Healthcare organizations (HCOs) around the world are under attack. The data they store and process has become a valuable commodity on the cybercriminal underground and has even been linked to nation-state attacks. In 2015, more than 113 million records were stolen in the U.S. alone, according to the Department of Health and Human Services. Many more cases undoubtedly go unreported, both at home and abroad. But why are Electronic Health Records (EHRs) so highly sought after? And where are organizations most exposed?
To better help industry stakeholders understand the level of cyber threats currently facing healthcare providers, Trend Micro produced a new report: Cybercrime and Other Threats Faced by the Healthcare Industry.
We hope the insights provided by our Forward-Looking Threat Research (FTR) Team will help the industry marshal a more effective response to attacks.
EHRs in demand
The year 2015 was a standout one for healthcare data breaches. That’s mainly because of landmark attacks on three of the top providers in the US: Excellus Health Plan, Premera Blue Cross and Anthem. Although breach levels have settled down since then, the number of records stolen still topped 14 million in 2016. And in the UK, more than 800 individual breach cases were reported to the privacy watchdog, the Information Commissioner’s Office (ICO) – more than any other sector. So what’s the problem?
HCOs must remember that EHRs are in huge demand and can fetch better prices in the criminal underground than simple PII data. That’s because they uniquely contain a blend of PII, medical, insurance and financial information. This data has a considerable shelf life, unlike perishable credit card data. Cybercriminals can parse this data and sell it separately or together. Here are some of the services that hackers can offer thanks to stolen EHRs:
The attackers can go after HCOs themselves or cloud-based providers of the EHR software they use. The latter are particularly favored as they can provide access to multiple client databases, generating a great return on investment for the hacker. Unfortunately, security best practices, including two-factor authentication, data encryption and vulnerability management, are still limited at best, creating security gaps that cybercriminals are adept at exploiting.
Healthcare CISOs and their teams are fighting a constant battle against these threats. Their job is further complicated by the often complex, heterogeneous environments they are tasked with defending. Many are still running end-of-life software and operating systems like Windows XP, our research found. CISOs and their teams have to take additional steps to mitigate these threats by building robust vulnerability management programs. These should include virtual patching solutions that let them quickly deploy security policies to prevent exploitation of known vulnerabilities.
Growing Threat of Exposed IoT
An already extensive attack surface is growing further thanks to the Internet of Things (IoT). Smart medical devices and systems are everywhere today. Many of these are left unsecured, providing the perfect gateway into HCOs for hackers. These compromised devices are not only potential open doors to the broader network; they can also be used in DDoS attacks, as seen with the Mirai botnet. More menacing going forward will be the threat that these medical devices will be held for ransom, putting HCOs and patients at great risk.
We conducted a Shodan scan in February to assess the threats to providers and found more than 1,000 expired SSL certificates in the U.S. alone, exposing these organizations to potential attack. What’s more, many endpoint devices hadn’t even been patched to protect against the notorious Heartbleed bug, more than two years after its discovery.
It’s clear from the report that HCOs and their EHR data are the target of many different cyber attacks. However, they also face a growing threat posed by exposed medical devices. We hope this research will help providers better understand not only the threats they face but also the vulnerabilities they have at the device level as well as the system level. Only with this level of understanding can HCOs build effective enterprise risk management strategies for today as well as tomorrow.