According to the SANS-Norse Healthcare Cyberthreat Report, 49,917 unique events of a malicious nature took place within the healthcare IT environment during the study period; and the networks and devices at 375 US-based healthcare-related organizations were compromised during this period.
Compromised devices included everything from radiology imaging software, to firewalls, to web cameras, to mail servers. And a significant number of compromises came about due to very basic issues such as not changing default credentials on firewalls.
Some of those organizations are still compromised, the study found. When compromised organizations emanate malicious IP traffic, the Norse infrastructure detects it and traces it back to the owner for the purposes of the study. The firm found there to be a wide range of organizations that emanated malicious IP traffic, many of them for months and some for the duration of the study – meaning they never detected their compromises and outbound malicious communications. Not only was this problematic for the target of the attack, but the open attack surface opened the doors for attacks on other organizations.
"Cybersecurity in healthcare IT is such a huge issue, as evidenced by some of the statistics my surveys have uncovered," said Larry Ponemon, chairman of the Ponemon Institute, in a statement. "With the Internet of Things expanding the attack surface, and current HIPAA and HITECH compliance not nearly providing enough security, healthcare organizations are falling further and further behind in their efforts to secure patient data. Such a large percentage of medical institutions have been victims of a cyberattack, and with costs resulting from such compromises numbering in the millions and billions, it's clear that security of healthcare data must become the priority for healthcare organizations. This report helps sound a very necessary alarm."
The stakes are high, of course: a network compromise often leads to a data breach, potentially exposing the personally identifiable information of millions of consumers as well as the organization's own intellectual property and billing systems. In addition, these compromised networks allow cybercriminals to use the organization's network infrastructure and devices to launch attacks on other networks and to execute billions of dollars worth of fraudulent transactions.
"This level of compromise and control could easily lead to a wide range of criminal activities that are currently not being detected,” said senior SANS analyst and healthcare specialist Barbara Filkins, the author of the report. “For example, hackers can engage in widespread theft of patient information that includes everything from medical conditions to social security numbers to home addresses, and they can even manipulate medical devices used to administer critical care.”
For many organizations governed by stringent regulations such as the Healthcare Insurance Portability and Accountability Act (HIPAA), compromises and breaches lead to massive fines. In 2013, fines ranged from $150,000 and went up to $1.7 million in the widely publicized WellPoint case.
Although many types of organizations were compromised, one type produced the majority of malicious traffic: healthcare providers like doctors and hospitals themselves, with 72% of it. They were followed by healthcare business associates (with 9.9% of malicious traffic), health plans (6.1%), healthcare clearinghouses (0.5%), pharmaceutical (2.9%) and other related healthcare entities (8.5%).
Although the vast majority of the compromised healthcare organizations are subject to regulations such as HIPAA and HITECH, making for hefty fines, it’s equally important to point out that ongoing attacks and compromises are placing a significant financial burden on patients, the report noted. Cybercrimes such as identity theft, stolen information and fraud not only place extreme inconvenience on individuals but also drive additional healthcare costs that patients may not be able to recover.
"What SANS and Norse have uncovered in this report is, in a word, alarming," stated Sam Glines, CEO of Norse. "The sheer number of attacks being perpetrated against healthcare organizations is overwhelming, while the defenses in place are not nearly enough to neutralize them. So although the healthcare industry continues to search for ways to protect its data, many organizations are still not able to properly safeguard critical data, and both companies and consumers are paying the price."
While most consumers are shielded against ecommerce-related theft and fraud expenses, they are responsible for costs related to compromised medical insurance records and files – costs that reached $12 billion in 2013.