Report: Healthcare Cybersecurity Appalling, Legislation Not Enough

A report by SANS-Norse reveals the "alarming" state of healthcare cybersecurity.

April 7, 2014

The time to act is yesterday. As the Internet of Things expands into healthcare it is also making connected medical devices and software into increasingly attractive targets for hackers. In short, the flood is coming, and medical devices and healthcare aren't ready.

A report released by the SANS Institute, a private company that specializes in Internet security training, in conjunction with Norse, providers of security and anti-fraud solutions and live threat intelligence, has found that healthcare is lacking across the board when it comes to securing data from attack and preventing malicious use of networked medical devices.

[Figure: The report found that a variety of Internet-connected devices account for healthcare cybersecurity vulnerabilities. Source: SANS Healthcare Cyberthreat Report]

Between September 2012 and October 2013, SANS and Norse analyzed about 50,000 malicious events collected through the Norse threat intelligence infrastructure. The data covered every type of healthcare organization, including hospitals, insurance carriers, and pharmaceutical companies. The analysis found compromises of all kinds, from medical devices to Web cameras, a significant number of which were "due to very basic issues such as not changing default credentials on firewalls."

“Many of the organizations were compromised and, therefore, out of compliance for months, and some for the duration of the study—meaning they never detected their compromises or outbound malicious communications, nor did they acknowledge warnings from the Norse response team,” the report says.
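The failure the report describes is one of visibility: compromised devices kept talking to the outside for months and nobody was watching the egress path. The following is an added example, not code from the SANS-Norse report or from MD+DI, of the kind of check that would have surfaced it. It runs over constructed firewall log lines (the log format, the device VLAN `10.20.0.0/16`, the vendor allowlist and every address are hypothetical) and flags two things: any connection from the medical-device segment to an external host that is not on the vendor allowlist, and flows that repeat at a near-constant interval, the beaconing pattern typical of malware calling home.

```python
"""Egress monitoring for a medical-device network segment.

Added example; not from the SANS-Norse report. The log format, the device
VLAN, the allowlist and all sample log lines below are constructed.
"""
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical: the VLAN where patient monitors, pumps and lab analyzers live.
DEVICE_NET = ipaddress.ip_network("10.20.0.0/16")
# RFC 1918 space, treated as internal. (Checked explicitly rather than with
# ip.is_private, which also covers the documentation ranges used below.)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical allowlist: vendor update/telemetry hosts the devices may reach.
ALLOWED_EXTERNAL = {"203.0.113.10", "203.0.113.11"}

# Constructed firewall log: "<iso-timestamp> ALLOW <src>:<sport> -> <dst>:<dport> <proto>"
# 10.20.4.7 is a monitor that reaches its vendor (fine) and then calls an
# unknown host every ~5 minutes (beacon). 10.20.9.2 makes one odd DNS query.
SAMPLE_LOG = """\
2013-06-01T00:00:00 ALLOW 10.20.4.7:49152 -> 203.0.113.10:443 tcp
2013-06-01T00:00:05 ALLOW 10.20.4.7:49153 -> 198.51.100.23:8080 tcp
2013-06-01T00:05:05 ALLOW 10.20.4.7:49154 -> 198.51.100.23:8080 tcp
2013-06-01T00:10:04 ALLOW 10.20.4.7:49155 -> 198.51.100.23:8080 tcp
2013-06-01T00:15:06 ALLOW 10.20.4.7:49156 -> 198.51.100.23:8080 tcp
2013-06-01T00:02:00 ALLOW 10.20.9.2:51000 -> 10.20.1.1:445 tcp
2013-06-01T00:03:00 ALLOW 10.50.1.4:40000 -> 198.51.100.99:443 tcp
2013-06-01T00:04:00 ALLOW 10.20.9.2:51001 -> 192.0.2.5:53 udp
"""


def parse_log(text):
    """Parse the constructed log format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "->":
            continue
        ts, action, src, _, dst, proto = parts
        src_ip, _src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "action": action,
            "src": ipaddress.ip_address(src_ip),
            "dst": ipaddress.ip_address(dst_ip),
            "dport": int(dst_port),
            "proto": proto,
        })
    return events


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_unexpected_egress(events):
    """Device-VLAN sources talking to external hosts not on the allowlist.

    Returns sorted unique (src, dst, dport) tuples.
    """
    hits = set()
    for e in events:
        if (e["src"] in DEVICE_NET and not is_internal(e["dst"])
                and str(e["dst"]) not in ALLOWED_EXTERNAL):
            hits.add((str(e["src"]), str(e["dst"]), e["dport"]))
    return sorted(hits)


def find_beacons(events, min_hits=3, max_jitter=15):
    """Device-VLAN flows to external hosts that repeat at a near-constant period.

    A flow is a beacon when it has at least min_hits connections and the
    spread between its longest and shortest inter-connection gap is at most
    max_jitter seconds. Returns sorted (src, dst, dport, period_seconds).
    """
    flows = defaultdict(list)
    for e in events:
        if e["src"] in DEVICE_NET and not is_internal(e["dst"]):
            flows[(str(e["src"]), str(e["dst"]), e["dport"])].append(e["ts"])
    beacons = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            beacons.append(key + (int(statistics.median(gaps)),))
    return sorted(beacons)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in find_unexpected_egress(evs):
        print("unexpected egress:", hit)
    for b in find_beacons(evs):
        print("beacon:", b)
```

On the constructed input the allowlisted vendor flow and the internal SMB connection are ignored, the single DNS query to an unknown host is reported as unexpected egress, and the 8080 flow is reported both as unexpected egress and as a 300-second beacon. Against real firewall exports the allowlist and jitter tolerance need tuning per device class, but the point stands: a device VLAN should have a short, known list of external destinations, and anything else is worth a ticket.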

Sam Glines, CEO of Norse, has called the report results “alarming” and an illustration of how far behind the healthcare industry has fallen in terms of cybersecurity.

Among healthcare-related organizations, healthcare providers accounted for 72% of the malicious traffic, and connected medical endpoints accounted for a significant share of the vulnerabilities. Extrapolating from this sample, Norse says it assumes there are millions of compromised healthcare organizations, applications, devices, and systems worldwide.

While the majority of attacks targeted hospital and patient records, billing information, and other sensitive data, a smaller but notable share (3%) were attempts to compromise Internet-facing medical devices such as surgical and anesthesia devices, patient monitors, and lab analysis tools, any of which, if compromised, could result in a loss of life.

The report cautions that the gap between what regulation requires and what actually happens on healthcare networks is a sign that current legislation such as HIPAA and the HITECH Act does not tell healthcare organizations how to secure themselves. “In some cases, regulations that surround medical devices actually make it difficult to secure and upgrade such items, even if manufacturers can develop adequate security for them,” the report says. SANS and Norse advise healthcare organizations to adopt a security posture that meets compliance requirements without trading away security or privacy, and that addresses current trends such as cloud computing and mobile/digital health. According to the report, “A good starting point to implement and enforce best policies and practices is the Critical Security Controls (CSCs), a list of 20 items for effective network defense.”

The full SANS-Norse Healthcare Cyberthreat Report is available from the SANS Institute.

-Chris Wiltz, Associate Editor, MD+DI