[BreachExchange] Rules of Cybersecurity Changing for Healthcare Sector

[Audrey McNeil]

http://www.databreachtoday.com/blogs/rules-cybersecurity-changing-for-healthcare-sector-p-2073

The cyberattacks that we've seen in the healthcare sector over the past
year are starting to rewrite the rules of the security game for
healthcare-related businesses in a way we really haven't seen before.

It was evident from speakers and attendees of a cybersecurity symposium I
attended during the Healthcare Information and Management Systems Society
2016 conference in Las Vegas on Feb. 29 that the string of recent attacks
on healthcare sector entities is waking up an industry that has largely
been asleep at the wheel when it comes to awareness of the evolving and
potentially dangerous cyber threats facing their organizations.

It was bad enough that attacks last year on several health plans, including
Anthem Inc.,Premera Blue Cross and Excellus BlueCross BlueShield, resulted
in breaches affecting nearly 100 million individuals. Eye popping indeed.

But it seems to me that many of the 200-plus attendees at the packed HIMSS
2016 Conference cybersecurity symposium are most rattled by recent
ransomware attacks on some small and mid-sized hospitals, including
Hollywood Presbyterian Medical Center, which in February acknowledged that
it paid extortionists $17,000 to unlock encrypted patient data.

That's because the health plans that were targeted in those mega-breaches
last year were major insurers holding enormous amounts of data. Even after
those breaches, many hospitals and healthcare providers were still in
denial that they too could ever fall onto the radar screens of
cyberattackers. But the ransomware case involving Hollywood Presbyterian
was too close to home - literally - for other healthcare providers that are
now suddenly fearing a similar fate.

One attendee, who asked to remain unidentified, told me that the attack on
Hollywood Presbyterian was the main reason she decided at the last minute
to attend the cybersecurity symposium. The Hollywood hospital is located
not too far from her own healthcare organization - and the thought of data
being locked up by cyberterrorists and unavailable to clinicians for
patient care decisions was particularly frightening.

Different Breed of Breaches

No longer are hospital CISOs - and those at other healthcare sector
entities, including cyber insurers - mostly worried about breaches
involving clinicians losing unencrypted laptops containing thousands of
patient's protected health information. Healthcare sector organizations are
clearly getting spooked by these other recent attacks they're hearing about.

"Cyberattacks like we've been seeing [on healthcare sector entities] are
entirely different from the privacy breaches we've seen in the past,"
attorney and cyber insurance expert Kimberly Holmes, vice president of
product development at OneBeacon Insurance Group, told attendees.

This new breed of massive breaches involving hackers attacking the
databases and network systems of healthcare sector organizations "will
dramatically change" how cyber insurers issue coverage, she predicts.
"There's a lack of actuary data [for these kinds of breaches in the
healthcare sector]; that's why these policies are so difficult," she said.

Dan McWhorter, vice president of threat intelligence at FireEye, and a
speaker at the cybersecurity symposium, painted a bleak picture of what the
healthcare sector is up against:

- Nation-state attacks: So far, larger institutions - health plans,
pharmaceutical firms, research centers - seem to be the target of hackers
in China, Russia and various countries in Eastern Europe. China at this
point does not seem too motivated to sell protected health information on
the Dark Web, but rather could be collecting data for intelligence-building
and potential espionage. Also, Chinese hackers could be behind attacks
involving theft of intellectual property from medical technology companies
in an attempt to play catch-up in healthcare, he says. "China is under
pressure to improve healthcare," McWhorter says of China's growing
population and increasing demands of better healthcare. But that's really
bad news for smaller U.S. medical technology startups. "Losing a little
information could be losing it all," he says.
- Ransomware attacks: These attacks, including those that are carried out
by bots and often target no one in particular, but leave everyone
vulnerable, will likely increase, he predicts. "These guys are
opportunists," he says. However, healthcare entities also need to be
particularly wary of more sophisticated ransomware attackers who destroy
backups of databases, then encrypt and lock up main databases, he warns.
- Attacks and breaches involving smart phones: These attacks, as well as
those against medical devices and the Internet of Things - are coming to
healthcare entities, too, he says. "New cell phones have all these new
features ... with no security," he says. And these new apps and devices are
being used without any kind of security scrutiny by patients, staff and
third parties of healthcare entities, he contends.

McWhorter's message to healthcare organizations is that it's a scary world,
and it's only getting scarier. And so healthcare CISOs and their teams need
to be ready "to fight the tough fight."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160301/1bfc9c24/attachment-0001.html>