the network to see, not what attackers are doing, but just what's happening."

And the unsegmented nature of many healthcare networks means that those unprotected devices are on the same networks as medical records and sensitive patient information.

Compliance

CynergisTek's recently released 2019 Annual Report, meanwhile, studied progress made by organizations regulated by NIST CSF (The NIST Cybersecurity Framework) and HIPAA rules. The study found that, while progress has been made year-over-year, the average healthcare organization has met less than half of the compliance requirements of NIST CSF.  

Given that healthcare saw roughly 14 million patient records exposed in attacks last year, "It remains clear that as an industry we continue to lag in our ability to address cyber threats or incidents when they occur," the report said.

Healthcare organizations specifically are only 47% compliant with the NIST CSF, out of 100% possible compliance, the report found. The report found that there are differences in the degree of average compliance based on the size of the organization, with larger organizations (measured by number of beds, revenue, or staff size) complying more completely than smaller organizations.

For example, organizations with less than $50 million annual revenue complied with only 27% of NIST CSF in 2018, while organizations with more than $2 billion in annual revenue complied with 76% of the framework.

Even in those organizations with stronger compliance, that doesn't mean they are necessarily secure, either, CynergisTek CEO and president Mac McMillan wrote in the report.

In particular, detection capabilities lag behind other core functional areas of NIST CSF. It's possible that's because many detection systems look in the wrong direction, focusing on finding external attackers when the greatest threats to healthcare systems come from the institutions own employees, contractors, and suppliers. "Insiders continue to be at the center of many of the breaches we see in healthcare, from curious workers to malicious criminals," McMillan wrote.

Vectra's Morales says that's one of healthcare's unique set of challenges. "Healthcare is the one industry that doesn't have to worry about the attacker on the outside as much as the attacker on the inside," he says. "They have a much bigger problem with human error than with outside attacker."

The combination of challenges faced by healthcare, and the difficulties in remediating them, means that healthcare organizations are spending significant money on efforts to become more secure. According to a report by Allied Market Research, the global healthcare cyber security market generated $5.21 billion in 2017, and is expected to reach $12.46 billion by 2023, growing at a CAGR of 15.6% from 2017 to 2023.

Fortunately for healthcare organizations, dramatic attacks such as ransomware have decreased in frequency in the last 18 months, according to Morales. That's largely because hospitals and healthcare organizations refused to pay ransom.

He says he's more worried about privacy, however, than disruption in healthcare. "Hospitals are really good at saving lives. The question is, if I go to the hospital, will everyone know about it?" he asks.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.