Health care is a favorite cyber target! Week after week another Healthcare Data breach
Just last week there was another healthcare data breach, this time in the U.K. The hackers’ target was the National Childbirth Trust (NCT), and the breach compromised the personal information of over 15,000 new and expecting parents.
We have all been following the MedStar hack (here), in which critical hospital services were shut down for days… weeks. In February this year, the Hollywood Presbyterian Medical Center paid a $17K ransom to unlock its own medical records (here).
What a story! The bad guys entered the hospital and moved from floor to floor, dropping malware-laced USB thumb drives where staffers might tend to pick them up. Before they entered the facility, the security researchers at Independent Security Evaluators had disguised the drives, labeling them with the hospital’s logo.
Within 24 hours, the infection spread as hospital employees used the booby-trapped drives at nursing stations, which obediently called in to request malware from the researchers’ server. In this case, the infection was benign: an emulation of malware that can download and install itself off a USB stick, take control of the targeted system, and grant control to a remote adversary.
If it had been a malicious attack, an attacker could have used that network foothold to attack critical medicine dispensary equipment, potentially leading to a patient being given the wrong medicine. The danger of people plugging in rigged USB sticks is nothing new. But it was only one of a dizzying array of attacks the team launched in a two-year project aimed at dissecting hospital security.
The researchers have documented their findings in a paper titled Securing Hospitals. The team, led by healthcare head Geoff Gentry, examined 12 healthcare facilities, two healthcare data centers, a pair of live medical devices, and a couple of web apps open to remote attacks. By exploiting server vulnerabilities, the researchers gained control of the web server, thereby getting a foothold into the internal network, from which they ran scans until they found vulnerable patient monitors.
Using an authentication bypass attack, they forced the monitor to emit false alarms, had it display the wrong vital signs, and disabled the monitor’s alarm altogether: tampering that could potentially lead to a patient’s death or serious injury.
The issue isn’t so much that hospitals do not have the funds, but that the funds are directed in a way that does not make security a priority. This needs to change in order to protect patient health. Other issues include wasting funds on low-priority security items; security understaffing and lack of training; lack of defined, implemented, and/or audited policy; and reliance on legacy systems, among many, many other areas of concern.
The findings show an industry in turmoil: lack of executive support; insufficient talent; improper implementations of technology; outdated understanding of adversaries; lack of leadership, and a misguided reliance upon compliance.
Healthcare remains an extremely vulnerable Cyber Target
Sophos researchers claim “the lack of funding is arguably the most detrimental issue with hospital security. It’s not that the money’s not there; it’s that cyber security isn’t taken seriously enough.”
“The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” the FBI said in a memo obtained by Reuters.
The FBI has warned healthcare providers their cybersecurity systems are lax compared to other sectors, making them vulnerable to attacks by hackers searching for Americans’ personal medical records and health insurance data.
Health data is far more valuable to hackers on the black market than credit card numbers because it tends to contain details that can be used to access bank accounts or obtain prescriptions for controlled substances.