US healthcare security is far from iron-clad; but it’s not the run-of-the-mill identity thief that is the most dangerous. According to Fujitsu’s security arm, PFU Systems, internal network threats – both intentional and unintentional – and targeted attacks represent the greatest threat to the security of health provider networks and patient record security.
In the wake of the Community Health Systems hack of 45 million patient records, the FBI issued an advisory warning of the vulnerability of US health records.
“The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII),” it said. “These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data.”
The records biz can be highly lucrative: Don Jackson, director of threat intelligence at PhishLabs, told Reuters that stolen health credentials can go for $10 each in the criminal underground, which is 10 to 20 times the value of a US credit card number.
Worryingly, PFU Systems also reports that a high number of network security incidents originate within network firewalls—and often without mal-intent. The 2014 Verizon Data Breach Investigation Report bears this out, revealing more than 16,000 incidents of unintentional exposure of sensitive information by insiders. And Verizon identified the healthcare sector as one of the worst offenders for such incidents.
All of this necessitates an overhaul of security approaches, PFU noted.
"The fact is that to secure records and networks, providers need to activate in-network security measures,” said Carmine Clementelli, network security product manager at PFU, in an advisory emailed to Infosecurity. “Relying solely on perimeter firewall security schemes is the pinnacle of outmoded thinking. Today, advanced attacks introduced via malware such as remote access trojans can disguise themselves as normal web traffic, emails or other routine communications, and then after lying dormant, seize massive amounts of patient records in seconds. Besides, what if a C&C server was inside the network? In short, it’s time to let security inside the network, because the bad guys often already know how to get in there.”
PFU has issued three recommended security steps to immediately substantially tighten network and data security. For one, organizations should deploy behavioral traffic analysis technologies with advanced intrusion prevention systems (IPS) that are able to analyze all the traffic that goes through the network switches, not only the traffic that leaves the perimeter, so that they can detect advanced persistent threats (APTs) that are aiming to steal patient and institutional data.
Second, healthcare organizations need to recognize that bring your own device (BYOD) is a fact of life in most busy hospitals. These facilitate communications and productivity but also create new vulnerabilities that further heighten risk of opening new doors to cyber-crime experts – unless organizations adopt endpoint visibility tools to control all IP-based devices, both wired and wireless, without requiring intrusive agent software.
And finally, they should take a preventative approach for application management to better manage application usage within the network, preventing applications with higher risk levels and users without advanced permissions from specific subnets.
"Mobility and BYOD force organizations to adapt to a new definition of network perimeter," said Larry D. Cohn, vice president at Healthcare Systems Management Group, in a statement. "It’s imperative that we know who and what is active on the network in order to control network access and activities and prevent and block threats inside the networks – without inordinate additional expense and complexity."