Important medical devices are almost never updated with the latest security patches
One medical record is 10 times the value of credit card details in the underground market. This makes data breaches and medical identity theft a worrisome issue for both hospitals and patients. Atul Anchan, Director, Systems Engineering, India, Symantec, tells Viveka Roychowdhury what makes this sector so vulnerable and outlines some cyber security strategies.
Symantec’s Internet Security Threat Report (ISTR) Vol. 21 highlighted that globally, the largest number of breaches took place within the health services sub-sector, which actually comprised 39 per cent of all breaches in 2015. Why is this sector so vulnerable to such attacks?
The healthcare industry is going digital with massive amounts of patient data stored and shared among organisations. But the bad news is that attackers now target this sensitive and often personal information. According to Symantec’s Internet Security Threat Report 2016 (ISTR), 78 million patient records were exposed last year in a major data breach at Anthem, the second largest healthcare provider in the US. This is no big surprise given the huge volumes of marketable and sellable data, lagging security, remote services, medical devices, and special requirements to share and protect personal data. With the growing complexities of attacks, and interest of cyber criminals, security is slowly becoming the top concern for the healthcare industry worldwide.
Recently, Symantec also highlighted that the healthcare industry is vulnerable to attacks such as the Gatak Trojan. The majority of Gatak infections (62 per cent) occur on enterprise computers. Analysis of recent enterprise attacks indicates that the healthcare sector is by far the most affected by Gatak. Of the top 20 most affected organisations (organisations with the most infected computers), 40 per cent were in the healthcare sector. In the past, the insurance sector was also heavily targeted by the group.
How does the attack occur? Are there certain devices that are more vulnerable?
Internet-connected things are multiplying rapidly. Symantec saw many proof-of-concept and real-world attacks in 2015, identifying serious vulnerabilities in medical devices and more. These smart devices are increasingly attractive targets for online criminals. As a result, they are investing in more sophisticated attacks that are effective at stealing valuable personal data or extorting money from victims (ransomware). Many of the systems that are used in hospitals run on well-known software such as Windows and Linux. Sadly though, these extremely important devices are almost never updated with the latest security patches. The healthcare industry has long seen the risks as these devices had previously been infected by malware such as Zeus, Citadel, Conficker, and more. In fact, some (computer) virus infections have shut down entire hospital departments, required rerouting of emergency patients, or had similar implications on care delivery.
What could be the possible impact of this breach/theft of personal health data, like health records, etc., in monetary terms?
When a health system suffers a data breach, it can cause serious and irreversible damage to patients, employees, third-party partners, the business and the trusted relationship between patients and their care providers. The trouble is, health data and other sensitive information stored in health provider systems by nature needs to be shared with other entities. For example, in the course of treatment, protected health information (PHI) can travel between medical and finance departments, other practices, family members and third party entities such as insurance companies and home health agencies. All the while, health systems are legally bound to protect confidential information while coordinating care and payment. Symantec’s ISTR highlighted that in 2014, one medical record can fetch $50 in the underground economy, which is 10 times the value of a credit card number. Further, medical identity theft victims have had to pay an average of $13,500 to resolve the issue.
What are the steps healthcare organisations in India need to take to prevent such breaches? Globally, are there any best practices that consumers (patients, caregivers) can put in place to protect their health data? How can India’s public health authorities proactively prepare for such cyber attacks?
Sensitive information is stored at all levels of healthcare organisations, and there’s so much new, unstructured data being generated every day that it can be difficult for IT administrators to know where it all resides and how and by whom it is being used. Judging by the rising number of data breaches—and ransomware attacks resulting in hospital shutdowns—health systems are seriously lagging when it comes to safeguarding patient records and other sensitive data.
Symantec suggests the following to stay protected:
- Manage and protect sensitive data, on-premises or in the cloud: The healthcare industry is moving towards cloud, which has obvious benefits, including cost savings and scalability. Security and complexity concerns have slowed adoption in the industry and Symantec offers a broad portfolio of security solutions designed to help healthcare IT manage and protect sensitive data, whether on-premises or in the cloud.
