The healthcare industry is going digital, with massive amounts of patient data stored and shared among organizations. The bad news is that attackers now target this sensitive and often highly personal information. According to the Symantec 2016 Internet Security Threat Report (ISTR), 78 million patient records were exposed in 2015 in a major data breach at Anthem, the second largest health insurer in the US.
With this deluge of customer and patient data, how are organizations protecting it?
Here is an overview of some of the issues facing the healthcare industry and of how organizations can protect themselves.
2015: The Changeover Year
According to the 2016 ISTR, over half a billion personal information records were stolen or lost in 2015. The largest number of breaches took place within the Health Services sub-sector, which accounted for 39 percent of all breaches in the year.
Facts about the Anthem attack:
- 78 million patient records were exposed; the breach dates to January 26, 2015
- The breach is attributed to a cyberespionage group that Symantec calls Black Vine
- The attackers used a wide variety of resources to conduct multiple, simultaneous attacks over a sustained period of time (attacker-owned infrastructure, zero-day exploits, custom-developed malware)
“We have to remember that Healthcare lives in the bigger world of threats and vulnerabilities and while we like to think we are that different, ignoring what is happening around us is naïve, and dangerous. We can never forget that because of the uniqueness of our industry, we need to frame that bigger world around healthcare’s special issues: huge volumes of very marketable and salable data, lagging security, remote services, medical devices, special requirements to share and protect that data,” says David Finn, Health IT Officer, Symantec.
Attackers breached at least 55 healthcare providers and stole data on more than 110 million Americans, HealthITSecurity reported.
“2015 was a changeover year,” says Axel Wirth, Healthcare Solution Architect, Symantec. “Prior to 2015, user negligence (lost or stolen work computers) was the cause of data breaches. Today, we see a shift towards targeted attacks to an industry that isn’t fully prepared.”
The Symantec 2016 Healthcare Internet Security Threat Report found that the healthcare industry suffers from a lack of attention and investment in IT security. For example, only 33 percent of healthcare providers believe that they have sufficient resources to prevent, or quickly detect, a data breach.
Symantec believes that the attackers behind one of the largest and most highly publicized healthcare industry breaches of 2015 are part of a highly resourceful cyberespionage group called Black Vine. The group is not healthcare-specific: according to Symantec research, it has also targeted other industries such as aerospace, energy, military, finance and technology.
What’s at Stake?
Criminals have learned to monetize more than credit card numbers on the underground black market; stolen healthcare information is also sold there.
“Unlike your credit card number, which can be changed after it is stolen, your healthcare information stays the same,” explains Kevin Haley, Director, Symantec Security Response. “Criminals use this information for identity theft and for healthcare fraud; for example, submitting false claims.”
Healthcare data also carries a great deal of private information: a person’s medical history, physical description, information on next of kin, and so on. Financial and insurance information is often bundled with healthcare data as well.
“There’s also the value of stolen healthcare information to nation states,” says Axel Wirth. “Nation states can check immunization records that might be a part of travel profiles for diplomatic or military records. So, the theory is that nation states can use this healthcare data to spy on their citizens or even blackmail them over personal medical records.”
Healthcare Fundamental Differences
Breaches in the healthcare industry often make headlines because the industry has the most stringent reporting requirements: when a breach happens, a healthcare organization must report the data loss. But other factors also set the industry apart, and in doing so create additional challenges.
Three fundamental differences of the healthcare industry include:
- Highly regulated
- Additional security can create obstacles
- Inherent complexity
Overall, these differences make creating a unified cyber security approach for the entire industry a daunting challenge.
How Attackers Breach the Healthcare Industry
2015 was the changeover year for the healthcare industry, with a shift toward targeted attacks. With emerging technologies such as the Internet of Things (IoT), the industry now faces questions such as whether hospitals can be breached through their medical devices, and how consumer health IoT devices can leak data.
“Medical devices are the original IoT devices,” explains Kevin Haley. “Today more medical devices are being networked but also have USB ports that make them open for malware attacks.”
Within the healthcare industry, many medical devices run off-the-shelf (OTS) software that has been found vulnerable to viruses, worms and other threats. Examples include systems that transmit images over networks (such as ultrasound), systems that monitor patient activity, and systems that communicate with clinical laboratory analyzers.
According to the 2016 ISTR, researchers have found potentially damaging vulnerabilities in dozens of devices such as insulin pumps, x-ray systems, CT-scanners, medical refrigerators, and implantable defibrillators.
For more information, read the FDA’s “Guidance for Industry: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software.”
A Shift is Coming in the Approach to Healthcare Security
While technology plays a vital role in furthering healthcare security, the focus will shift to the people and policies that generate, use and manage the data and information required for care and its related processes.
“Hopefully, healthcare IT executives will realize that security is not only a compliance issue but also an assurance issue,” says David Finn, Health IT Officer, Symantec. “And non-IT executives will begin to understand that security is also a people issue, not just a technology issue. Computers don’t click links, steal critical data, or social engineer—people do. And it’s people who can stop breaches from occurring.”
Looking for more insights?
Watch the 2016 Healthcare Internet Security Threat Report Highlights recorded webcast co-presented by Paul Wood, Cyber Security Intelligence Manager, Symantec and David Finn, Health IT Officer, Symantec.
For more information visit us at: www.symantec.com/healthcare.