BreachExchange mailing list archives

Healthcare Hacker Attacks: The Impact


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 21 Jul 2015 19:17:15 -0600

http://www.databreachtoday.com/healthcare-hacker-attacks-impact-a-8420

The recent string of major hacker attacks in the healthcare sector,
including the cyber-attack on UCLA Health, calls attention to the urgent
need for organizations to step up their security programs.

Security experts say healthcare organizations need to carefully reassess
their risks and then take appropriate security measures, which, in many
cases, will include implementing multifactor authentication; improving
breach monitoring and detection; and ramping up staff security education,
among other steps.

The sophistication of cyber-attackers is making defending against threats
in the healthcare sector more challenging, says John Halamka, M.D., CIO of
Beth Israel Deaconess Medical Center in Boston.

"Five years ago, external attacks on healthcare were most often from single
actors or curious students. Today they are from organized crime,
state-sponsored cyberterrorism and hacktivism," he says.

Healthcare is becoming a bigger target for hackers and other cybercriminals
for three main reasons, Halamka contends. "One, healthcare has
traditionally under-invested in IT compared to other industries, leaving it
more vulnerable. Two, healthcare tends to aggregate a large amount of
personally identified information in one place, making it easy to breach a
large number of records in a single attack. Three, medical identity theft -
fraudulently receiving healthcare services - can be more profitable than
financial identity theft."

Insufficient Efforts

Even some well-meaning healthcare organizations are also realizing that the
diligent efforts they've been putting into information security aren't
enough, notes privacy and security attorney Kirk Nahra, a partner at the
law firm Wiley Rein.

"Many healthcare industry organizations thought they had pretty good
information security. But these attacks have been eye-opening to many
companies, that 'we really need to beef up' in terms of protection against
these external risks," he says.

Christopher Paidhrin, who recently became information security manager for
the city of Portland, Ore., after 15 years as an information security
leader at West Coast healthcare provider PeaceHealth, offers a similar
assessment. "If CISOs are not now assessing their cybersecurity posture -
and exposure - they soon will," he says.

"The scope of vulnerabilities is increasing, and the 'defensive' security
program model is failing to meet the challenge of the threats," he says.
"Surveys over the past few years indicate that more than 90 percent of
organizations sampled have already been hacked. That is a startling number
that requires a national emergency-level response."

The attacks on the healthcare sector will only worsen, Paidhrin predicts.
"Cybercriminals are motivated by money, easy money. Healthcare offers one
of the greatest return on investment efforts with the lowest level of
detection and risk. Medical information is data rich, and durable. Credit
card data lasts for a month or two, before a bank disables an account.
Health information is much more durable, with much of it unchangeable for
the life of the affected individual."

UCLA Health Breach

In the latest headline-grabbing hack attack in the healthcare sector, UCLA
Health estimates that data on as many as 4.5 million individuals
potentially may have been impacted by a cyber-attack that is thought to
have begun last September and is "believed to be the work of criminal
hackers." UCLA Health says it is working with FBI investigators and has
also hired private computer forensic experts to further secure information
on network servers.

"In today's information security environment, large, high-profile
organizations such as UCLA Health are under near-constant attack," the
organization said. "UCLA Health identifies and blocks millions of known
hacker attempts each year."

As for who was responsible for the UCLA Health breach, and how the hackers
gained access to the systems, "the cyber-attack on UCLA Health is still
under investigation, we are unable to discuss particulars or provide
further information regarding the attack," a spokesman for UCLA Health
tells Information Security Media Group.

With the exception of UCLA Health, most of the largest hacker attacks so
far this year targeted insurers, including Anthem Inc., which was hit by a
breach affecting nearly 80 million individuals; Premera Blue Cross and
CareFirst Blue Cross Blue Shield.

Will Spending More Help?

Some observers say all the recent headlines about hacker attacks could make
it easier for CISOs and CIOs to win support from senior leaders for funding
to ramp up information security efforts. But will increased spending make a
difference?

"The argument for funding will be easier, because the frequency and size of
healthcare sector attacks provide CISOs with mounting evidence to justify
increased funding, but it will not guarantee action," Paidhrin says.
"Funding generally occurs when the 'what, specifically, can be done?'
question can be answered with a price tag less than the perceived cost of
assuming the risk. ... Healthcare is struggling, as are all other sectors,
to find affordable and effective technologies, skilled cybersecurity
personnel and process maturity."

But technology investments won't necessarily stop hackers who rely on
social engineering to scam users into providing their network credentials
through phishing attacks. "Although spending increases on healthcare IT and
cybersecurity will help, the most effective risk mitigator is education,"
Halamka says. "We are as vulnerable as our most gullible authorized user."

Paidhrin sees a "disturbing trend" toward advanced persistent threats and
social engineering, which both largely bypass network perimeter defenses.
"APTs are stealthy, very effective at exploiting under-the-radar
vulnerabilities that do not trigger the alert thresholds of many security
systems," he notes. "Social engineering, basically tricking an authorized
user to assist an attacker into an action that exploits a vulnerability, is
much simpler than a frontal assault on a network. Why break a lock when you
can ask for the keys, and get them?"

Wake-Up Call

The most significant impact the recent hacker attacks will have on the
healthcare sector is "information security will need to be considered as an
integral part of the security and operations processes of healthcare
organizations," says Mitch Parker, CISO of Temple University Health System.
"They will need to become more proactive and consider risk as equally as
utility."

The hacker attacks should serve as a wake-up call for some organizations
that have skimped on their information security risk management practices.
"Organizations are supposed to re-assess their information security
programs, processes, and technologies on a regular basis to continually
improve," Parker says. "That is the purpose of risk management. Incidents
such as these should be used to evaluate your organization's current
practices and make changes or improvements beneficial to your organization."

Paidhrin says many organizations need to take four "not-so-easy steps" to
bolster their security. Those include:

- Two-factor authentication. "Weak passwords, seldom if ever changed, are
the bane of information security. Requiring a token, something other than a
username and password - both things you know - is the cheapest big step up
the security ladder," he says.
- Data segmentation. "Valuable, sensitive information needs to be segmented
from general user access, not all accessible from one network or one level
of user account."
- Proactive monitoring for unauthorized use. "When 90 percent or more of
organizations are potentially compromised, real-time detection of threat
actors is essential."
- Rapid response. "The meme of today is 'It's not if, but when we will be
breached.' If an organization cannot respond to an attack and penetration,
with effective countermeasures, all of the other information security
measures, funding, planning and effort will be undone."

Organizations in all sectors, not just healthcare, need to up their game,
says Nahra, the attorney. "It's a real challenge. The healthcare sector
isn't alone in terms of facing weaknesses and threats."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/