It is a story you hear all too often these days. Industries and organizations of all sizes that still run legacy operating systems and outdated security defenses are falling prey to increasingly advanced and stealthy cyber-attack techniques. A recent report from TrapX Security Labs reveals that the healthcare industry in particular has been on the receiving end of the majority of these attacks, making it the industry most targeted by cybercriminals.
This is evidenced by several recent large-scale incidents resulting from healthcare system breaches. Banner Health announced last Thursday that it has begun contacting the 3.7 million individuals whose personal data may have been accessed in a breach that began in June. The attack initially targeted credit card payment systems at food and beverage locations within the Banner facilities, then expanded to accessing sensitive patient information stored in the network.
Banner is taking significant measures to prevent future attacks, such as involving law enforcement and hiring a computer forensics firm. It’s a great example of a step in the right direction.
In another recent case, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced last week that the Advocate Health Care Network has agreed to pay a whopping $5.55 million settlement for multiple HIPAA violations related to a massive breach that occurred in 2013, exposing sensitive electronic protected health information (ePHI). The reasons for the settlement essentially boiled down to negligence and lack of risk monitoring.
“We hope this settlement sends a strong message to covered entities that they must engage in a comprehensive risk analysis and risk management to ensure that individuals’ ePHI is secure,” said OCR Director Jocelyn Samuels in a statement. “This includes implementing physical, technical, and administrative security measures sufficient to reduce the risks to ePHI in all physical locations and on all portable devices to a reasonable and appropriate level.”
Message received, Jocelyn Samuels. Now, let’s hope the rest of the healthcare industry takes these examples to heart and follows suit. With attackers cooking up new and more malicious schemes every day, it can no longer afford not to.
Still not convinced? The aforementioned recent TrapX report leaves little room for argument. The report is the second installment of TrapX’s original “Anatomy of Attack – Medical Device Hijack” (MEDJACK) report, which was issued in June 2015. “We were working with some of our customers in the healthcare industry and we uncovered some interesting attacks, this particular style going after medical equipment specifically,” TrapX CMO Anthony James told The VAR Guy. “They were hijacking the equipment – not to cause harm or damage the equipment, but to gain a backdoor into that medical network to look for more important information.”
These initial findings revealed that criminals were hacking into and leveraging medical devices to launch attacks within healthcare networks, stealing patient information and records and threatening overall hospital operations and security. The second edition of the report, appropriately named “Anatomy of an Attack – Medical Device Hijack 2” (MEDJACK 2), explores the current healthcare industry landscape, examining the evolution and increased frequency of these attacks since the initial findings.
“Over the last year, we saw the compromise of healthcare networks come into the public spotlight, making frequent news headlines,” said CEO of TrapX Security Greg Enriquez in the official press release. “MEDJACK 2 shows that MEDJACK 1 was not an anomaly but rather highlighted the beginnings of a growing trend, a trend that’s become prevalent as attackers leverage sophisticated attack techniques to steal sensitive patient data while remaining undetected.”
Just what are these “sophisticated techniques” and how are attackers able to slip past traditional security mechanisms so successfully? By using good old-fashioned camouflage. “New and highly capable attacker tools are cleverly hidden within very old and obsolete malware. It is a most clever wolf in very old sheep’s clothing,” says Moshe Ben Simon, TrapX Security co-founder and vice-president. “They have planned this attack and know that within healthcare institutions they can launch these attacks, without impunity or detection, and easily establish backdoors within the hospital or physician network in which they can remain undetected, and exfiltrate data for long periods of time.”
The report sharply points out that despite this recent “tidal wave” of attacks on healthcare systems, hospitals have been slow to take the proper security and defense measures, due largely to factors such as limited budgets, inadequately trained employees and an overall lack of education and awareness.
In the MEDJACK 2 report, Simon emphasizes that these high-level attacks are only going to get worse and that it will become harder and harder for hospitals to detect and prevent them. Simon urges hospitals and healthcare organizations to make concrete moves toward implementing technologies that can effectively identify and prevent attacks. “It becomes essential to leverage technology and processes that can detect threats from within hospital networks.”