FBI sees rising cyber threats to healthcare

The Federal Bureau of Investigation sees increasing pressure from hackers trying to access patient information from providers.

Recent events suggest that the pressure may be rising, as offers to sell patient records with protected health information on the “Dark Web” market represent a new level of threat for healthcare organizations trying to protect health information.

In late June, a hacker known as “The Dark Overlord” reported the theft of nearly 10 million patient medical records from providers and a major insurer and put them up for sale on the Dark Web market, where hackers buy and sell data taken from a variety of sources. As of this writing, the records have not been sold, and the seller may be having trouble finding a buyer for the treasure trove of protected health information.

The extent of the data theft has not been verified by outside sources. But cybersecurity experts believe this new market for patient records will only expand.

Contacted for information regarding the Dark Overlord incident, the FBI declined to comment on any ongoing investigations, but it did issue guidance for providers on steps they should take to improve their security profile.

The FBI’s guidance on best practices for protecting healthcare data re-emphasizes some well-known precautions, but it also includes others that may not be widely used by many providers and payers.

The FBI suggests that healthcare organizations:

  • Enhance employee awareness about malware threats and train appropriate individuals on information security principles and techniques.
  • Patch the operating system, software and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This precaution can be made easier through a centralized patch management system.
  • Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
  • Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed.
  • Those with a need for administrator accounts should only use them when necessary; they should operate with standard user accounts at all other times.
  • Configure access controls with least privilege in mind. If a user only needs to read specific files, he or she should not have “write” access to those files, directories or shares.
  • Disable macro scripts from office files transmitted via e-mail.
  • Implement software restriction policies or other controls to prevent the execution of programs in common malware locations.
  • Regularly back up data and verify the integrity of those backups.
  • Secure backups and ensure that backups are not connected to the computers and networks they are backing up. Examples might be securing backups in the cloud or physically storing them offline.
  • Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.
  • Use virtualized environments to execute operating systems or specific programs.
  • Categorize data based on organizational value and implement physical/logical separation of networks and data for different organization units. For example, sensitive research or business data should not reside on the same server or network segment as an organization’s e-mail environment.
  • Require user interaction for end user applications communicating with Web sites uncategorized by the network proxy or firewall. Examples include requiring users to type information or enter a password when their system communicates with an uncategorized Web site.
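The backup recommendations above call for verifying the integrity of backups and keeping them isolated from the systems they protect. The following Python script is an added example, not part of the article or of the FBI guidance, that shows one way to do the integrity half of that: it records a SHA-256 manifest of a backup set and later re-checks the set, reporting files that were modified, removed or added since the manifest was taken. The directory layout and file contents are constructed inside the script purely for demonstration; in practice the manifest would be written at backup time and stored on a separate, offline or write-once medium so that a compromise of the backup host cannot silently rewrite both the data and its checksums.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file under backup_dir (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(backup_dir.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(backup_dir).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest: dict, manifest_path: Path) -> None:
    """Persist the manifest as JSON; store this copy off the backup host."""
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(manifest_path: Path) -> dict:
    return json.loads(manifest_path.read_text())


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Re-hash the backup set and report every deviation from the recorded manifest."""
    current = build_manifest(backup_dir)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_intact(report: dict) -> bool:
    return not (report["modified"] or report["missing"] or report["unexpected"])


def demo() -> dict:
    """Build a constructed backup set, verify it, then tamper with it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "ehr").mkdir(parents=True)
        # Constructed sample files standing in for a real backup set.
        (backup / "ehr" / "patients.db").write_bytes(b"constructed sample database contents")
        (backup / "ehr" / "config.ini").write_text("[db]\nhost=localhost\n")

        manifest_file = Path(tmp) / "manifest.json"  # would live on separate media in practice
        save_manifest(build_manifest(backup), manifest_file)
        manifest = load_manifest(manifest_file)

        clean_report = verify_backup(backup, manifest)

        # Simulate what ransomware or bit rot on the backup host would look like.
        (backup / "ehr" / "patients.db").write_bytes(b"constructed sample database contents, altered")
        (backup / "ehr" / "config.ini").unlink()
        (backup / "ehr" / "extra.tmp").write_text("stray file not in the manifest\n")

        tampered_report = verify_backup(backup, manifest)

    return {"clean": clean_report, "tampered": tampered_report}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, "intact" if is_intact(report) else "PROBLEMS", report)
```

A scheduled run of `verify_backup` against the stored manifest, with any non-empty report raised as an alert, turns the FBI's "verify the integrity of those backups" item into a routine check rather than a discovery made during a restore.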