As Health IT Matures, Security Approaches Must Mature With It

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://hitconsultant.net/2016/01/28/health-matures-security-approaches-must-mature/

Not that long ago, healthcare worried mostly about the physical loss of
personal health information (PHI) by way of a lost thumb drive, a stolen
laptop, some misplaced paper files. These were the primary concerns in
HIMSS initial security survey, published in 2008. It wasn’t until five
years later, in 2013, that the largest healthcare security breaches came
from cyberattacks instead of lost or stolen devices.

So, is it encouraging to see how far the rapid pace of change has carried
health IT in just a few years? Well, yes and no. Growth is good, but it
always presents a new set of challenges.

To be sure, healthcare has joined the rest of the wired world as a frequent
target of technically skilled ne’er-do-wells. In 2014, cyber breaches in
the form of systems hacking, credit card skimming and phishing (obtaining
sensitive personal data by pretending to be someone trustworthy) totaled 29
percent of all security breaches. In 2015, that number rose to 38 percent.

Expect the trend to continue.

And expect it to get more complicated based on what’s happening in other
industries. You may, for example, remember an interesting experiment last
summer in which hackers demonstrated the susceptibility of a car’s onboard
computer system by taking control of a Jeep going 70 miles per hour on a
freeway outside St. Louis.

“Immediately my accelerator stopped working,” writes Andy Greenberg in a
Wired magazine article on the car sabotage. “As I frantically pressed the
pedal and watched the RPMs climb, the Jeep lost half its speed, then slowed
to a crawl. This occurred just as I reached a long overpass, with no
shoulder to offer an escape. The experiment had ceased to be fun.”

The hurtling SUV hijinks are just one example of the Internet of Things
(IoT), the global network of tangible objects (a Jeep, for example) with
embedded sensors, software and hackable Internet connections. Where cyber
masterminds used to have to access a car’s diagnostic port to tap the
computer, now they can do so wirelessly.

Of course, the commonality of sensors and software make most devices
potentially hackable. So, what might hackers do if they can gain remote
control of healthcare devices? The prospects are a bit chilling. Imagine
where that Jeep might have gone with black-hat hackers at the keyboard.

“We may soon be looking at insertables—implants, pacemakers, insulin
pumps—becoming targets of cyber-terrorists,” says Ponemon Institute
Chairman and Founder Dr. Larry Ponemon in a Healthcare IT Newsarticle. “And
this is not science fiction. It’s already been demonstrated.”

Nightmarish movie scenarios are unlikely, but hackers are already able to
install ransomware on computers that holds data hostage until the owner
pays a ransom to recapture control.

“It’s a bit like thieves sneaking into your home, and rather than carting
away the TV, stuffing your jewelry and electronics into an impenetrable
trunk,” explains Kaveh Waddell in The Atlantic. “Then they try to sell you
the key.”

As Waddell reports, one hacker made $1 million in a single day off
desperate computer users, and the FBI says some viruses are so good the
easiest path is to just pay the ransom—usually in the $300 to $750 range.

“There is cause for concern,” according to a report by the Health Research
Institute at PriceWaterhouseCoopers (PwC). “2015 saw the first-ever
government warning that a medical device was vulnerable to hacking—an
infusion pump officials warned could be modified to deliver a fatal dose of
medication.”

Of course, hacks, ransomware, phishing scams and the like are not just
happening in healthcare. Analysts estimate banking lost roughly $1 billion
to cybercrime between late 2013 and early last year. Last summer, JP Morgan
reported that hackers had accessed a database with information for 76
million households and 7 million small businesses.

As one might expect, these incidents are only a drop in the bucket. As a
former executive with a financial portfolio management software firm, I
know the assault on financial institutions is relentless, despite constant
and detailed efforts to improve security. After all, as Willie Sutton
reportedly said when asked why he robbed banks, “Because that’s where the
money is.”

But what if hackers, en masse or gradually, were to figure out that
hospitals were actually pretty lucrative and easier pickings? There’s not
much reason to think that hasn’t happened already. Consider the Anthem
breach last year and PwC analysis showing that 85 percent of large
healthcare organizations experienced a breach in 2014 with 18 percent
costing more than $1 million to fix.

Sutton’s logic applies to healthcare organizations, too. Hackers will go
after the big ones because that’s where the money is, but there’s no reason
to think it will end there. If a small hospital can be held hostage for
$300 in ransom, why should we think they won’t be? After all, the urgency
associated with unlocking an infusion pump will be greater than regaining
access to vacation photos. More urgency equals more rapid payment, and more
frequent hostage taking if security doesn’t improve.

While healthcare has not been a major hacking target for that long, the
security recommendations and requirements that anticipated these scenarios
have been around for a while in the form of regularly updated HIPAA
regulations. These regulations require hospitals to establish a security
framework – basic procedures like access control and user education.
Unfortunately, they provide little in the way of specific strategies and
tactics like regular penetration testing, clear reporting procedures, or
how to perform periodic testing and training. Hospitals and health systems
must make their own decisions to ensure that their overall environment is
secure.

I have no doubt all healthcare enterprises believe they are doing their
best to protect PHI and patient financial information. But there are still
disconnects. Even the most security-aware technical staff is limited by
budget restraints. Even the most focused administrator has a lot of moving
parts to manage and fund. And HIPAA requirements leave some security
preparation wiggle room based on the size and resources of the facility.

Ultimately, the security decision calculus must be driven by risk—by what a
hospital or health system is vulnerable to—not what it can marshal the
resources to defend against. And understanding risk has little reward if
you don’t invest the time and money to mitigate it.  In our connected
world, we pay for security or we pay for lack of security. There can be
little doubt that the latter is more affordable—to say nothing of
predictable—in the long run.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics 
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which 
vendors to trust. Contact us today for a demo.