- Another report points to insider error and misuse as major threats to data security in the healthcare sector. Errors such as improper handling and storage of patient files, often due to poor organizational policies and procedures, leave IT systems and connected medical devices vulnerable to outside attack and manipulation, new research from Vectra warns.
- Meanwhile, security risks associated with the healthcare internet of things (IoT) are exacerbated by unpartitioned networks, inadequate access controls and reliance on legacy systems, according to the Vectra 2019 Spotlight Report on Healthcare.
- One spot of good news is that ransomware attacks, while still a concern, subsided considerably during the second half of last year.
This latest report is more evidence that health systems are not equipped to deal with ever-growing cybersecurity threats. According to Protenus, the healthcare industry suffered 503 data breaches in 2018, affecting nearly 16.1 million patient records — up from 477 breaches and 5.6 million records the prior year.
One fourth of healthcare organizations suffered a mobile-related compromise in the past year, according to Verizon's Mobile Security Index 2019 report, which looked at cybersecurity activity across a range of industries. Among all respondents, 76% felt IoT devices posed the highest cybersecurity risk. At the same time, fewer than a third of organizations reported using whole disk encryption and roughly 5% of devices lacked lock screen configurations.
Security vulnerabilities of EHRs and insufficient funding for cybersecurity also put many health systems and other organizations at risk. According to a JAMA Internal Medicine research letter published last fall, 53% of 1,138 data breaches the researchers analyzed were triggered internally.
Between July and December of last year, the most common approach to hide command-and-control communications in healthcare was via hidden HTTPS tunnels, according to Vectra. The traffic represents outside communications spanning multiple sessions over long periods that appear to be normal encrypted web traffic. The next most common method attackers employed was external remote access tools, which can be used when healthcare organizations communicate with external service providers such as independent labs and imaging centers.
Vectra saw a spike in behaviors consistent with hackers conducting internal reconnaissance via internet darknet scans and Microsoft Server Message Block account scans. Darknet scans occur when an organization's IoT devices keep searching for IP addresses not recognized by the network. SMB account scans can occur when a host device quickly flits through multiple accounts using the SMB protocol, which is often used in file sharing.
Use of domain name system (DNS) tunnels was the most prevalent way attackers exfiltrated healthcare data, followed by what is called "smash and grab." The latter occurs when reams of data are sent to an outside location in a short period of time, such as images from a security camera that are forwarded to the cloud.
The challenge of keeping networks safe is compounded by legacy systems that lack basic cybersecurity controls and medical devices that connect to the network without vetting for security, the report notes. Healthcare is also a round-the-clock operation, which discourages making downtime for patches and upgrades.
"Healthcare organizations struggle with managing legacy systems and medical devices that traditionally have weak security controls, yet both provide critical access to patient health information," Chris Morales, head of security analytics at Vectra, said in a statement. "Improving visibility into network behavior enables healthcare organizations to manage risk of legacy systems and new technology they embrace."
Vectra based its findings on data from the 2019 RSA Conference Edition of the Attacker Behavior Industry Report, which tracks behaviors and trends in the networks of a sampling of 354 opt-in enterprise organizations across nine industries, including healthcare.