Healthcare Ailing in Cyber War

Cyber criminals exploit vulnerabilities faster than healthcare organizations can adjust their cyber defenses.


Cybercriminals prey on the weak, and they’ve concluded that healthcare organizations are among the most alluring – sitting on massive volumes of potentially vulnerable personal health and financial information. At the same time, growing regulatory requirements leave these organizations threatened by steep compliance penalties if a breach occurs.

At the close of 2016, Experian’s Data Breach Resolution unit predicted that healthcare would be the most targeted sector for cyber criminals to exploit. Sure enough, in May 2017, malware known as WannaCry caused 37 of the health trusts in the UK’s National Health Service to shut down, and eventually spread across 150 countries, seeking out vulnerable computers and networks across industries. In June, a similar attack infected hospitals in the U.S. and a major pharmaceutical organization.

Like other attacks in recent years, the malware locked up computers and displayed a notice demanding ransom to unlock the systems. “Hospitals have been a common target because the culprits know how critical digital records are for treating patients,” noted a report from the Bloomberg news service.

“Many NHS computers are running very out-of-date software which can have serious security flaws,” the UK’s Daily Mail newspaper reported. “At least 10 health trusts still rely on the Windows XP operating system, released in 2001.”

Keeping pace with criminals

Part of the problem is that cyber criminals are moving faster to exploit vulnerabilities than organizations in healthcare and other industries can adjust their cyber defenses. In the case of WannaCry, the Los Angeles Times reported, “The tactic itself wasn’t innovative or surprising, exploiting a flaw in several versions of Microsoft’s Windows operating system that was well-known and well-publicized. A patch Microsoft issued in March to fix the issue could have taken businesses and organizations just a day or two to test and install.”

But it’s not just reliance on PCs with old software that makes hospitals particularly vulnerable.

“Hospitals not only have thousands of computers, phones and laptops: they also have thousands of medical devices connected to the network,” John D. Halamka, M.D. and Chief Information Officer of the Beth Israel Deaconess System, wrote in an article for the PBS NEWSHOUR web site. “IV pumps, X-ray machines, and heart monitors sound like appliances, but in reality they are computers with network connections. Many of these medical devices have little to no security protections because manufacturers never assumed they would be attacked.”

“Cybersecurity vulnerabilities and intrusions pose risks for every hospital and its reputation,” the American Hospital Association advises. “While there are significant benefits for care delivery and organizational efficiency from the expanded use of networked technology, Internet-enabled medical devices, and electronic databases for clinical, financial, and administrative operations, networked technology and greater connectivity also increase exposure to possible cybersecurity threats that require hospitals to evaluate and manage new risks.”

Any connected endpoint device represents a potential security vulnerability. Healthcare organizations are also adding more and more devices as they take advantage of Internet of Things (IoT) technology solutions aimed at improving efficiencies, saving costs, and improving health outcomes.

“Healthcare organizations are also charged with managing all the IoT devices in their network,” HIT Infrastructure warned. “Adopting a device management solution that gives IT administrators complete visibility and control over the network is crucial to successful implementation.”

Hiding in plain sight

In some cases it may be easier to plan for cyber security when adopting new systems. It’s also easy to overlook commonly used devices that may not be generally viewed as points of vulnerability.

Printers and imaging devices represent one such vulnerability that needs to be addressed. These everyday tools require little or no expertise to use, are increasingly networked, and are often left unattended. When there are unsecured devices, the entire network can be exposed to a cybersecurity attack.

Consider, for example, just a partial list of points of attack using one networked imaging or printing device:

  • Ports — Unauthorized users can access the device via unsecured USB or network ports to upload malicious code that, when activated, can provide many ways to exploit data.
  • Storage media — Imaging and printing devices often store sensitive information on internal drives or hard disks, which can be accessed if not protected.
  • BIOS and firmware — Firmware that becomes compromised during startup or while running could open a device and the network to attack.
  • Cloud-based access — Unsecured cloud connectivity may expose data to unauthorized users.
  • Network intercepts — Printing and imaging jobs can be intercepted as they travel over the network to/from a device.

Cybersecurity pain management

Just one lowly, networked multifunction printer, if unprotected, could result in painful ramifications, including identity theft, stolen proprietary information, a tarnished brand image and reputation, and litigation.

There are also potential penalties for regulatory and legal noncompliance. The Health & Human Services Office for Civil Rights can impose civil penalties up to a maximum of $1.5 million annually in cases involving failure to comply with privacy and security rules, and criminal violations can result in prison terms.

The key to warding off the pain of cyber security incidents is to make sure that all connected devices are incorporated into an organization’s network security protection plan. With printers, for example, administrators should consider the following:

  • Encryption of data and print jobs traversing the network and stored in local media
  • Secure erase of data to ensure sensitive information is not left unprotected
  • Disabling unused ports and protocols
  • Access controls to ensure only authorized personnel can configure devices
  • Real-time threat detection, automated monitoring, and built-in software validation
  • Advanced authentication to limit usage to authorized personnel

These preventive security tools are available in current products. But they need to be part of a comprehensive, consistently enforced network security strategy. The IT security team has to account for every possible point of vulnerability because the cyber-criminal only needs to find that one point left exposed.

To learn how to protect your organization from cyber risks, go to HP Print Security.


Copyright © 2017 IDG Communications, Inc.