FBI Advisory Underscores Dire Healthcare Sector Security Issues

08/26/2014

Last week, in the wake of a massive patient data breach at Community Health Systems, Reuters reported that the FBI had issued a warning to all healthcare companies that the entire sector was at continued risk from criminal hackers, underscoring security shortcomings that have been well documented prior to the issuance of the advisory.

"The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII)," the "Flash" alert obtained by Reuters stated.

"These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data," the alert continued.

Last April, the FBI had also cautioned the industry that its cybersecurity posture was lax in comparison to other industry sectors, a warning that came a full two months after an extensive report on the issue was released by SANS and threat intelligence leader Norse Corporation.

The study, titled Healthcare Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon, had warned that the situation “could easily lead to a wide range of criminal activities that are currently not being detected,” according to principal author Barbara Filkins, Senior SANS Analyst and Healthcare Specialist.

“Hackers can engage in widespread theft of patient information that includes everything from medical conditions to social security numbers to home addresses, and they can even manipulate medical devices used to administer critical care.” 

The report covered a variety of healthcare-related organizations, from hospitals to insurance carriers and pharmaceuticals, and found that exploited medical devices, conferencing systems, web servers, printers, and edge security technologies were all broadcasting malicious traffic.

In addition, the report noted a wide array of compromised devices ranging from radiology imaging software to firewalls and mail servers, with a significant number of compromises attributable to very basic issues that went unaddressed for long periods of time, such as not changing default credentials.

The intelligence provided by the Norse threat intelligence platform that SANS examined for the report was specific to the healthcare sector and collected between September 2012 and October 2013. Over that period the platform identified 49,917 unique malicious events, 723 unique malicious source IP addresses, and 375 U.S.-based compromised healthcare-related organizations.

“The data analyzed was alarming. It not only confirmed how vulnerable the industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen,” Filkins wrote in the report.

The following is a breakdown of the organizational types detected as compromised and the percentage of malicious IP traffic emanating from them:

  • Health care providers—72.0% of malicious traffic
  • Health care business associates—9.9% of malicious traffic
  • Health plans—6.1% of malicious traffic
  • Health care clearinghouses—0.5% of malicious traffic
  • Pharmaceutical—2.9% of malicious traffic
  • Other related health care entities—8.5% of malicious traffic

“Many of the organizations were compromised and, therefore, out of compliance for months, and some for the duration of the study—meaning they never detected their compromises or outbound malicious communications, nor did they acknowledge warnings from the Norse response team,” the report states.

The report notes that there are a variety of reasons why the findings are cause for alarm:

  • The sheer volume of IP addresses detected in this targeted sample can be extrapolated to assume that there are millions of compromised organizations, applications, devices and systems
  • Current security practices and strategies around endpoints in general are not keeping pace with attack volumes; attackers are bypassing perimeter protections en masse, and once compromised these networks are not only vulnerable to breaches but also available to be used for attacks
  • Personal health care information (PHI) and organization intellectual property, as well as medical billing and payment organizations, are all increasingly at risk of data theft and fraud because of these attacks
  • The costs of failed compliance and compromises are increasing, going far beyond regulatory fines, the burden of notification to victims, and immediate remediation costs—there are legal risks from class-action lawsuits, potential fallout in stock prices, and the intangible costs of brand damage

“The report is a snapshot of what’s happening throughout the industry. This data shows that no health care organization is immune. Reports of breaches against health care organizations, large and small, continue to rise—as do the regulatory fines they are facing for the exposure of protected patient data,” Filkins concluded.

“The time to act is yesterday. Organizations must become aware of the many attack surfaces in their organizations and follow best practices for configuring these systems and monitoring them for abuse.”
