Healthcare Industry Cyber Security Woes Will Worsen Before Getting Better

By Joseph Opacki, VP of Threat Research at PhishLabs, former FBI Technical Director of Advanced Digital Forensics
Twitter: @PhishLabs

A bold statement, I know. After all, how could things get worse?

Over the past two years healthcare has been targeted and breached more than any other industry. Fines for negligence have become commonplace, and reached new highs in 2016.

And yet I’m confident in my prediction. Here’s why.

0 – 60 in… Months? Years?
Right now, cyber security is just not being taken seriously by many healthcare organizations. Certainly there have been improvements in the past couple of years, but healthcare is still lagging far behind the financial services and retail industries.

On average, healthcare organizations have lower security cyber budgets than any other industry, on top of having fewer IT employees allocated to data security. And with these factors limiting potential salaries, attracting top cyber security talent can be a real challenge.

But that’s just one part of the problem. Healthcare organizations also maintain extremely complex environments, with literally thousands of moving parts, network enabled devices, non-technical employees, and interconnected systems. In security parlance, the ‘attack surface’ of an average clinic or hospital is far greater than a similarly sized bank or retail outlet.

And yes, the healthcare industry as a whole is starting to increase spending on cyber security. We will start to see improvements, and threat actors will have to work harder for their prize.

But it won’t happen overnight.

The problem can’t be solved with a few new security products, and a couple of extra personnel. Even if funding increases dramatically, it will still take considerable time and effort to address the inherent security weaknesses of the industry.

In short, we almost certainly won’t see the industry’s security profile catch up with financial services or retail for at least another two or three years.

Target Found, Teeth Acquired
As we’ve already mentioned, threat actors have their sights set firmly on the healthcare industry. Why? Because healthcare records are an absolute goldmine.

Here’s how it works. The hackers who steal information from healthcare organizations don’t use it for anything themselves, they simply sell it on. Since healthcare records contain a huge amount of personal information, they’re worth a lot of money to the types of people who specialize in identity theft or creating fake IDs. To put things in perspective, stolen medical records sell for between ten and twenty times more than credit card information or social security numbers.

And they aren’t just valuable, there are plenty to go around. The average number of records stolen in healthcare breaches is 28,564, meaning a threat actor can make anything from $285,000 – $1.7 million for a single successful breach.

And in case you’re wondering, there’s almost no chance of threat actors being caught while trying to offload their stolen wares. These transactions take place on dark web markets, and are practically untraceable.

Add all this up, and it seems likely that attacks on healthcare organizations will increase yet again this year.

But it isn’t just threat actors you should be worrying about. If 2015 was the year of the healthcare breach, 2016 was the year of landmark fines. Across all industries, regulators are starting to find their teeth when it comes to security breaches, and the trend looks set to continue.

The Dark Side of Smart Devices
So with more attacks, larger fines, and a huge security gap to bridge, it seems almost inevitable that things will get worse for the healthcare industry before they get better. Sadly, there’s one more big problem to consider.

Remember the massive surge in POS device compromise in 2015 and 2016?

Just in case you don’t, here’s what happened: Threat actors targeted and compromised retail point-of-sale (POS) devices using malware designed to steal payment card information.

Simple, right?

But here’s the problem. POS devices are standardized, and once the issue had been identified most vendors were able to patch and secure their hardware.

But where retail outlets have just a few device types to secure, medical organizations often have hundreds of network enabled devices. Even worse, medical device manufacturers currently have no legal obligation to build in security features.

And if the WiFi kettle hack taught us anything, it’s that a compromised device isn’t just a compromised device… it’s potentially a compromised network. From your CT scanners to your heart rate monitors, a threat actor could potentially use any poorly secured medical device to gain unauthorized access to your entire network.

So if you think you’ve got problems with ransomware now, imagine what it’ll be like when threat actors can threaten to turn off life support machines, or erase treatment plans.

Of course, with all the low hanging fruit in the healthcare industry, these scenarios won’t start to crop up just yet. There’s really no need for threat actors to write complex malware when very simple attack vectors are proving more than enough.

But as healthcare organizations become more security conscious, the modes of attack used by threat actors will become more sophisticated. At that point, if a solution hasn’t been found for the inherent insecurity of medical devices, it seems likely they’ll be targeted with a vengeance.

Security Products Aren’t the Answer
OK, so there are more attacks than ever before, fines are increasing, and there’s a huge security gap to bridge. But, thankfully, there is one saving grace.

Analysis of healthcare breaches has consistently found that the vast majority are caused by a single factor: People.

Between lost and stolen devices, privilege misuse, and miscellaneous errors, a massive 77 percent of healthcare security incidents are directly caused by human error. Whether it’s a laptop left on a train or sensitive emails sent to the wrong recipient, plain old-fashioned negligence is (at least for now) the prime culprit.

And even when considering other threats to the healthcare industry, such as ransomware, there’s still a substantial human element. A vast proportion of malware attacks are initiated via phishing and spear phishing campaigns, which by definition rely on unwitting employees following malicious links or instructions.

So while the security gap to be bridged may be vast, the immediate way forward is clear. In order to cut security incidents (and all the breach fines, incident response costs, and inconvenience that goes along with them) by more than two thirds, all you need to do is train your employees.

Of course that’s easier said than done. Implementing a powerful, consistent security awareness training program requires investment, and it will take some time to see results. But when compared to the technical challenge of securing every individual endpoint in a hospital, it starts to seem trivially simple.

Over time healthcare organizations will have to implement rigorous technical security controls. Medical devices will require firmware patching, legacy systems will have to be updated or replaced, and network traffic will need to be monitored closely. In the short term, simple precautions such as encrypting mobile devices will help reduce the risk of breaches caused by loss or theft.

But first and foremost, the priority of healthcare CISOs should be clear: Patch the human vulnerability.