[BreachExchange] Data breaches in the healthcare sector are fueling the dark web

Tue Jul 19 10:40:35 EDT 2016

http://securityaffairs.co/wordpress/49472/data-breach/data-breaches-healthcare-sector.html

In the past several years, security pundits have been predicting that the
healthcare sector was going to be the hotbed of cyber threat activity.
These predictions go back several years and seemingly each year, attention
to the healthcare sector has been minimal at best, but we may finally have
hit an inflection point in 2016.

The healthcare sector is a labyrinth of governance and compliance with risk
mitigations squarely focused on the privacy of patient data.  We in the
industry have accepted the norm that “security is not convenient” but for
those in the healthcare industry, inconvenience can have a catastrophic
impact on a hospital, including the loss of a patient’s life.  Besides
patient records, there’s a multitude of other services critical to patient
health and wellbeing wrapped by an intricate web of cutting-edge and legacy
technologies making it perhaps the most challenging environment to secure.
This may explain the rise in attacks against healthcare providers in the
last six months.

According to an article on fastcompany.com’s website, complete medical
records are selling for US$60 apiece on the dark web compared to stolen
credit card selling for about US$3 bucks a piece on the high end. According
to the article, one hacker claimed to have over a million full medical
records of individuals. Although the individual’s claims were not verified,
it should come as no surprise.  Sadly, it may be a more dire situation than
we know.

According to the Brookings Institute, since 2009, the medical information
of more than 155 million.  The report delves into a number of statistics
that really punctuate the problem showing the number of incidents sharply
increasing in late 2014 and continuing its ascent upward each year.  The
report also outlines other unique significant challenges citing the large
volumes of data being for long period of time much of it stored digitally.
This, coupled with the explosion of spending on technologies to handle
digital health records, many hospitals are doing what they can to keep
their heads above water deploying new technologies that have been mandated
upon them rather than a phased approach commensurate with staffing levels.

It’s not just core network services causing concern.  ICS-CERT recently
released an advisory identifying numerous vulnerabilities in Philips
Xper-IM Connect systems running Windows XP.   Xper-IM is an automated
software composition tool that provides physio- monitoring capabilities
along with reporting, scheduling, inventory, and data management.

According to the advisory, the breakdown of vulnerabilities by CVSA scores
are as follows:

360 vulnerabilities were identified as having a CVSS base score of
7.0-10.0, and
100 vulnerabilities were identified as having a CVSS base score of 4.0-6.9.

Though mitigating the vulnerability may be as simple as upgrading off of
Windows XP, the fact that XP is still out in the wild may be further
evidence that the healthcare industry is falling behind in protecting
itself from cyber criminals.

In January of this year, Melbourne’s largest hospital network was
significantly impacted when a computer virus affected the hospitals Windows
XP systems disrupting meal delivery and pathology results. Manual
workarounds such as fax machines were utilized as a contingency but the use
of those devices only compounds the issues of patient privacy.  It’s those
types of disruptions that really jeopardize the patient privacy and even
safety.  It’s hard to determine how many medical devices and critical
services in the healthcare industry are still running Windows XP in their
environments, but it is likely a number many would shudder to think about.

It is likely healthcare breaches will continue to grow upward.  Funding and
prioritization of initiatives are only the tip of the iceberg for
healthcare institutions looking to secure their networks.  Even on a solid
footing, the sector will be confronted with a shortage of talent to carry
out even the best-intended plans.  In the meantime, patients, often unaware
of the risk associated with their medical care, have to become better
informed about how to protect their health records and personal identity in
the event their information finds itself on the dark web up for sale to the
highest bidder.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160719/0e229283/attachment.html>