The healthcare industry’s poor security posture makes it susceptible to the most basic opportunistic data attacks. The value of patient records and critical role that medical facilities play in national stability make healthcare an attractive target for financially and politically motivated attacks, according to eSentire, a vendor of continuous threat monitoring and resolution services. Its most recent industry threat report seeks to raise the awareness and education of senior decision makers about the cyber security issues facing the industry.
Growing exposure to threats
Standard business practice requires decentralized data sharing and specialized network-integrated medical equipment, both of which contribute to a rapidly expanding threat surface. In general, funds allocated to the IT department are mostly dedicated to business functions that actually increase the threat surface. Only a small fraction of IT spending in healthcare is designated for cybersecurity. Further, reliance on web portals for data sharing across entities is a core problem for the industry, according to eSentire.
Substandard authentication of users
Many healthcare organizations use single-factor authentication for their VPN services and have devices running the outdated Windows XP operating system. In fact, the most startling observation was the mass exposure of services that require only single-factor authentication, which are attractive targets for brute force attacks to acquire passwords.
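Password guessing against a single-factor service leaves a characteristic trail in the VPN concentrator's authentication log: many failures from one source in a short window, often across several usernames, sometimes followed by a success. The following detector is an added example, not code from eSentire or its report; the syslog-style line format, the host name `vpn1` and the sample addresses are all constructed, so the regular expression must be adapted to the real concentrator's log layout.

```python
"""Flag likely password-guessing against a single-factor VPN from auth logs.

Added example (not from eSentire's report). The log layout below is a
constructed, syslog-like format; adapt LINE_RE to the real VPN's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source cycling through usernames (and eventually
# succeeding), plus one ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2017-03-01T08:00:01 vpn1 auth: FAILED user=jsmith src=203.0.113.7
2017-03-01T08:00:03 vpn1 auth: FAILED user=jsmith src=203.0.113.7
2017-03-01T08:00:04 vpn1 auth: FAILED user=admin src=203.0.113.7
2017-03-01T08:00:06 vpn1 auth: FAILED user=nurse1 src=203.0.113.7
2017-03-01T08:00:07 vpn1 auth: FAILED user=nurse2 src=203.0.113.7
2017-03-01T08:00:09 vpn1 auth: FAILED user=dr.lee src=203.0.113.7
2017-03-01T08:00:10 vpn1 auth: OK user=dr.lee src=203.0.113.7
2017-03-01T08:15:00 vpn1 auth: FAILED user=mbrown src=198.51.100.22
2017-03-01T08:15:20 vpn1 auth: OK user=mbrown src=198.51.100.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: (?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src) for each line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_bruteforce(text, window_seconds=60, threshold=5):
    """Return one alert per source IP whose failures reach `threshold` inside a
    sliding window of `window_seconds`. Each alert lists the distinct usernames
    tried and any username that logged in successfully after the burst; that
    last case is the one that warrants an immediate credential reset."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    users = defaultdict(set)      # src -> usernames seen failing from that src
    alerted = {}                  # src -> alert dict (one alert per source)
    window = timedelta(seconds=window_seconds)
    for ts, result, user, src in parse_log(text):
        if result == "FAILED":
            q = recent[src]
            q.append(ts)
            users[src].add(user)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in alerted:
                alerted[src] = {"src": src, "first_seen": q[0], "failures": len(q),
                                "users": sorted(users[src]), "success_after": None}
        elif src in alerted and alerted[src]["success_after"] is None:
            alerted[src]["success_after"] = user   # burst followed by a login
    return list(alerted.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Against the sample, the detector raises a single alert for 203.0.113.7 (five failures in six seconds across four usernames, then a successful login as dr.lee) and stays quiet for the user who failed once. The threshold and window are deliberately parameters: a hospital's legitimate shift-change login bursts should be measured before the values are chosen.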
Outdated, exploitable software
eSentire personnel conducted open-source intelligence investigations on healthcare organizations, putting themselves in the role of a potential attacker to assess vulnerabilities. Results revealed massive threat surfaces, including publicly accessible network admin panels, insecure web services for patients and several devices exposed to the Internet and running outdated software. Commonly exploited software included OpenSSL, Microsoft Windows Server 2003, PHP, Apache Struts and Microsoft IIS.
Transparent access protocols
In one organization studied by eSentire, a network admin panel was left exposed, requiring only single-factor authentication to gain access. Remote administration login traffic occurred in clear text, making credentials and business activity susceptible to interception. This organization uses at least one consumer-grade Linksys router known for numerous vulnerabilities and lacking security features found in professional-grade routers. Also exposed were MySQL, SMB v1 and Telnet. Patient records kept on the MySQL server are easily accessible to hackers.
There are many tools available to hackers, both free through development platforms like GitHub and for sale in underground markets, that can efficiently scan the Internet for common vulnerabilities. These markets can be accessed through the Dark Web, a layer of Internet activity that runs on anonymized peer-to-peer connections and is frequented by threat actors conducting business. Vulnerabilities going back to 1999, such as CVE-1999-0517, are still regularly attacked by opportunistic threat actors.
Easily hacked point-of-sale devices
Another commonly observed attack on hospitals is the hijacking of point-of-sale devices such as the credit card readers used in payment processing. For example, after a breach of 3.7 million health records, Banner Health reported that threat actors had compromised payment systems in more than one of its hospitals' cafeterias to harvest payment information.
Massive phishing attacks
Healthcare organizations tend to see a larger proportion of phishing traffic than other industries because the email addresses of healthcare professionals are more publicly exposed than those of executives in other industries. Healthcare personnel are also more likely to open a phishing email, partly because they receive a high volume of email while ordering drugs and equipment and collaborating with other healthcare providers.
Increasingly common Heartbeat threats
Another common observation on healthcare networks is the presence of malformed Heartbeat requests, an alert raised when attackers attempt to exploit the Heartbleed vulnerability in OpenSSL. There is also a high rate of Android exploit attempts, possibly related to patients and visitors using the guest networks.
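A "malformed Heartbeat request" alert rests on one length comparison: a TLS Heartbeat message declares its own payload length, and a message whose declared length (plus the protocol's 16-byte minimum padding) does not fit inside the TLS record it arrived in is asking the peer to read past the data it received. The checker below is an added example written from the detection side, not code from eSentire or its report; the record layouts follow RFC 6520 and RFC 5246, and the three sample records (an application-data record, a well-formed four-byte heartbeat and the same heartbeat with its length field overstated) are constructed inline for the test.

```python
"""Classify TLS Heartbeat records as well-formed or malformed.

Added example, not from eSentire's report. It applies the same bound that the
Heartbleed fix in OpenSSL enforces: type (1) + length field (2) + declared
payload length + minimum padding (16) must not exceed the record fragment.
All sample records are constructed.
"""
import struct

TLS_HEARTBEAT = 24          # TLS ContentType for heartbeat (RFC 6520)
TLS_APPLICATION_DATA = 23
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16
TLS_1_1 = 0x0302


def parse_tls_record(data):
    """Split one TLS record into (content_type, version, fragment).
    Raises ValueError when the header or body is shorter than declared."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record body shorter than declared length")
    return content_type, version, fragment


def check_heartbeat(record):
    """Return 'not_heartbeat', 'ok' or 'malformed' for one raw TLS record.
    'malformed' means a peer honouring the declared payload_length would have
    to read beyond the bytes that were actually received."""
    content_type, _version, fragment = parse_tls_record(record)
    if content_type != TLS_HEARTBEAT:
        return "not_heartbeat"
    if len(fragment) < 3:
        return "malformed"                      # no room for type + length
    hb_type, payload_length = struct.unpack("!BH", fragment[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    if 1 + 2 + payload_length + MIN_PADDING > len(fragment):
        return "malformed"                      # declared length overruns record
    return "ok"


def scan_stream(data):
    """Walk concatenated TLS records and return one verdict per record.
    Stops at the first truncated record and reports it as 'truncated'."""
    verdicts, offset = [], 0
    while offset < len(data):
        try:
            _ct, _v, fragment = parse_tls_record(data[offset:])
        except ValueError:
            verdicts.append("truncated")
            break
        end = offset + 5 + len(fragment)
        verdicts.append(check_heartbeat(data[offset:end]))
        offset = end
    return verdicts


# Constructed samples.
# A well-formed heartbeat request: 4-byte payload "ping" plus 16 bytes of padding.
GOOD_RECORD = (struct.pack("!BHH", TLS_HEARTBEAT, TLS_1_1, 1 + 2 + 4 + MIN_PADDING)
               + struct.pack("!BH", HB_REQUEST, 4) + b"ping" + b"\x00" * MIN_PADDING)
# The same record with the payload_length field (bytes 6-7) overstated: the
# record still carries only 23 fragment bytes, so the declared length cannot fit.
BAD_RECORD = GOOD_RECORD[:6] + struct.pack("!H", 0x4000) + GOOD_RECORD[8:]
# An ordinary application-data record, which the checker ignores.
APP_DATA = struct.pack("!BHH", TLS_APPLICATION_DATA, TLS_1_1, 5) + b"hello"

if __name__ == "__main__":
    print("well-formed :", check_heartbeat(GOOD_RECORD))
    print("overstated  :", check_heartbeat(BAD_RECORD))
    print("stream      :", scan_stream(APP_DATA + GOOD_RECORD + BAD_RECORD))
```

The check is done on the record that was actually received, never on what the length field claims, which is why `parse_tls_record` refuses records whose body is shorter than the header says. An IDS signature for this alert encodes the same comparison; a patched OpenSSL simply discards such a message, so on a fully patched estate the alert is a sign of scanning rather than of a successful read.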
Widening security gap
The weak security posture of the healthcare industry is an escalating problem, eSentire warns. The industry’s lack of cybersecurity awareness combined with steady advances in technology, such as IoT pacemakers, life monitors and prosthetics, will continue to expand the industry’s threat surface.
Looming breach catastrophes
Healthcare organizations are hesitant to dedicate budget to cybersecurity, yet they continue to spend in other areas of information technology. This mindset will likely shift, sooner rather than later, and probably in response to a catastrophe rather than as a preventative measure.