Status of healthcare security: 'Alarming'

The networks and Internet-connected devices of healthcare organizations--from hospitals to insurance carriers to pharmaceutical companies--are being compromised at an "alarming" frequency, according to analysis of malicious traffic by The SANS Institute.

Using data gathered by a live threat intelligence platform between September 2012 and October 2013, it found 49,917 malicious events, 723 malicious source IP addresses and 375 compromised U.S.-based health-related organizations.

"[The results] not only confirmed how vulnerable the [healthcare] industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen," states the report, which bills itself as a warning to the industry and offers guidance on reducing the risks.

The analysis revealed that multiple connected device types, applications and systems can be compromised, including radiology imaging software, videoconferencing systems, digital video systems, call contact software, security systems and edge devices such as VPNs, firewalls and routers, according to an announcement.

Some of these devices and applications were openly exploitable, such as through default admin passwords, for many months before the breach was discovered and in some cases, the organization did not find the breach at all during the study period.

Among the causes for alarm, from the report:

  • The sheer volume of IPs detected in this targeted sample can be extrapolated to assume that there are millions of compromised health care organizations, applications, devices and systems.
  • Current security practices and strategies around endpoints are not keeping pace with attack volumes.
  • The data show that organizations may be in compliance with HIPAA and other regulations and still not be secure.

The Utah Department of Health learned the nightmare that can ensue from use of a default admin password after a breach affecting nearly 800,000 Medicaid patients.

Meanwhile, most health IT executives in a recent survey said their organizations are not fully prepared to deal with a data breach.

To learn more:
- find the report (.pdf)
- here's the announcement