Health Sector Security and the “Big Squishy Middle”
Call center operations have been shut down by telephone denial of service. An entire hospital system in the UK was shut down by ransomware – a problem that is only projected to escalate. And now medical devices have been shown to have been developed with the same (lack of) care as web-connected toys. At a time when national health care is the subject of debate (a term I’m using quite loosely here) and regulations are being viewed at the federal level as something to get rid of, I think we’re setting ourselves up for quite a landmine.
Healthcare Data Breach Costs Highest for 7th Straight Year
In the US, data breaches cost companies an average of $225 per compromised record. Furthermore, the total average organizational cost of data breach hit a new high at $7.35 million. Heavily regulated industries, including healthcare, experienced higher data breach costs. Following healthcare at $380 per capita, the industries with the highest costs were financial services ($336 per capita), services ($274), life science ($264), and industrial ($259). The mean per capita data breach costs were $225.
Cybersecurity for Healthcare a “Public Health Concern,” Task Force Says
A federal task force called healthcare cybersecurity a “public health concern” that needs “immediate and aggressive attention,” and said increased digital connectivity places a greater responsibility on healthcare organizations to secure their equipment and patient data. […] Threats to cybersecurity for healthcare facilities range from technical exploits such as ransomware to insider threats such as employee negligence. Both types of threats can potentially expose patient data and leave it susceptible to fraud and identity theft.
HHS: Microsoft Vulnerabilities Impact Healthcare Cybersecurity
HCCIC explained in its report that the vulnerabilities relate to the same type that allowed the WannaCry ransomware strain to spread. DHS specified that “Hidden Cobra” will likely target “the media, aerospace, financial, and critical infrastructure sectors in the United States and globally.” Because of that, it is possible that US healthcare and public health sector systems and devices are also targets.
Healthcare Cybersecurity Measures Must Evolve for Success
There are two key areas that directly apply to healthcare from the ISACA report, Clyde explained. First, the Internet of Things (IoT) overtook mobile as the industry’s primary focus. “This is right in healthcare’s wheelhouse,” he stated. “It goes without saying that healthcare with its medical devices is one of the top industries that has adopted the Internet of Things to better people’s lives. But as this report indicates, the industry is concerned.”
Nuclear Plants, Hospitals at Risk of Hacked Radiation Monitoring Devices
The vulnerabilities are not your standard buffer overflows or other known classes of bugs, he says. “This research covers several design-level vulnerabilities,” says Santamarta. “The vulnerabilities are related to the design of these devices and their radio protocols.” And the catch: there’s no fix or patch that can remedy them, he says. “There’s no solution for these issues,” Santamarta says. “You can’t patch them because it’s the way they are designed.”
Key Ransomware Prevention Measures in Recent Executive Order
The blog post also stressed that entities need to prepare for the worst-case scenario. There must be a plan for when disaster actually strikes, and preparation should be made in case of a long-term outage. Again noting the WannaCry attack, Weber and Kapelke said that UK hospitals “were forced to scramble when their data systems were frozen.” “Such a plan should take into account the possibility that electric grids, security systems, and anything else that depends on computing power and the internet may be shut down at least temporarily,” the duo advised.
Stay up to date on the Healthcare Information Security news that you need to know by signing up for our Healthcare Briefing at: https://criticalinformatics.com/healthcare/
Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.