In recent months, hospital cybersecurity and information security teams have been moving quickly to correct gaping holes in security to address an onslaught of attacks from cybercriminals and state sponsored attacks.
Understanding the vulnerabilities
Recently at THOTCON in Chicago, Scott Erven gave a talk on the ease of hacking hospital equipment. Wired magazine summarized his findings in It’s Insanely Easy to Hack Hospital Equipment. The following day at Security Bsides in Chicago, labs were set up to allow hackers and enthusiasts an opportunity to break into various hospital equipment. When I stuck my head into those labs, I was surprised and horrified to discover the simplicity of the exploits that could give root access to equipment ranging from x-ray machines to defibrillators.
Bleeding Edge IT and Untrained Operators
There are a number of reasons it is easy to bust into hospital systems. The first is that hospitals have a primary focus on saving lives. Much of the technology that is used is handled by practitioners, not IT personnel. The users of this sophisticated technology may be very skilled in healthcare but very few of them have extensive infosec training. This coupled with the high stress, high temp nature of healthcare encourages IT staff to configure the devices in the “easiest to use” mode. This type of configuration normally runs contrary to the “most secure” mode.”
Exasperating the problem, healthcare technology is always being improved making much of hospital network “in beta.” Security improvements normally come much later in development cycles (once adoption funds and warrants it.)
Insufficient IT Budgets
The mission of healthcare systems is to improve the health of its patients. When allocating budget, much focus is put to that end. This tends to leave IT departments understaffed to handle all the work necessary to run a network using dozens of different device types on hundreds of different code releases. This same limitation also prevents hospitals from upgrading old systems that are no longer supported for security releases. This particular issue has resurfaced as Microsoft has begun to discontinue support on Windows XP (see: Protecting Windows XP from Exploit.)
Enter the Attackers
The rich amount of information in hospitals and the subpar security practices have made them a prime targets for both organized crime and state sponsored attackers. In the 2013 Mandiant APT1 report, two known, targeted attacks against healthcare organizations were attributed to the Chinese People’s Liberation Army (PLA.) While the purpose of these state sponsored attacks were not publicly disclosed, the general modus operandi of this type of attacker has been to steal intellectual property. Hospitals participate in many fields of research making them a prime target for nation state sponsored attacks.
In the 2013 Identity Theft Resource Center Data Breach Stats Report, 43.8% of all reported ID theft related breaches were connected to the healthcare industry. The total number of (reported) stolen personal identifying information (PII) records exceeded 8 million last year in healthcare. These types of attacks are normally handled by organized crime. They seek to steal patient and employee data for profit.
Addressing the Issues
There is certainly no single “silver bullet” to addressing all of these issues. Business priorities need to be adjusted, investment in security and IT needs to be expanded. Detailed security architecture aligning with SANS Critical Security Controls or other security standards needs to be deployed.
Lancope’s StealthWatch solution provides coverage in hospitals in several key areas. I have written articles that address several of them.
The first is protecting against Insider Threats. In Dealing with Insider Threats, I address the nature of hospital employees betraying the trust of their employers and patients. StealthWatch provides round-the-clock monitoring of this type of threat. Watching how users access data can alert hospital security teams to behavior attached to an employee or contractor that has gone bad.
Window XP and other vulnerable devices
In the article, Protecting Windows XP from Exploit, the methods for monitoring vulnerable systems are discussed. Many of these principles apply to other devices in hospital networks that could be compromised by attack.
Watch the Data
Perhaps the most important part of protecting patient data and intellectual property is monitoring how it is accessed. In Monitoring Protected Data, the steps necessary to detect data theft from hospital “crown jewels” is discussed.
A common pitfall in IT is failure to validate. This applies to checking the effectiveness of enforcement mechanisms in blocking prohibited actions. The article When Enforcement Doesn’t… lays out how intelligent NetFlow processing can address unauthorized changes to configuration that leave systems vulnerable to compromise.
Healthcare organizations have become a prime target for exploit. Criminals are stealing millions of patient records a year. State sponsored operatives are also turning their focus on the research data being collected. The long standing and pervasive vulnerabilities in hospitals have made them easy to pick off. Intelligent network behavioral anomaly detection (NBAD) and forensic logging from StealthWatch can make it much more difficult for attackers to succeed.