Last fall my husband was visiting a relative in the hospital when he noticed an Ethernet port on the side of the bed. He asked the nurse what the hospital uses the port for. She explained that they occasionally connect patient-monitoring devices to the port on the bed to facilitate transmission of alerts to the nurses’ station. For example, if a patient connected to a heart monitor experiences a problem, an alert signal is sent through the network to a manned station. The bed’s port number identifies which patient is in distress.
While this sounds like an efficient use of technology, my husband was curious: how secure is this port for the transmission of sensitive data? He plugged his personal computer into the bed’s port and – voila! – he was able to access the public Internet. Uh oh. If he could get to the Internet via the bed’s port, the Internet could get to the bed via the same port and into the hospital’s network and beyond. Needless to say, he was shocked at this complete lack of security on a network where human lives literally are at risk.
It turns out that this sort of lapse in security isn’t so uncommon in the American healthcare system.
The SANS Institute just released the Healthcare Cyber Report, an in-depth look at widespread data compromises and threats to organizations across the entire healthcare system in the United States. The intelligence data that SANS examined for development of this report was provided by Norse, a live threat intelligence security firm. The dataset was specific to the health care sector and was collected between September 2012 and October 2013.
The full 42-page report is nothing short of shocking and is a must-read for anyone involved in the healthcare industry. The report basically says that data security in this industry is anemic at best, and that every type of business, from healthcare providers to insurance carriers, is hemorrhaging sensitive (and regulated) data such as personal health information (PHI) and financial data. SANS analyst Barbara Filkins, author of the report, wrote: “The data analyzed was alarming. It not only confirmed how vulnerable the industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen.”
Here are just a few of the report’s highlights (or more accurately, lowlights) and conclusions that were drawn:
- The intelligence data collected for this sample included:
  - 49,917 unique malicious events
  - 723 unique malicious source IP addresses
  - 375 U.S.-based compromised health care-related organizations
The sheer volume of IPs detected in this targeted sample can be extrapolated to assume that there are, in fact, millions of compromised health care organizations, applications, devices and systems sending malicious packets from around the globe.
- Current security practices and strategies around endpoints in general, but especially those that are healthcare related, are not keeping pace with attack volumes. Once compromised, these devices and the networks they are on are not only vulnerable to breaches, but also available to be used for attacks such as phishing, DDoS and fraudulent activities launched against other networks and victims.
- PHI and organization intellectual property, as well as medical billing and payment organizations, are all increasingly at risk of data theft and fraud because of these attacks and breaches. Poorly protected medical endpoints, including personal health devices, become gateways, exposing consumers’ personal computers and information to prowling cybercriminals.
- HIPAA and HITECH compliance nightmares are looming, with many organizations facing huge fines and other expenses if (when) compliance violations are found.
- Consumers are especially vulnerable in the event of a data breach because, unlike in breaches of credit card data, consumers themselves are responsible for the costs associated with fraud stemming from a healthcare data breach. In other words, if your medical insurance is used fraudulently to pay for someone else’s healthcare, that’s your problem and your liability.
This 2014 Healthcare Cyber Report should be a rallying cry for every organization in the U.S. healthcare industry to increase cybersecurity. Unfortunately, most players aren’t likely to do anything about it unless forced to by law. Interestingly, we already have laws that address this very topic, but they are not enforced strongly enough to make the regulated parties take definitive action.