Study: Endpoint Vulnerabilities Common
Report Highlights Exploitation of Medical Devices, Other Tech
Many endpoints in the healthcare sector, including medical devices, are being hacked because of inadequate security, according to a new report from the SANS Institute, a security research and education organization.
The report was based on an examination of cyberthreat intelligence that the security firm Norse Corp. collected from September 2012 to October 2013.
Norse's cybersecurity surveillance identified endpoints at 375 healthcare organizations that apparently had been exploited. In addition to medical devices, these endpoints included conferencing systems, Web servers, printers, virtual private network applications and edge security technologies.
The healthcare organizations analyzed included healthcare providers, health plans, clearinghouses, pharmaceutical firms and business associates for HIPAA covered entities. The report does not identify the healthcare entities that experienced breaches.
Lack of Controls
The findings indicate that "the biggest cybersecurity threat facing healthcare organizations is lack of proper security controls," Jeff Harrell, a senior director at Norse, tells Information Security Media Group. "A shocking amount of the systems we found sending malicious traffic to Norse's threat intelligence infrastructure still had default admin credentials and open interfaces available from the Internet," he says. "Basic security policy and controls would prevent those systems from being put into production in that way."
The report makes several recommendations for healthcare organizations to improve their security, starting with enforcing best practices and controls. The report, as well as independent security experts, also recommends that organizations consider adopting two-factor authentication.
Norse's threat intelligence platform continuously collects and analyzes information on high-risk Internet traffic through sensors and honeypots deployed worldwide. "Any traffic that communicates with our infrastructure is by nature bad, since our infrastructure sits in the botnets," Harrell says. "Of the 375 organizations that were part of the report, 100 percent had systems that emitted malicious traffic, which usually means they are compromised."
The systems and devices sending out malicious traffic could be indicative of a variety of possible activities and threats, ranging from unauthorized access to sensitive information to brute-force attacks or distributed-denial-of-service attacks, the report notes.
Some of these compromised devices and applications, which were using manufacturers' default admin passwords, were exploited by hackers for many months before the organization addressed the vulnerability, according to the report.
"The real surprise was the duration of many [breach] events and the names of the [healthcare] entities involved," senior SANS analyst Barbara Filkins, author of the report, tells ISMG. "These are not small organizations, but large ones with the budget and resources to accomplish effective cybersecurity. This means that these types of threats aren't necessarily on the day-to-day security radar of these entities."
Additionally, even after being notified about security vulnerabilities, many of the affected healthcare organizations were slow to react to the news that their systems were sending out malicious packets, says Deb Radcliff, executive editor of the SANS Analyst Program.
"That means to me that the organizations lacked the resources they needed to even follow up on the problem, let alone close the vulnerabilities that likely led to the problem in the first place," she says.
The slow reaction could also mean that the operators of these networks felt restricted by governmental regulations about making certain changes to specific devices emitting the malicious traffic, she says. "This is a common problem today for all healthcare organizations," Radcliff says.
Common Weak Spots
Medical devices, VPN applications, and other access points are common weak spots for health data security, says David Kennedy, founder and principal at security consulting firm TrustedSec LLC, which was not involved in preparing the SANS report.
"Medical devices have been a hot topic for the hacking community lately and pose a significant risk," he says. "When it comes to VPN technologies, once credentials are compromised, it's easy for an attacker to gain access to behind the firewall and inside the network of hospitals."
One way to help prevent this unauthorized access is by using two-factor authentication, Kennedy says. "However, that isn't a complete solution to protecting the infrastructure."
Another problem for many healthcare organizations is a lack of infosecurity expertise and resources, Filkins says. "The biggest threat may not be 'cyber' in nature. Much of the threat, especially for smaller entities and individual providers, stems from a true lack of understanding and experience with how to effectively secure an information system containing electronic protected health information," she says.
As a result, many healthcare organizations are unaware when they're even being targeted by hackers and cybercriminals, Filkins adds.
Nursing Homes Vulnerable
A recent Wall Street Journal story highlighted the lack of security awareness that exists at some healthcare organizations, particularly nursing homes. The file sharing site 4shared.com was reportedly found to contain information from three New York area nursing homes, including details about the healthcare providers' computer networks, such as IP addresses for computers and other devices, and passwords to network firewalls. The information potentially can be used by hackers and cybercriminals looking for patient financial and medical data.
Cybercriminals are certainly looking to cash in on patient data, Filkins says. "Medical identities are much more lucrative than pure financial identities," she says. "And the long cycles, at least in the U.S., to validate payment for medical claims ... leaves the door wide open for fraud," she says.
Kennedy says nursing homes generally don't have large IT staffs and lack security expertise. "We see a common trend of nursing homes being attacked and mostly by international entities," he says, pointing to the surveillance work his firm has conducted in healthcare. In addition to targeting data, hackers are also looking to gain access to systems for use in botnet attacks, he notes.
"The healthcare sector is one of the worst when it comes to protecting personal information," Kennedy says. "We are at a time now where technology is only going to evolve faster and become more complex," he says. "With this comes a level of responsibility in understanding the technology and properly securing it against the bad guys."