Networks and devices operated by U.S. healthcare organizations are suffering from an onslaught of malicious attacks, leaving patient data -- as well as patients themselves -- at risk.
The new SANS Institute-Norse Corp. Health Care Cyberthreat Report
"When you witness a dialysis machine trying to purchase goods and services online using fraudulent credit card numbers, then you realize that in a lot of cases, it's a compromised device that can be used for an opportunistic attack," said Sam Glines, CEO of San Mateo, Calif.-based cybersecurity firm Norse.
"But it also clearly shows that there are folks trying to profit from exploiting and breaching data."
The report, which measured malicious traffic at healthcare organizations during a one-month period last fall, found almost 50,000 unique attacks across more than 700 devices, with some 375 organizations compromised. The compromised devices ranged from radiology imaging software and Web cameras to firewalls and mail servers.
Virtual private networks were the most compromised system, accounting for more than 30% of all compromised connected endpoints.
Hacked documents detailed one hospital's login, passwords
Illustrating the extent of the problem, Norse Chief Technology Officer Tommy Stiansen cited a network administrator-authored document posted on hacker website 4shared.com that contained password, user ID, firewall login and other systems configuration information from the person's employer, an East Coast hospital.
"When a security administrator sits down and writes down his passwords in a document like this, that's bad work," Stiansen said. "You don't put it on a PDF on a public-facing machine."
To make matters worse, the document revealed that the hospital used one password across multiple systems.
The American Hospital Association (AHA) said in a statement that it is actively involved in helping its member institutions bolster their cybersecurity. "As the national hospital association, the AHA's particular expertise in cybersecurity is raising awareness among our member hospitals of the importance of addressing cybersecurity issues, and we encourage member hospitals to adopt appropriate strategies for cyber-risk management and reduction," the group said.
As evidence, Chicago-based AHA cited its 2013 Most Wired report, which indicated that more than 90% of its members had met security objectives across 11 key considerations, such as automatic logoff and encryption of laptops and other workstations.
Attacks span breadth of healthcare industry in United States
Yet more needs to be done, Glines said. "We saw attacks emanating across video conferencing, security, VPNs, firewalls and radiological machines that were compromised and used by adversaries for attacks, and because they are compromised, this means the capacity for a breach is wide open. The breach of a healthcare record is the most valuable data on the gray or black market. Almost three times as much as a stolen credit card number, but unlike credit card fraud, this is something that," he said, "the consumer will be directly responsible for addressing and resolving."
"Large institutions and even 10-person [office] providers are in a very bad place right now with respect to the state of their security," Glines said.
Patient health can also be at risk. It's possible for a hacked diagnostics machine to send erroneous data about a particular person's medical test, for example, or for an infected dialysis machine to operate incorrectly.
Overall, healthcare providers received 72% of malicious traffic, with other segments of the industry -- including health plans, pharmaceutical and healthcare business associates -- attracting most of the rest.
The study didn't offer solutions, nor did it detail the impact of the attacks it revealed.
"A lot of this could be avoided by just having a username or password policy" that uses difficult-to-decipher logins and passwords, Stiansen said. "There is also an awareness factor. Let's say you buy a camera. It will be shipped straight from Taiwan, and then you plug it into your network. The hackers note this, and they connect to and use that camera, and then they put a back door in, and this is where compliance regulations come in. There are not rules governing cameras or where you plug in your camera. These are very simple policies to follow, but they need to be there and they need to be enforced."
Norse, which offers persistent threat protection and other security services to enterprises, conducted the probe using its global network of 6 million sensors and next-generation honey pots, which were located in 38 data centers and 20 major Internet exchanges. Glines said Norse will conduct similar studies examining other industry verticals in the coming months.