Healthcare IT execs fear loss of life due to hacked medical devices or networks

Today, Veracode released “The State of Web and Mobile Application Security in Healthcare,” made possible after Veracode, along with the Healthcare Information and Management Systems Society (HIMSS), surveyed 200 healthcare IT executives. The exploitation of vulnerabilities in apps was the greatest concern among those healthcare IT execs.

Veracode reported, “Survey respondents cited the potential for loss of life due to compromised networks or medical devices, brand damage due to theft of patient information and regulatory enforcement as their top fears related to such security breaches.”

Those three fears of what could happen due to a cyberattack are followed by fears associated with: “Costs of responding to breach (forensics, cleanup, credit reporting, etc.); class-action lawsuits following a breach;” and “loss of revenue due to downtime following a breach (e.g., Sony).”

Unlike credit card information sold on the black market, “criminals can make so much more money through identity theft and by extorting personal health information,” said Chris Wysopal, the CTO and CISO at Veracode. “If you understand how the information can be used, then you quickly can understand how personal health information can be of a higher value than credit-card information to nation-state attackers. The value of medical information, ramp-up in nation-state activity and complex bottoms-up culture is creating a perfect storm of cyberthreats targeting healthcare in 2016 and 2017.”

The fear of cyberthugs exploiting vulnerabilities in web, mobile, and cloud-based apps is more worrying to healthcare organizations than user error like employee negligence, malicious insiders, and phishing attacks.

As Lee Kim, the director of privacy and security at HIMSS, pointed out, “With all applications, there is the worry of the vulnerability being in the application itself,” she said. “When the application was built, was it built with security in mind or was it an application that was designed quickly and security concerns were overlooked? Leaders need to ask – and get answers to these types of questions.”

Although some people might not fully grasp the problem, the report states:

Considering most applications are pieced together with open-sourced components and libraries, understanding the risks is essential. The Heartbleed vulnerability, for example, should serve as a wake-up call for the importance of understanding how an application is built. This 2014 vulnerability is still found in the commonly used open source cryptography library OpenSSL. Any server or web site using a vulnerable version of OpenSSL is at risk of having a variety of data exposed including private keys, usernames and passwords, session cookies and other sensitive data from users connecting to the service.

“The number of records stolen has grown from 2.7 million in 2012 to more than 94 million through the first half of 2015,” the report said. Veracode explained that “a single healthcare record brings nearly 10 times the value of a stolen credit-card number, combined with the competitive differentiation of intellectual property (drug or device development, billing processes, care procedures, etc.).” 

The report added, “Healthcare data is a lot more valuable than other types of data because it has all the components criminals need such as the patient’s mother’s maiden name, date of birth, billing information and diagnosis codes, among other sensitive data.” So “it’s no wonder healthcare providers are being attacked.”

One thing insecure applications have accomplished is to increase healthcare’s fear of liability. 57% of those surveyed are increasing spending on external security assessments; 56% are adding liability clauses into contracts with commercial-software vendors in their supply chain; 54% are implanting frameworks like the SANS Institute Security Controls.

Wysopal added:

There’s a perfect storm brewing for 2016 in healthcare and if things continue as-is, we’re likely to see an increased plundering of medical records leading to increases in insurance fraud, illegally purchased medical equipment and controlled substances, or something even worse. Remedying the problem starts with a good look at how healthcare-related software is built and making sure that security is a priority. In fact, our data from actual code-level analysis of billions of lines of code shows that 80% of healthcare applications contain easily avoidable cryptographic issues such as weak algorithms. Given the large amount of sensitive data collected by healthcare organizations, this is quite concerning.”

One of the biggest problems for healthcare organizations is a “bottoms-up culture” in which doctors hold the decision-making authority, causing serious vulnerability issues by making it extremely difficult for CISOs to implement consistent controls across departments. That has sparked changes in some organizations to make security a top priority.

65% of healthcare organizations are investing in security tech which enables governance policy enforcement; 51% are investing in training to teach department heads about cybersecurity; 44% are pushing the CEO to advocate for a central IT-security policy across all departments. The changes can be challenging since healthcare leaders are not upping security budgets.

To folks in healthcare IT who still can’t get the funds needed for better security, perhaps you can point out that healthcare data is a “treasure trove” for cybercriminals, according to Donald Good, deputy assistant director of the FBI’s cyber division. He told the HIMSS Connected Health Conference, “For a number of years, folks I think realized there was a threat out there, but it wasn’t as pervasive as it is today. It’s not a question of whether or not you’ve been compromised. You will be compromised at some point.”

You can download Veracode’s whitepaper, ‘The State of Web and Mobile Application Security in Healthcare,’ here.