[BreachExchange] Malware Most Common Smart Hospital Data Security Threat

Audrey McNeil audrey at riskbasedsecurity.com
Mon Dec 5 19:09:39 EST 2016


http://healthitsecurity.com/news/malware-most-common-smart-hospital-data-security-threat

Malware is the most common type of potential attack scenario for smart
hospitals that poses a data security threat, according to a recent study
from the European Union Agency for Network and Information Security (ENISA).

Smart hospitals have become more prevalent as Internet of Things (IoT)
components support core functions of a hospital, ENISA stated in its study.

Information security is a key issue for these organizations, and malicious
actions, human errors, system and third-party failures, and natural
phenomena should all be considered as a potential threat.

“The risks that result from these threats and corresponding vulnerabilities
are typically mitigated by a combination of organisational and technical
security measures taken by smart hospitals which comprise good practices,”
the report’s authors wrote. “With respect to organisational measures,
compliance with standards, staff training and awareness raising, a sound
security organisation, and the use of guidelines and good practices are
particularly relevant.”

ENISA investigated the current status of Smart Hospitals and related
information security issues, focusing on deployments in the EU for the
study.

Respondents included hospital representatives, industry representatives,
and policy makers.

Along with malware, those surveyed said that device tampering, social
engineering, denial of service attacks, and theft were also top attack
scenarios for smart hospitals.

Traditional hospitals may also be vulnerable to these types of attacks,
researchers noted. However, the consequences can be much more severe in
connected organizations.

“Protection becomes difficult because, with the high number of networked
devices, many potential points of attack are emerging,” the report states.
“The consequences become more severe because information systems and
devices are more intensely connected within hospitals and across
organisational boundaries.”

Respondents also rated threat categories according to their likelihood of
occurrence on a scale from 1 (low likelihood) to 5 (high likelihood). Human
errors were the most likely to occur, according to the survey, while
natural phenomena were given the lowest likelihood of taking place.

“With respect to human errors, user errors, non-compliance with policies
and procedures and loss of hardware, for instance, were perceived as posing
considerable risk to smart hospitals,” the researchers explained.

However, malicious actions, which include threats from malware, social
engineering, hacking, denial of service and device tampering, were
considered particularly critical for smart hospitals by a larger group of
respondents than human errors.

Specifically, 77 percent of respondents said that malicious actions were a
critical threat, while 70 percent said human errors were the top threat.
Just over half of those surveyed - 53 percent - listed system failures as a
critical threat.

ENISA recommended that hospitals establish effective enterprise governance
for cybersecurity, and also provide specific IT security requirements for
IoT components in the hospital. Conducting risk assessments and
vulnerability assessments was also recommended; both are already required
for US organizations under HIPAA regulations.

Industry representatives should perform the following measures to enhance
smart hospital data security:

- Incorporate security into existing quality assurance systems
- Involve third parties (healthcare organisations) in testing activities
- Consider applying medical device regulation to critical infrastructure components
- Support the adaptation of information security standards to healthcare

Several of these recommendations are also already being considered for
US-based healthcare organizations.

For example, the National Health Information Sharing and Analysis Center
(NH-ISAC), the Medical Device Innovation, Safety and Security Consortium
(MDISS), and the U.S. Food and Drug Administration (FDA) Center for Devices
and Radiological Health (CDRH) recently signed a memorandum of
understanding to help organizations identify, mitigate, and prevent medical
device cybersecurity threats.

The Information Sharing and Analysis Organization Standards Organization
(ISAO SO) also released several documents in October 2016 on cybersecurity
information sharing guidance, which focused on cybersecurity risks,
incidents, and best practices. In terms of healthcare cybersecurity
information sharing, one document discussed privacy and security aspects of
cybersecurity risk.

“At a minimum, privacy considerations should include the individual members
of an organization, the privacy of any individuals whose data may be
included in cyber threat indicators to the extent provided by law, and a
full range of other constituencies, customers, and individuals,” the
document stated. “To adequately protect privacy while accomplishing the
goals of an ISAO, it is important for the ISAO to provide guidance to
members, participants, and ISAO staff that will be helpful in striking a
balance between allowable sharing of cyber threat information and
protecting privacy.”