The SANS Institute has just released a report on security issues within the healthcare industry. The title says it all: “Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on the Horizon”. The report is summarized as follows:
“Virtually all software, applications, systems, and devices are now connected to the Internet. This is a reality that cybercriminals recognize and are actively exploiting. Some 94 percent of medical institutions said their organizations have been victims of a cyber attack, according to the Ponemon Institute. Now, with the push to digitize all health care records, the emergence of HealthCare.gov, and an outpouring of electronic protected health information (ePHI) being exchanged online, even more attack surfaces are being exposed in the health care field.”
Many of the organizations that were found to be already compromised did not even realize they had a problem. The conclusion was that “there are, in fact, millions of compromised health care organizations, applications, devices, and systems sending malicious packets from around the globe.” The report further concludes that “current security practices and strategies around endpoints in general, but especially those that are health care related, are not keeping pace with attack volumes…today, compliance does not equal security. Organizations may think they’re compliant, but this data shows that they are not secure.” And, to make matters even worse, the report continues that “it is not unthinkable that a database, such as the one connected to HealthCare.gov, will eventually be breached.”
It is important to note that most of the malicious traffic (33%) was passed through VPNs and connected devices. This meant that endpoints were infected and remained undetected. This lack of detection led many IT departments to the false conclusion that their systems were safe from attack. The report goes on to point out that mobile devices will always make a network easier to attack. It also cautions about the use of cloud applications, which “create additional attack surfaces attackers can exploit to gain access to protected patient medical and financial data.”
If anything, the future looks even bleaker. In its concluding paragraph, the report sums up the situation as follows:
“this data shows that no health care organization is immune. Reports of breaches against health care organizations, large and small, continue to rise—as do the regulatory fines they are facing for the exposure of protected patient data…The time to act is yesterday. Organizations must become aware of the many attack surfaces in their organizations and follow best practices for configuring these systems and monitoring them for abuse.”
In short, if your organization is not already compromised, it soon will be. The time to purchase the best available security is now. Waiting can only lead to inevitable financial disaster, as the healthcare company WellPoint Inc. found out when it had to come up with a sobering $142,689,666 to pay for damages relating to bad security.