SANS Institute Report on Cyberthreat To Healthcare Industry

Feb 20 2014, 2:06am CST | News | Technology News


In light of last week's cyber-attack on Forbes, the release yesterday of a new cyberthreat report specifically for healthcare was both timely and sobering. Maliciously disrupting the business of a major media company is serious stuff. Applying a similar attack to healthcare entities has broader (and potentially deadlier) implications.

The report – the SANS Health Care Cyber Threat Report (email registration required) – was sponsored by Norse (a threat intelligence vendor), which provided the data to the SANS Institute for analysis. As SANS describes itself on its website:

SANS is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet’s early warning system – the Internet Storm Center. (www.sans.org)

Senior SANS Analyst and Healthcare Specialist Barbara Filkins authored the report which included some startling analysis.

The data analyzed was alarming. It not only confirmed how vulnerable the industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen.

During the sample period [09/2012 to 10/2013], the Norse threat intelligence infrastructure – a global network of sensors and honeypots that process and analyze over 100 terabytes of data daily – gathered data.  The intelligence data collected for this sample included:

49,917 Unique Malicious Events
723 Unique Malicious Source IP addresses
375 U.S.-based health-care related organizations were compromised

A SANS examination of cyberthreat intelligence provided by Norse supports these statistics and conclusions, revealing exploited medical devices, conferencing systems, web servers, printers and edge security technologies all sending out malicious traffic from medical organizations. Some of these devices and applications were openly exploitable (such as default admin passwords) for many months before the breached organization recognized or repaired the breach. – Barbara Filkins, SANS Analyst and Healthcare Specialist

One reason for the alarm: this was all just a sample data set. The report identified every category in healthcare as having been compromised and, in some instances, still open and vulnerable.

Health care providers – 72.0% of malicious traffic
Health care business associates – 9.9% of malicious traffic
Health plans – 6.1% of malicious traffic
Health care clearinghouses – 0.5% of malicious traffic
Pharmaceutical – 2.9% of malicious traffic
Other related health care entities – 8.5% of malicious traffic

Even though the largest single category of malicious traffic was identified as health care providers, the report highlighted one medical device company in Florida (Site One) as having a significant number of events (over 12,000) during the reporting period.

The list of exploited devices included medical devices, conferencing systems, web servers, printers and edge security technologies that were all sending out malicious traffic from medical organizations. Surprisingly, the two biggest categories of risk were security devices themselves and then devices that fall more broadly into the Internet-of-Things (IoT). Newer versions of devices like dialysis and MRI machines are often “network” attached.

Connected medical devices, applications and software used by health care organizations providing everything from online health monitoring to radiology devices to video-oriented services are fast becoming targets of choice for nefarious hackers taking advantage of the IoT to carry out all manner of illicit transactions, data theft and attacks. This is especially true because securing common devices, such as network-attached printers, faxes and surveillance cameras, is often overlooked. The devices themselves are not thought of as being available attack surfaces by health care organizations that are focused on their more prominent information systems. – SANS-Norse Report

The report highlighted an IP-connected device (in this case a video surveillance camera left on its default security settings) as an easy entry point from which access could then be extended to other devices on what the organization would likely consider its secure, private network.
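The two failure modes the report keeps returning to, IoT, medical and edge devices that should never talk to the Internet but are seen sending traffic outbound, and devices still sitting on default administrative credentials, are both cheap to check for if an organization has a device inventory and flow logs. The following is an added example, not code from the SANS report or from Norse; the inventory, the device classes, the "expected egress" policy and the flow records are all constructed sample data, and the IPs are documentation ranges.

```python
"""
Added example (not from the SANS/Norse report): flag constrained devices
that reach out to the Internet, and devices still on default credentials,
then rank the overlap. Everything below is constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: ip -> (device class, admin credential state)
INVENTORY = {
    "10.20.1.15": ("surveillance_camera", "default"),
    "10.20.1.40": ("network_printer", "changed"),
    "10.20.2.7": ("dialysis_machine", "default"),
    "10.20.3.90": ("edge_firewall", "changed"),
    "10.20.4.12": ("workstation", "changed"),
}

# Assumed policy: these classes are only ever *reached*; they never initiate
# connections to the Internet. A camera talking to an external host on an IRC
# port, or a dialysis machine sending SMTP, is a finding regardless of payload.
NO_EGRESS_CLASSES = {
    "surveillance_camera", "network_printer", "dialysis_machine", "mri_scanner",
}

# RFC 1918 space is treated as internal. Python's ip.is_private also counts
# the TEST-NET documentation ranges as private, so we check explicitly.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records: "timestamp src_ip dst_ip dst_port bytes"
FLOW_LOG = """\
2013-10-01T08:00:01Z 10.20.1.15 10.20.4.12 554 8812
2013-10-01T08:00:03Z 10.20.1.15 198.51.100.23 6667 1320
2013-10-01T08:00:04Z 10.20.4.12 93.184.216.34 443 40210
2013-10-01T08:00:09Z 10.20.2.7 203.0.113.77 25 9870
2013-10-01T08:00:11Z 10.20.1.40 10.20.4.12 9100 5120
2013-10-01T08:00:15Z 10.20.3.90 203.0.113.77 443 700
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_rogue_egress(flows, inventory):
    """Return {src_ip: [(dst_ip, dst_port), ...]} for no-egress devices
    that initiated a connection to an external address."""
    hits = defaultdict(list)
    for f in flows:
        cls, _ = inventory.get(f["src"], ("unknown", "unknown"))
        if cls in NO_EGRESS_CLASSES and is_external(f["dst"]):
            hits[f["src"]].append((f["dst"], f["port"]))
    return dict(hits)


def find_default_credentials(inventory):
    """IPs whose admin credential state is still the vendor default."""
    return sorted(ip for ip, (_, cred) in inventory.items() if cred == "default")


def triage(flows, inventory):
    """Rank findings: rogue egress scores 2, default credentials 1, so a
    device with both (the camera-as-entry-point case) sorts to the top."""
    egress = find_rogue_egress(flows, inventory)
    defaults = set(find_default_credentials(inventory))
    report = []
    for ip, (cls, _) in inventory.items():
        score = (2 if ip in egress else 0) + (1 if ip in defaults else 0)
        if score:
            report.append((score, ip, cls))
    return sorted(report, reverse=True)


if __name__ == "__main__":
    for score, ip, cls in triage(parse_flows(FLOW_LOG), INVENTORY):
        print(f"score={score} {ip} ({cls})")
```

The workstation and the edge firewall reach external hosts too, but they are allowed to, so they produce no finding; the point of the check is the policy per device class, not the destination alone. In practice the inventory would come from a CMDB or network scan and the flows from a firewall or NetFlow export, and a default-credential state would be populated by an authenticated configuration audit rather than maintained by hand.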

Perhaps the most chilling aspect of the report (aside from the enormous financial liability for healthcare entities) was the potential consumer liability associated with Medical Identity Theft (largely around electronic medical record software and “personal health information”).

In the e-commerce world, consumers have some protection from theft and fraud. In the healthcare world, consumers are directly responsible for costs related to compromised medical insurance records. A survey last year by the Ponemon Institute estimated the cost of Medical Identity Theft to consumers at $12 billion for 2013.

The larger consumer risk isn’t financial; it’s the life-threatening inaccuracies in the medical records themselves (which are often the records used to commit the financial fraud). According to the Ponemon survey (sponsored by the Medical Identity Fraud Alliance), victims reported these medical consequences:

15% of respondents experienced a misdiagnosis
13% of respondents experienced a mistreatment
14% of respondents experienced a delay in treatment
11% of respondents were prescribed the wrong pharmaceutical
50% of respondents have done nothing to resolve the incident

The largest single takeaway from the report for the HIPAA-obsessed healthcare industry could well be this one.

Today, compliance does not equal security. Organizations may think they’re compliant, but this data shows that they are not secure. – SANS Health Care Cyberthreat Report (email registration required)

Source: Forbes
