With October being National Cybersecurity Awareness Month (NCSAM) and November being Critical Infrastructure Security and Resilience Month, Morphisec is publishing a series of posts on industries included in the DHS list of 16 critical infrastructure sectors.
The healthcare industry needs to focus on its own cyber health. That’s the upshot of the latest round of reports and announcements from industry experts across the board.
ECRI Institute, a leading patient safety and medical technology research organization, recently released their 2019 Top Health Technology Hazards. Cybersecurity topped the annual list, specifically the potential for attackers to exploit remote access systems as an entry point to a healthcare organization's network infrastructure. Healthcare executives concur, placing cybersecurity as a top 10 challenge for 2019 in a new poll by the Healthcare Executive Group (HCEG).
Healthcare a Prime Target for Attackers
The past five years have seen a wave of attacks on the healthcare industry. Hackers stole nearly 80 million patient records, including highly sensitive personal information, in the 2015 cyberattack on Anthem. The insurer just settled on a $16 million fine to the U.S. government under HIPAA. That’s on top of the $115 million class action settlement and an estimated $260 million on security remediation and improvements.
So far, in 2018 alone, UnityPoint Health announced a breach of 1.4 million patient records; a phishing attack on Sunspire Health exposed personal patient information; hackers breached LabCorp, one of the largest clinical laboratories; Blue Springs Family Care was hit by ransomware and info-stealing malware; and a breach at healthcare billings vendor Med Associates exposed more than a quarter million patient records. And that’s a partial list. The situation is no better outside the U.S. – attackers have hit the UK’s NHS and breached the Singapore government’s health database, accessing personal data of 1.5 million patients, including Singapore Prime Minister Lee Hsien Loong.
Healthcare lags far behind other sectors in terms of cybersecurity. A 2018 report by SecurityScorecard ranked healthcare cybersecurity 15th out of 18 US industries.
Medical Devices as an Attack Vector
The U.S. Food and Drug Administration (FDA) and the Department of Homeland Security (DHS) are trying to do something about it. Yesterday the FDA released draft premarket guidance on cybersecurity for medical device manufacturers. “Cybersecurity threats and vulnerabilities in today’s modern medical devices are evolving to become more apparent and more sophisticated, posing new potential risks to patients and clinical operations,” said FDA Commissioner Scott Gottlieb, M.D., in a statement. And earlier this week, the FDA and DHS announced a memorandum of agreement to implement a new framework to increase collaboration and improve coordination of their efforts to increase medical device security.
The memorandum came just days after the FDA issued a warning on severe vulnerabilities in certain Medtronic implantable cardiac device programmers. The flaws could be exploited by hackers to change programmer functionality during implantation or follow-up visits and cause harm to patients.
There have been no known attacks on patients themselves via medical devices, however, and valuable patient records are not likely to be present on such devices. The primary danger in medical devices lies in their ability to serve as entry and pivot points in the network.
Endpoint Security: Healthcare’s Achilles Heel
While medical devices pose an undeniable risk, the biggest current sources of healthcare breaches are phishing emails and drive-by-download attacks on endpoint computers and devices. The SecurityScorecard report found the healthcare industry is one of the lowest performing industries for endpoint security.
The majority of the attacks above began with a phishing email where the victim opened a weaponized document or clicked on a malicious link. A survey of physicians conducted by the American Medical Association found that 83 percent had experienced a cyberattack, with more than half coming in the form of a phishing email. Many of these employ sophisticated social engineering tactics and deploy advanced, evasive malware. A FortiGuard Labs report found polymorphic attack vectors afflict healthcare at nearly twice the rate of other verticals.
What Can Healthcare Organizations Do?
Standard best security practices go a long way. Safeguard admin credentials and change passwords regularly; use multi-factor authentication or two-step verification procedures where feasible. Maintain a web application firewall and keep all operating system and application software up to date. Protect endpoints with a robust security stack including updated antivirus and an advanced threat prevention technology. Morphisec Endpoint Threat Prevention uses Moving Target Defense to stop fileless attacks, polymorphic threats and unknown advanced threats that can bypass standard security defenses.
The Problem of Patching
According to the same SecurityScorecard report, the most common cybersecurity issues in the healthcare industry can be traced to poor patching cadence. A recent Ponemon survey found healthcare security professionals struggle to keep on top of patching. More than half (57%) experienced at least one data breach triggered by exploiting a vulnerability for which a patch was available. It’s easy to recommend keeping on top of security updates, but hard to implement with overburdened security teams and the need to maintain continuous system availability. Morphisec virtually patches vulnerabilities, keeping endpoints protected from vulnerability exploits when patches are not yet available or deployed.
Contact a Morphisec security expert to learn how we can help your organization improve its cyber health.