Healthcare Cybersecurity Weekly Briefing 9-15-2017

Critical Informatics Healthcare Cyber Security

Critical Informatics Healthcare Cyber Security

How and Why Hackers are Targeting Our Hospitals

Hackers are targeting the healthcare industry for two reasons. Firstly, it is lucrative, and secondly, it is vulnerable. ‘The healthcare industry’, says Alex Margovsky, Healthcare Security Consultant at Alpharidge, ‘is much easier to get into than a bank. And the value of that information is also the highest.’ In 2012, U.S. healthcare spending reached a landmark $3 trillion and has continued to swell. Thanks to aging populations and the development of emerging markets, Deloitte predicts that the amount spent on global health care will reach $8.7 trillion by 2020, equating to 10.5% as a percentage of GDP. This has made the healthcare industry a prime target for hackers, as should you be able to hold a healthcare provider for ransom, you can be sure they have money.


Using Threat Intelligence to Improve Healthcare Cybersecurity
Difficulty in the integration of a threat intelligence platform with other security technologies and tools was cited by 64 percent of those surveyed, while just over half – 52 percent – said a lack of alignment between analyst activities and operational security events was the top issue. A lack of staff expertise, a lack of ownership, and a lack of suitable technologies were also listed as top reasons for threat intelligence ineffectiveness.


Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication

To address these cybersecurity vulnerabilities and improve patient safety, St. Jude Medical has developed and validated this firmware update as a corrective action (recall) for all of their RF-enabled pacemaker devices, including cardiac resynchronization pacemakers. […] After installing this update, any device attempting to communicate with the implanted pacemaker must provide authorization to do so. The Merlin Programmer and Merlin@home Transmitter will provide such authorization.


DHS Warns of 8 Cybersecurity Vulnerabilities in Smiths Medical Wireless Infusion Pumps

The vulnerabilities, identified by cybersecurity researcher Scott Gayou, range in severity from low severity to critical on the Common Vulnerability Scoring System (CVSS V3), and according to ICS-CERT, could be exploited remotely by a skilled hacker. “Successful exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access and impact the intended operation of the pump. Despite the segmented design, it may be possible for an attacker to compromise the communications module and the therapeutic module of the pump,” ICS-CERT says.


Healthcare Must Move from Risk to Resilience, Tom Ridge Says

With that expanding cyberthreat landscape, Ridge recommended that hospitals and healthcare organizations shift their thinking from risk management to resiliency. That means being able to survive an attack and sustain operations and then move forward from there. “We know that risks are sometimes surprise events but resilience should be a goal, an objective,” Ridge said. “It’s a 24/7 responsibility, every day, just like homeland security. It’s a continuous cycle of threats.”


Why Guidance is Critical for Strengthening Healthcare Cybersecurity

[HITRUST] can be a critical framework for healthcare organizations, especially as it incorporates numerous other frameworks (i.e. ISO, SANS, HIPAA). While it is not required to be HITRUST certified, Rathburn noted that it could be beneficial in helping entities find options best suited to their data security needs. Healthcare organizations must determine reasonable and appropriate security measures for their own needs and characteristics, according to HHS.


5 Common HIPAA Compliance Pitfalls for Healthcare Orgs to Avoid

HIPAA was established before these cyber threats became such an issue, which can cause some challenges with trying to keep up, said Matt Fisher, partner with Mirick O’Connell, in opening the HIPAA compliance session at the Healthcare Security Forum on Monday. “The best thing an organization can do is try to stay ahead of the issues,” Fisher said. “As soon as you identify issues that could turn into problems, you have to seek help. And don’t try to do it alone.”


Equifax Breach Exposes Healthcare Vendor Vulnerabilities

Data sharing with third parties is seen as one of the biggest vulnerabilities among healthcare providers and insurers with 63% of respondents mentioning it as a key vulnerability, even more than those concerned about Internet-enabled devices leading to a breach, the survey showed. KPMG surveyed 100 C-Suite security executives at healthcare companies and another 100 at life sciences companies.


Ransomware and Electronic Records Access, Healthcare’s Biggest Threats
“The longer term and newer threat with ransomware is medical devices,” he said. “Already hackable, but no real economic model yet for adversaries to focus on. That can change quickly. For example, they can simply extend the ransomware model by denying medical device use until a ransom is paid. The complexity of the medical device supply chain, however, poses even more exotic ransom possibilities.”


Stay up to date on the Healthcare Information Security news that you need to know by signing up for our Healthcare Briefing Here.


Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.