They say an apple a day keeps the doctor away, but when it comes to cyber security, healthcare organizations need a stronger prescription.
Healthcare is a top target for hackers today because security defenses may be fairly easy to breach and medical data has become a rich reward. In fact, medical Personally Identifiable Information (PII) is worth 10 times more on the black market than credit card details. A recent Ponemon Institute study reports that 91 percent of healthcare organizations had at least one data breach in the last five years.
Let’s examine a few technology trends impacting the healthcare industry today:
#1 – The Internet of Things (IoT) is exploding
IoT can have many different meanings, but in healthcare, it’s usually the addition of Internet connectivity to older medical devices or an introduction of next-generation Internet-enabled products. These devices are revolutionizing the industry with better efficiency, which reduces costs.
However, progress can also bring new threats. These devices are prime targets for hackers to install backdoors, allowing them to move laterally throughout a healthcare organization’s network. A report from the cybersecurity research firm TrapX explains how. Alarmingly, this activity usually goes completely undetected.
The major concern here is the lack of security by design. Before the IoT, these devices were not intended to be on a network, so they weren’t built with cyber security protection. Far too often, IT administration guides instruct personnel not to change default passwords so as not to breach support contracts, and many of these devices run older operating systems with well-known vulnerabilities.
IoT devices can be patched for known security threats, just like personal computers and corporate servers. Unfortunately, there is a persistent reluctance in the industry to patch, out of concern that patching will trigger a lengthy FDA approval process; this leaves a sizeable number of devices open to attack. Interestingly, the FDA recommends security patch updates and states that they will not trigger re-approval as long as functionality is preserved.
Hopefully this message will spread and continuous security patching will become common practice across the medical device industry. Even then, additional layers of security are needed at the network level if we are to get in front of healthcare hacks.
#2 – Mobile devices (BYOD) increase attack surface
The math is simple. More entry points into a healthcare or affiliate network will exponentially increase the chances of a security breach, because each one enlarges the attack surface. It therefore makes sense that mobile devices play a role in creating security risk for healthcare organizations.
According to the same Ponemon data security study, smartphones and tablets are the types of devices most compromised or stolen, and employee negligence continues to be the biggest concern of healthcare organizations.
Mobile phones may have security vulnerabilities that make them an increasingly popular target for attacks, including widespread ones like Android’s Stagefright. In essence, if an attacker has a backdoor on your mobile device and that device joins an internal network, the attacker can explore that internal network from it.
#3 – Security vs Convenience
Society today has greater access to oceans of information than ever before, and this data trend will continue to grow. The easy access to information has a significant impact on our behavior.
Many people enjoy the convenience of accessing Protected Health Information (PHI) from mobile phones and cloud services. Although this access is convenient and the applications feel similar to other services for video, gaming and social networking, people still need to be mindful of their security practices when accessing PHI.
For example, it may be convenient to select “remember password” options on sites or apps that include PHI. Even though it’s convenient, you don’t want to enable “remember password”, because any attacker who gets their hands on your device (physically or remotely) will be able to access all your data without knowing your passwords. In fact, even without the “remember password” feature, they might keylog or crack your passwords. We recommend you implement some sort of two-factor authentication to make logins on devices even more secure. This ensures that even if a bad actor has your password, they can’t use it without the second factor to authenticate your identity.
At AHMC Healthcare, two laptops were stolen containing unencrypted PHI data on 729,000 patients. This breach reminds us that using encryption software and proper privacy protocols is a relatively small, but important step towards keeping PHI and Personally Identifiable Information (PII) secure.
Technology continues to advance and drive change within the healthcare industry, providing new insights, solving problems and saving time. It’s important to evaluate the security risks that come with new technologies to ensure we are building strong defense-in-depth measures to help mitigate risk to users’ PII. Security researchers, advanced network security vendors, and healthcare leaders must work together to identify and address the real cyber security threats facing the healthcare industry today.