Healthcare Cybersecurity Weekly Briefing 10-27-2017

Critical Informatics Healthcare Cyber Security

Critical Informatics Healthcare Cyber Security

Heart-stopping Cybersecurity Threats — Literally
As our physical and virtual worlds continue to meld, bad actors are not only attempting to steal sensitive information but also manipulate life-sustaining internet-connected medical devices, such as internal defibrillators, pacemakers and automated insulin pumps. The interoperability of these devices is critical in helping doctors monitor patients and detect problems with implanted devices. However, the ability for these technologies to adapt through internet connectivity — their greatest strength — is also their greatest vulnerability.

 

Health Care 20/20: Atlanta’s Health Care Leaders Reveal What Keeps Them Up at Night
No matter how much a health system expands and invests in technology, “if you don’t have the right people, you can fail in your mission,” Mullins said. “And this is a very competitive landscape when it comes to having the best nurses or the best doctors. I think that competition is good. I think it’s made all of our systems better for it.”

 

Why Healthcare Mergers, Acquisitions Can Uncover New Cybersecurity Risks
“Healthcare provider organizations need to be aware that they are uniquely susceptible to cybersecurity risks in conjunction with a transaction because of the nature of the data they handle,” said Marc Leone, a producer at Graham Company, one of the Mid-Atlantic’s largest insurance brokers, and a mergers and acquisitions risk expert.

 

Healthcare Cyber: House Inquiry Targets Medical Software 
The committee also hinted that it was undertaking a broader inquiry into the cybersecurity practices in the healthcare industry. […] Representative Greg Walden (R-Oregon), chairman of the Energy and Commerce Committee, told Nuance CEO Paul Ricci, in a letter dated October 19, 2017, that his committee wanted to “better understand the circumstances surrounding Nuance’s initial infection by NotPetya, as well as what steps it has taken in order to recover and resume full capabilities.”

 

Cyberterrorists Targeting Healthcare Systems, Critical Infrastructure
Critically, cyberterrorist attacks are not the same as hacking or compromising consumer data, as what happened in the recent Equifax data breach. They instead aim to cause global panic or mass loss of life by hacking into critical infrastructure like power networks, trading platforms and healthcare systems. […] But Mr Dembosky said while terror organisations like Islamic State are unlikely to abandon attacks on civilians by traditional means, they will inevitably expand their arsenal into cyberspace.

 

Feds Warn of DDoS Attack Vulnerability for Connected Medical Devices
“Deficient security capabilities, difficulties in patching vulnerabilities and a lack of consumer security awareness provide cyber actors with opportunities to exploit these devices,” the alert said. The concern is the these poorly secured or completely unsecured devices will give hackers easy access to private networks — and in turn gain access to other devices or data that lives on the network.

 

NC Health System’s Network Disrupted by New WannaCry Strain 
FirstHealth of the Carolinas blamed a new strain of the WannaCry virus for system disruptions that began Oct. 17 and continued throughout last week. On identifying the threat, FirstHealth shut down its network and did a security check of more than 4,000 devices and more than 100 locations connected to the network.

 

Hospital Loses $10m to Cyberattack, but Broker’s Recommendation Saves the Day
The hospital has estimated costs relating to the cyberattack have already reached almost $10 million. The broker’s recommendation was timely and necessary. “Hospitals are targets, and if they are hit they’re going to get hit hard,” said Reggie Dejean, specialty insurance director at Lawley, an independent agency in Buffalo, New York. “These aren’t fender-bender [type claims], these are head-ons when you have large clients like this.

 

Health Care Focus: Information Exchanges Getting Mixed Reviews
When the exchanges were created, their goal was to allow “information to follow a patient where and when it is needed, across organizational, vendor and geographic boundaries,” notes the Office of the National Coordinator for Health Information Technology, or ONC, a federal agency that supports states with grants, awards and guidelines. However, Paul Kempen, an anesthesiologist at the Weirton Medical Center in West Virginia, doesn’t see it happening that way. One of his big complaints is that various state systems don’t “talk to each other.”

 

PHI Security Could Be at Risk in Boston Scientific Medical Device
“The affected device uses a hard-coded cryptographic key to encrypt PHI prior to having it transferred to removable media,” the advisory warned. “The affected device does not encrypt PHI at rest.” The vulnerabilities do require physical access, ICS-CERT added, and there are currently no known exploits of the vulnerabilities. An attacker with a low skill set could also potentially exploit the found vulnerabilities.

 

Stay up to date on the Healthcare Information Security news that you need to know by signing up for our Healthcare Briefing Here.

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.