Why Medical Records Are Hotter Than Credit Card Thefts

Posted: August 31, 2016 / Author: Dror Liwer

Last year, more than 113 million medical records were compromised. Government Health IT indicates that over a third (34%) of U.S. healthcare customer records have already been breached – the highest figure of any industry. Unfortunately, hospitals and other healthcare institutions are struggling to adapt to the new threats they face. While health records are galloping into the digital arena at an unprecedented rate, funding for cybersecurity initiatives in healthcare is essentially at a standstill.

While it may seem like credit cards, SSNs, and other financial data are at greater risk from hackers, this is not the case. Health records are far less protected—as evidenced by the flat growth of security budgets—and far more valuable to bad actors. According to a study by the Ponemon Institute, nearly 80 percent of hospitals and other healthcare organizations were breached twice or more since 2014.

To summarize, healthcare records are more valuable than the ordinary run of data. They neatly bundle financial records, social security numbers, addresses, and all the other info needed to create fraudulent credit cards, bank accounts, and so on. These records are also guarded by underfunded entities with a proven record of failure. Lastly, hospitals fail to provide even a basic level of incident response—from the Ponemon report, the majority of hospitals don’t even provide free credit monitoring for victims of a breach.

Why Is Hacking Health Records So Easy?

In 2014, the Darkhotel malware targeted hotel guests who signed in to the hotel’s complimentary WiFi. After compromising the hotel’s WiFi network, the attackers were able to install malware on the guests’ wireless devices. Hospitals and hotels are both large buildings full of insecure wireless devices that belong to large teams of employees, with high daily traffic of patients and visitors, and modern equipment. So it makes sense that similar vulnerabilities would be found in both.

A recent Intercept Cyber Intelligence report described a vulnerability in ANTLabs InnGate access points, a popular Internet gateway for visitor-based networks such as hospitals. The weakness gives hackers remote access through an unauthenticated rsync daemon and then allows them to read and write to the operating system. This doesn’t just give the attacker access to patient-owned devices, but also to the computers and other wireless devices the hospital owns. With the number of wireless medical devices rising rapidly, and the number of consumer devices connecting to hospital networks increasing as well, this threat is becoming more pronounced.

Last year, UK Health Secretary Jeremy Hunt announced plans to invest the £1bn NHS technology fund in making free WiFi available in every NHS building by 2020. Plans for similar programs are launching in other parts of the world as patients and healthcare professionals begin to rely more on wireless medical treatment.

What Can Be Done to Prevent Network-Related Attacks in Healthcare Organizations

There are so many new wireless devices coming into play that administrators are now forced to radically redesign their network architecture. For hospitals, this redesign brings weakness—the network is becoming the most vulnerable entry point for hackers looking to access sensitive medical files. The US Information Security and Privacy Board echoed these concerns and made four recommendations:
  1. Assigning a single government entity the responsibility of securing medical devices.
  2. Food and Drug Administration (FDA) and National Institute of Standards and Technology (NIST) collaborating to research potential cybersecurity features that could prevent network threats.
  3. Training and education programs to update users, healthcare organizations, and manufacturers about the network risks posed by wireless medical devices.
  4. United States Computer Emergency Readiness Team (US-CERT) creating distinct reporting categories for medical device cybersecurity incidents. This will allow agencies to create a unified database of ongoing and emerging threats.
While no specific timeframe has been given for the deployment of these new standards, individual healthcare organizations should act now to ensure they are protected from network threats and other cyber-attacks. Use a network security platform like Coronet to protect your networks, your users and your valuable healthcare data.
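
As an added example (not from the original post and not ANTLabs code), here is a minimal audit of an rsyncd.conf for the weakness class described above: an rsync daemon module that can be reached without authentication and written to. The sample configuration and the function names are constructed for illustration, and line continuations are not handled.

```python
import re

# Constructed sample configuration, not taken from any real device.
SAMPLE_CONF = """\
uid = root
read only = no

[firmware]
    path = /

[backups]
    path = /srv/backups
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.5.0/24

[pub]
    path = /srv/pub
    read only = yes
"""

def _norm(name):
    # rsyncd.conf ignores whitespace inside parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse(text):
    """Return (global_params, {module: params}) from rsyncd.conf text."""
    glob, modules = {}, {}
    cur = glob  # parameters before the first [module] are global defaults
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            cur = modules.setdefault(m.group(1).strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            cur[_norm(key)] = value.strip()
    return glob, modules

def audit(text):
    """Map each risky module name to the list of issues found in it."""
    glob, modules = parse(text)
    findings = {}
    for name, params in modules.items():
        p = {**glob, **params}  # module settings override global defaults
        issues = []
        if not p.get("authusers"):
            issues.append("anonymous access (no auth users)")
        if p.get("readonly", "yes").lower() in ("no", "false", "0"):
            issues.append("writable")
        if p.get("path") == "/":
            issues.append("exports filesystem root")
        if not p.get("hostsallow"):
            issues.append("no hosts allow restriction")
        if issues:
            findings[name] = issues
    return findings
```

Running `audit()` over the daemon configuration of each gateway or appliance on the guest network shows which modules need `auth users`, `read only = yes`, and a `hosts allow` list before the device is exposed to visitors.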