- Data loss prevention and encryption: Allows users to monitor and protect confidential information wherever it is stored and however it is used. In the healthcare sector, described content matching technology looks for matches on regular expressions or patterns. DLP allows scanning of network file shares, databases and other enterprise data repositories, and identifies and protects confidential unstructured data. It also provides a single web-based console that lets users define data loss policies, review and remediate incidents, and perform system administration across all endpoints, mobile devices, cloud-based services, and on-premises network and storage systems.
- DLP Cloud Service for Email: Allows users to quickly transition to the cloud and securely adopt software-as-a-service applications, such as Office 365 or Gmail. Cloud Service for Email provides real-time protection with automated response actions such as message blocking, redirection, and encryption capabilities. This allows users to know how to prioritise real incidents with accurate monitoring and analysis, and respond faster with one-click responses and automated workflow.
- Validation and ID protection: Ensures that only authorised users can securely access clinical and IT systems. This enables a stronger multifactor and risk-based tokenless authentication that eliminates up to 80 per cent of breaches. VIP enhances all the existing static passwords by positively identifying users with a dynamic second factor of authentication that cannot be predicted or stolen. VIP can adapt to nearly any network, cloud, or mobile app with built-in integrations.
- Ensuring device security: Security across endpoints, ranging from desktops to Internet of Things (IoT)-enabled medical devices, is critical. At the most basic level, organisations need to have the right security solutions for various endpoints, from AV and anti-malware to IoT security.
What is Symantec’s protection strategy, risk management strategy for such attacks? Any instances, case studies of its implementation in healthcare organisations, globally and in India?
2015 was the changeover year for the healthcare industry with more targeted attacks. While many hospitals have mature cyber security programmes in place, various others are still struggling with basic goals like implementing encryption to protect data on lost or stolen mobile devices, laptops, or data carriers. By and large, the healthcare industry is not prepared to face today’s cybersecurity risks, be it hospitals, pharmaceutical or biotech companies, medical device manufacturers, health insurers, national health agencies, or employers. Additionally, with emerging technologies such as the IoT, the industry faces concerns as expressed in our blog post, dated June 24, 2015, titled “Hospitals Breached via Medical Devices?” and how consumer health IoT devices can be susceptible to data loss. Within the healthcare industry, there are medical devices that use off-the-shelf (OTS) software found vulnerable to viruses, malware and other threats.
With security experts facing a rapidly changing threat environment, one thing is clear: existing solutions are not the efficient answer. Advanced attacks are on the rise and security professionals using a myriad of individual point products to stop them are at a great loss. To address this, Symantec recently introduced Symantec Advanced Threat Protection (ATP), the first solution that allows enterprises to uncover, prioritise and remediate advanced threats and zero day attacks much faster, that too without adding any new endpoint agents to thwart these threats. Further, organisations not only need to plan proactively but also be ready with reactive measures, among which a major step would be insurance of assets and intellectual property (IP). Symantec is also partnering with IoT manufacturers in healthcare to address cyber security risks through its IoT technology portfolio that includes Device Security with Symantec’s Embedded Critical System Protection, IoT Roots of Trust and Device Certificates and Code Signing Certificates and Secure App Services. Our future plans to help enterprises address IoT security include introducing new technologies, such as an IoT portal for managing all IoT security from a single interface, and security analytics for proactively detecting anomalies that might indicate stealthy attacks on IoT networks. In fact, Englewood Hospital and Medical Center (EHMC) in North America wanted an efficient, cost-effective option for IT security monitoring and management that matched its high standard of clinical excellence. After a rigorous, six-month analysis of options, EHMC signed a three-year Symantec Managed Security Services (MSS) contract. The IT team felt Symantec understood the healthcare space. The decision frees EHMC internal security staff for higher-value work and takes advantage of the expertise Symantec gains from its 24×7 global security monitoring operations.