The Institute for Critical Infrastructure Technology’s (ICIT) report Hacking Healthcare IT in 2016 (PDF) starts out with a bang:
“Among all of America’s critical infrastructures, the healthcare sector is the most targeted and plagued by persistent attacks from numerous unknown malicious hackers, intent on exploiting vulnerabilities in their insecure and antiquated networks.”
ICIT’s report offers statistics to back up their claim, but what might be more to the point is looking at what pundits call the healthcare Wall of Shame. The US Department of Health and Human Services Office for Civil Rights publishes information about data breaches that affect the records of at least 500 individuals. For the 2015 calendar year, the wall displays over 230 healthcare breaches, and that amounts to over 110 million individuals having their records stolen due to no fault of their own.
Another telling statistic surfaced in the report Findings of First Half 2015 Breach Level Index by the digital security company, Gemalto:
“Across industries, the government and healthcare sectors accounted for about two-thirds of compromised data records (31% and 34% respectively), though healthcare only accounted for 21% of breaches this year, down from 29% compared to the same period last year.”
Fewer breaches than 2014, but the bad guys captured more records.
Why attack the healthcare industry?
One reason is the value placed on healthcare records. For their effort, attackers get financial, identification, and health information all nicely bundled together. Another reason is that criminals gravitate to the easiest pickings, and right now the healthcare industry is considered the lowest hanging fruit. As to why, well, that’s complicated.
The ICIT report hints at why: “For the most part, patients visit the healthcare sector when something is wrong. No one cares how the patient’s birth date will be stored when the patient is in the middle of a heart attack.”
It is hard to argue with the attitude that all effort is focused on patient help. However, bad guys not having the same standards, leverage the fact that data security is not the number one healthcare priority.
One more thing, bad actors see that the healthcare industry is in a major upheaval right now trying to unify patient records via a common Electronic Healthcare Record (EHR) system. “Healthcare organizations, like many government agencies, manage an infrastructure built over multiple technology waves, and the layers created often have gaps that enable hacker access,” mentions Rick Caccia, CMO of Exabeam, in the report. “Coupled with the management of very sensitive data, this is a formula for an eventual breach.”
The following are some of the issues caused by using heterogeneous systems:
- Software and hardware vulnerabilities happen when different technologies overlap
- Assorted systems melded together are difficult to properly manage
- Manufacturers of system components no longer provide support
- System software is neither updated nor are patches available
“Legacy systems, especially those more than a decade old, are extremely vulnerable,” suggest the authors. “They often contain valuable data, offer easy access to data, and are integrated too deeply into the organization’s infrastructure to be replaced.”
Lack of qualified help
The lack of qualified cybersecurity professionals, as noted in the report, is yet another argument why the healthcare industry is suffering through so many data breaches — and that’s not unexpected. Add the stringent requirements of the healthcare industry to the already complex IT profession, and it gets even more rigorous, which in turn elevates the required qualifications. For example:
- Bachelor degree minimum, with most companies requiring additional education or years of experience.
- Knowledge of accounting, HIPAA, HITECH, and PCI DSS.
What will it take to fix?
The report states the biggest need is for the creation of an information security platform that will be managed by a dedicated security team. “Rather than spreading the technical security of the organization across departments and divisions, the security team should centralize system security governance in a Systems Operation Center (SOC),” explains the report. “The SOC serves a central point to assess, monitor, and defend the other enterprise systems. Organization-wide applications, such as change management and access limitation applications can also be managed through the SOC.”
Next, the report mentions the need for policies and procedures. “The information security team needs to draft clear and concise policies according to the organizational structure and obtain approval by the executive board,” add the report authors. “Policies increase information security awareness.”
Three policies suggested by the report are:
- Information security policy: Helps employees become invested in the organization’s security.
- Governance policy: Sets compliance requirements, adherence metrics, and enforcement measures.
- Roles and responsibilities policy: Defines employee access to information and employee accountability.
The report’s introduction does not pull any punches, nor does its conclusion:
“The healthcare sector is the most targeted yet under-prepared genre within our nation’s critical infrastructures. The already massive and expediently expanding IoT attack surface of this industry offers script kiddies a domain to wreak havoc, provides mercenaries an all-encompassing plane upon which to exfiltrate records for capitalization, and gives state sponsors an unprotected target to accumulate a database from which to derive future surveillance and adversarial positioning.”
Considering how important and private the information contained in healthcare records is, one has to wonder: What it will take before appropriate steps are taken?