Insecure healthcare organisations don’t even know they’re being hacked, experts warn

Thieves recruiting insiders to cherry-pick sensitive healthcare data as black-market value increases

The convergence of operational and clinical networks, compounded by a systemic lack of action on information-security controls, is crippling the Australian healthcare industry's data protection efforts and signals looming problems for a compliance regime that depends on greater visibility of data breaches, security specialists have warned.

The magnitude of the problem was flagged in a recent research study by IBM's X-Force Research security team, which noted that data theft and ransomware were a "plague" that healthcare organisations weren't handling very well.

The X-Force team flagged 320 breaches involving unsecured personal health information during 2016 alone, an 18.5 percent increase over 2015 that was likely fuelled by the increasing value of such information on black-market information exchanges. That value was more than twice the mean across all other industries, reflecting the premium that attackers increasingly place on sensitive personally identifiable information (PII).

Despite the risks that data loss presents, Australian healthcare organisations and government policymakers are suffering from "a general lack of understanding of the magnitude of the risk with which the providers are faced," warns Richard Staynings, principal and cybersecurity healthcare leader with Cisco Systems.

“Most simply don’t have the tools or personnel to really understand what’s happening on their network. There is very little in the way of security operations capabilities and visibility tools, and there is quite little from a regulatory or compliance perspective that is forcing people to look into the repercussions when data is not secured.”

The push towards digital transformation – which has hit government-run and government-affiliated healthcare organisations as much as any others – has forced organisations to rethink their cybersecurity strategies. Yet in some environments, an overly stringent focus on compliance – a common business response to identified procedural weaknesses – is exacerbating the problem, according to recent SANS Institute analysis.

Staynings agrees, highlighting three key areas of concern – including holistic planning and security roadmapping; a lack of appropriate skill sets for developing security strategy and governance models; and a lack of operational visibility that has, in part, been hampered by “extremely limited” budgets that provide ever-present limitations on healthcare organisations’ ability to maintain their infrastructure security.

Such visibility is critical for healthcare organisations to even know that they are under attack, much less to manage their sensitive data. Alongside it, Staynings argues, the convergence of operational and clinical systems demands an architectural response: "more effective segmentation controls" for high-value information assets, and for devices that cannot be secured using traditional endpoint security controls, such as implantable medical devices.

“We need to implement alternate segmentation controls to protect those unprotectable devices,” Staynings explains, “to prevent their being used to attack patients, hold patients to ransom, or be used as a weak egress point to the healthcare business network through which finance, payroll, and other data can be stolen.”
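The segmentation control Staynings describes amounts to an explicit allow-list of flows between zones, with no path at all from the clinical-device zone to the business network. The following is an added example, not code from the article or from Cisco: a small policy checker that classifies flow records into zones, evaluates each inter-zone flow against an allow-list, and reports what a zone-boundary filter would have blocked. The zone addresses, the service ports and the flow-log lines are all constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone map. Addresses and zone names are assumptions for this
# example, not taken from the article.
ZONES = {
    "clinical": ipaddress.ip_network("10.10.0.0/24"),   # unmanaged clinical devices / implant gateways
    "devmgmt": ipaddress.ip_network("10.20.0.0/24"),    # device-management servers
    "business": ipaddress.ip_network("10.30.0.0/24"),   # finance, payroll, HR
}

# Explicit allow-list of inter-zone flows (src_zone, dst_zone, proto, dst_port).
# Anything not listed is denied, so "clinical" has no route to "business" in
# either direction. The ports are hypothetical.
ALLOWED = {
    ("clinical", "devmgmt", "tcp", 8443),   # device telemetry to its manager
    ("clinical", "devmgmt", "udp", 53),     # DNS served from the management zone
    ("devmgmt", "clinical", "tcp", 443),    # manager pushes configuration to a device
    ("business", "devmgmt", "tcp", 443),    # staff use the management console
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip):
    """Map an address to its zone; anything outside the known ranges is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    # Constructed log format: "<timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def evaluate(flow):
    """Return ("allow" | "deny", reason) for one flow under the zone policy."""
    sz, dz = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (sz, dz):
        # Default-deny: an endpoint the policy cannot classify gets no inter-zone access.
        return "deny", f"unclassified endpoint ({flow.src} -> {flow.dst})"
    if sz == dz:
        # Traffic that never crosses the zone boundary is not filtered here.
        return "allow", f"intra-zone {sz}"
    if (sz, dz, flow.proto, flow.dport) in ALLOWED:
        return "allow", f"{sz} -> {dz} {flow.proto}/{flow.dport} on allow-list"
    return "deny", f"{sz} -> {dz} {flow.proto}/{flow.dport} not on allow-list"


def audit(lines):
    """Return (flow, reason) for every flow the segmentation policy would deny."""
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            violations.append((flow, reason))
    return violations


# Constructed sample flow log: one legitimate telemetry flow and config push,
# then a clinical device reaching for SMB on the business network, a business
# host trying SSH into the device zone, a device calling out to an external
# address, and a staff member using the management console.
SAMPLE_FLOWS = """\
2017-03-01T10:01:02Z 10.10.0.5 10.20.0.7 tcp 8443
2017-03-01T10:01:09Z 10.20.0.7 10.10.0.5 tcp 443
2017-03-01T10:02:15Z 10.10.0.5 10.30.0.9 tcp 445
2017-03-01T10:03:40Z 10.30.0.9 10.10.0.5 tcp 22
2017-03-01T10:04:01Z 10.10.0.5 203.0.113.10 tcp 443
2017-03-01T10:05:12Z 10.30.0.9 10.20.0.7 tcp 443
""".splitlines()

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.ts} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Run against the sample, the checker denies three of the six flows: the device-to-business SMB attempt (the "weak egress point" in the quote above), the business-to-device SSH attempt, and the device's outbound connection to an unclassified address. Because the policy is an allow-list rather than a block-list, adding a new device type means adding only the flows it is known to need; everything else stays closed by default.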

Time and again, apathy around the protection of healthcare data has already had serious consequences in Australia and overseas: researchers were counting the cost as hackers remotely wiped exposed CouchDB and Hadoop databases after successfully targeting others running MongoDB and Elasticsearch. Last month, a California nursing school was hit by ransomware, highlighting a trend that is only intensifying as half of SMB ransomware victims end up paying their attackers' demands; a recent IBM survey found that the percentage was even higher amongst larger businesses, 70 percent of which admitted to paying a ransom, and more than half of those paid more than $US10,000 ($A13,050).

Consumers have high expectations that the organisations holding their private information will protect it. But with recent Cisco research suggesting that spam is making a comeback and many users proving to be as susceptible as ever to online manipulation – and still others being actively recruited to help in data-exfiltration schemes – data-security practitioners need to assume that healthcare networks are hostile environments and manage them accordingly.

Fully 68 percent of network attacks on healthcare organisations during 2016 were carried out by insiders, according to IBM, with malicious data input the most common attack vector and third-party organisations often creating exploitable vulnerabilities. IBM’s X-Force team expects this to continue – highlighting the “urgent need for organisations to transform a point product-based set of security solutions into an integrated security immune system”.