BreachExchange mailing list archives

FBI issues warning, EHRs vulnerable to cyber attack, theft


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 1 May 2014 19:46:27 -0600

http://www.fiercegovernmentit.com/story/fbi-issues-warning-ehrs-vulnerable-cyber-attack-theft/2014-05-01

The FBI is warning healthcare providers that lax cybersecurity standards
will leave their computer systems more vulnerable to hackers as the
industry transitions to electronic health records.

The law enforcement agency said new EHR systems coupled with more devices
connected to the Internet will create "a rich new environment" to exploit.
As a result, cyber criminals could steal patient medical records and sell
them on the black market.

"The healthcare industry is not as resilient to cyber intrusions compared
to the financial and retail sectors, therefore the possibility of increased
cyber intrusions is likely," the FBI said in a private industry
notification (pdf) dated April 8. The agency is urging recipients to report
suspicious or criminal activity to local FBI offices or to its 24/7
Strategic Information and Operations Center.

The agency cited recent reports from several research firms that have
documented vulnerabilities and thefts in the healthcare industry.

A February 2014 SANS Institute report said healthcare security strategies
and practices are "poorly protected and ill-equipped" to deal with new
cyber threats that expose patient records, billing and payment
organizations, and intellectual property, according to the FBI notice.

That SANS report also said IT healthcare professionals believe their
cybersecurity defenses work even though data analysis revealed that medical
devices such as radiology imaging software and security application
systems, such as firewalls, have been compromised.

A March 2013 Ponemon Institute report also cited by the FBI said that 63 percent
of healthcare organizations reported a data breach in the past two years
with an average monetary loss of $2.5 million per breach. The report added
that 45 percent of organizations hadn't implemented security measures to
protect patient data.

The FBI notice also cited a 2013 EMC²/RSA white paper that said more than 2
million healthcare records were compromised in the first half of 2013. On
the black market, each partial EHR sells for $50, compared to $1 for a
stolen Social Security or credit card number. Stolen EHRs, which can be
very difficult to detect, can be used to file fraudulent insurance claims
or get prescription medication, the white paper noted.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
