News Stay informed about the latest enterprise technology news and product updates.

Study: Malicious attacks at hospitals risk patient data, health

A study conducted by Norse and SANS Institute says networks and devices at U.S. healthcare organizations are being compromised by malicious attacks.

Networks and devices operated by U.S. healthcare organizations are suffering from an onslaught of malicious attacks, leaving patient data -- as well as patients themselves -- at risk.

The new SANS Institute-Norse Corp. Health Care Cyberthreat Report found that Internet-connected devices -- from billing systems to dialysis machines -- are getting hammered by malicious attacks.

"When you witness a dialysis machine trying to purchase goods and services online using fraudulent credit card numbers, then you realize that in a lot of cases, it's a compromised device that can be used for an opportunistic attack," said Sam Glines, CEO of San Mateo, Calif.-based cybersecurity firm Norse.

"But it also clearly shows that there are folks trying to profit from exploiting and breaching data."

The report, which measured malicious traffic at healthcare organizations during a one-month period last fall, found almost 50,000 unique attacks across more than 700 devices, with some 375 organizations compromised. The compromised devices ranged from radiology imaging software and Web cameras to firewalls and mail servers.

Virtual private networks were the most compromised system, accounting for more than 30% of all compromised connected endpoints.

Hacked documents detailed one hospital's login, passwords

Illustrating the extent of the problem, Norse Chief Technology Officer Tommy Stiansen cited a network administrator-authored document posted on hacker website that contained password, user ID, firewall login and other systems configuration information from the person's employer, an East Coast hospital.

"When a security administrator sits down and writes down his passwords in a document like this, that's bad work," Stiansen said. "You don't put it on a PDF on a public-facing machine."

To make matters worse, the document revealed that the hospital used one password across multiple systems.

The American Hospital Association (AHA) said in a statement that it is actively involved in helping its member institutions bolster their cybersecurity. "As the national hospital association, the AHA's particular expertise in cybersecurity is raising awareness among our member hospitals of the importance of addressing cybersecurity issues, and we encourage member hospitals to adopt appropriate strategies for cyber-risk management and reduction," the group said.

As evidence, Chicago-based AHA cited its 2013 Most Wired report, which indicated that more than 90% of its members had met security objectives across 11 key considerations, such as automatic logoff and encryption of laptops and other workstations.

Attacks span breadth of healthcare industry in United States

Yet more needs to be done, Glines said. "We saw attacks emanating across video conferencing, security, VPNs, firewalls and radiological machines that were compromised and used by adversaries for attacks, and because they are compromised, this means the capacity for a breach is wide open. The breach of a healthcare record is the most valuable data on the gray or black market. Almost three times as much as a stolen credit card number, but unlike credit card fraud, this is something that," he said, the consumer will be directly responsible for addressing and resolving.

"Large institutions and even 10-person [office] providers are in a very bad place right now with respect to the state of their security," Glines said.

Patient health can also be at risk. It's possible for a hacked diagnostics machine to send erroneous data about a particular person's medical test, for example, or for an infected dialysis machine to operate incorrectly.

Overall, healthcare providers received 72% of malicious traffic, with other segments of the industry -- including health plans, pharmaceutical and healthcare business associates -- attracting most of the rest.

The study didn't offer solutions, nor did it detail the impact of the attacks it revealed.

"A lot of this could be avoided by just having a username or password policy" that uses difficult-to-decipher logins and passwords, Stiansen said. "There is also an awareness factor. Let's say you buy a camera. It will be shipped straight from Taiwan, and then you plug it into your network. The hackers note this, and they connect to and use that camera, and then they put a back door in, and this is where compliance regulations come in. There are not rules governing cameras or where you plug in your camera. These are very simple policies to follow, but they need to be there and they need to be enforced."

Norse, which offers persistent threat protection and other security services to enterprises, conducted the probe using its global network of 6 million sensors and next-generation honey pots, which were located in 38 data centers and 20 major Internet exchanges. Glines said Norse will conduct similar studies examining other industry verticals in the coming months.

Dig Deeper on Network Security Best Practices and Products

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Why are you concerned by the results of the SANS-Norse study about U.S. healthcare cybersecurity?
We are the largets North American provider od QA and testing and feel that security is the next logical step for us to focus our efforts in.
working in the healthcare sector in Australia, we lag behind the US so sooner or later this will impacts us here
What bothers me most about this is the recommendation for a username and password policy. Our organization has long-standing, well-defined and rigorously-enforced username and password policies. We have tigthly-managed redundant preventive and detective controls to safeguard the healthcare data we handle. But every day, I see lax controls throughout the industry, all of which create unconscionable risks to both the institutions and the consumers who depend on them.
In addition to my original comment, a username and password policy is one of the most BASIC preventive controls that any organization, in any industry, needs to have in place if it is at all serious about security. For a healthcare organization to not have an effectively designed, and effectively performing username and password policy in place is nonsensical.
It was only a matter of time before systems like this become a target.

Today I heard an example that sent chills.  Imagine if you had a security system with cameras, meant to 'secure your home', and the system itself is insecure and able to be eaves dropped on by a hacker.

That's a bit what this sort of thing feels like to me.
It may not get enough attention now. Once someone hacks in and changes a doctors orders for patient medication or certain test and there is a serious result, it will sit on the back burner with a false sense of security.