Why Healthcare and Why Now?
It wasn’t until relatively recently that hospitals and medical providers became targets of hackers and thieves. While this could be said to be an indirect result of the Affordable Care Act, which requires providers to give patients easy access to their medical records, it is also due to the inevitable shift to digital recordkeeping that has been in motion for decades. These factors have led to a concerted drive to go completely electronic, creating websites and patient portals where users can easily log in and view or download what they need. The upside is that studies have shown online access results in greater trust between doctor and patient as well as a general improvement in self-care. The downside is that many of these systems were built with very few security safeguards or protocols in place. Stealing medical records is a multi-billion-dollar business, as this information is said to be worth up to 20 times more than a credit card number. Criminals can use it to order prescription drugs, buy equipment for resale on the black market, make phony insurance claims, use it themselves, sell it to others, or all of the above. As we will show, there are many points of access to all this lucrative data.
Targeting Healthcare Workers with Phishing
One of the simplest and most common attacks is phishing, i.e., sending a spam email to healthcare workers that includes a malicious link or attachment. Sometimes the attachment claims to be a medical invoice, and the link leads to a phony web portal that prompts for a username and password. A busy administrator or doctor may inadvertently click it or type a password before thinking. The best defense against this reflexive clicking is to train your staff to be savvy about attachments and phishing emails, using a service like SecurityIQ from InfoSec. Once the link is clicked or the attachment opened, the hackers have access to a computer and possibly a network. They can then infect other computers, steal data, and potentially even lock the entire staff out unless a fee is paid. This last scenario is known as ransomware, and it puts hospitals in a precarious position that can mean life or death for their patients. The most famous example to date is the ransomware attack on Hollywood Presbyterian Hospital, where administrators capitulated to the hackers’ demands and paid $17,000 in Bitcoin to recover access to their own medical records system.
Targeting Patients and Patient Portals
On the other side of the coin is the patient who accesses information online through their doctor or hospital, which often happens via a third-party EHR vendor. These vendors are often international, and many of them have vulnerabilities that can be exploited, giving hackers access to possibly thousands of different networks. In July 2015, Medical Informatics Engineering announced that their EHR system had been breached and an unspecified number of patients’ personal records exposed. In addition to the vendors, there is the problem of patients themselves falling for phishing scams. Some who are older or less savvy may click on an email link that tricks them into entering their username and password into a phony web portal. The hackers can then use those credentials to steal data.
Targeting Medical Consumer Apps
With the advent of smartphones and tablets, consumer health-related apps are proliferating in the marketplace. Many of these apps have been shown to be helpful for weight loss or exercise; at the very least, they let you count your steps. However, some also have serious security flaws and/or privacy issues that could compromise user data. Other apps pretend to be legitimate but are merely selling snake oil. For example, a $4.99 app called “Mole Detective” promised it could identify potentially cancerous moles. (Charged by the FTC with making false and unsubstantiated claims, the company behind it settled for $58,000.) Another looming threat is the Masque attack, in which a user receives an email, text, or IM with a link to what they think is a legitimate app but is actually a clever fake that can be controlled or monitored remotely. It was reported in 2014 that a vulnerability in iOS allowed fake versions of apps like WhatsApp, Facebook, and Bank of America to carry the same bundle identifier as the real app and therefore be installed on an iPhone automatically; Google Play and Windows apps have also been found to have similar issues.
Targeting Medical Devices
Another area of exploitation is electronic medical devices themselves, many of which are built on outdated computer systems (Windows 2000, anyone?). A white paper released by TrapX analyzed three separate hospital attacks and found that criminals were able to infiltrate and completely take over older devices like X-ray machines, medical lasers, and even life support systems. The attack vector, which they call MEDJACK, used these devices as the weakest link for entry. “The MEDJACK is designed to rapidly penetrate these devices, establish command and control and then use these as pivot points to hijack and exfiltrate data from across the healthcare institution,” said Moshe Ben Simon, Co-Founder & VP of TrapX Security, in the report. In addition, medical devices are coming online as part of the Internet of Things, or IoT. This new technology allows various machines to “talk” to each other as well as transmit and store data; the potential for reinventing healthcare is practically limitless. Unfortunately, the potential for misuse by hackers is nearly as great. IoT medical devices can easily be turned into zombies and form a botnet of millions of machines, sending spam or launching DDoS attacks, often without the owner knowing it. Since there are no security standards yet for IoT devices, many gaping holes remain there as well.
Targeting Enterprise Cloud Storage
Many hospitals and medical practices are opting to eschew the security problems and costs of running their own network of servers and instead use file-sharing applications and cloud-based services. While this can save some costs and IT headaches, it has the potential to create new problems as well. A report by Skyhigh Networks found that 93% of the cloud services used by healthcare organizations are medium to high risk. In addition, an investigation into healthcare security published by the Washington Post found that many organizations use less secure file-sharing services; as an example, they cite how the University of Chicago Medical Center stored private patient information in a Dropbox account whose username and password had been published in an online manual.
What Can You Do?
Some of the solutions to these security issues will rely on the development and implementation of industry standards. Since the alarm bells are ringing, many of these are being fast-tracked. However, a great many vulnerabilities are caused by a general lack of awareness and/or diligence on the part of hospital staff. The Hollywood Presbyterian ransomware attack, for example, is thought to have succeeded because someone clicked on a malware attachment in an email; one of the MEDJACKs TrapX analyzed got in because someone visited a malicious website at a nurse’s station.
To help increase awareness and test diligence, Infosec Institute has created a suite of products under the SecurityIQ banner. The first is PhishSIM, an automated emailing program that can send simulated “phishing” emails to doctors, administrators, and coworkers. There are many templates to choose from, which can mimic invoices and other common types of communication. These can be scheduled and sent automatically in a series of blasts called a battery. If one of the recipients clicks on a link, it takes them to a short video explaining that they have been “hacked.” You will also receive an alert whenever this happens.
The other key tool is education. AwareED is a series of videos, lessons, and modules that can be configured and sent to a group of learners automatically. Topics include passwords, phishing scams, malware, and mobile security. In addition, we have many articles and important white papers on healthcare security. Don’t let your hospital network and medical records remain vulnerable any longer.