[BreachExchange] How to Cure the Healthcare System's 'Cyberflu'

Wed Apr 4 22:23:12 EDT 2018

https://www.infosecurity-magazine.com/blogs/healthcare-systems-cyber-flu/

Expensive, top-heavy, bureaucratic – the healthcare system is all
that, but we're all grateful to be living in an era when medicine has
advanced to the point that it keeps us alive, on average, until we're
well into our 80s.

But, to those criticisms of the healthcare system, add another; a
marked lack of security on servers in doctors' offices, hospitals and
clinics, as busy medical staff ignore strictures on logins and
passwords, leaving accounts open and email in plain sight. This gives
hackers the opportunity to wreak havoc – by installing malware or
ransomware on networks, often using fileless malware attacks, which
are largely immune to standard security systems, call it a case of
‘cyberflu.’

Why would hospitals – or doctors' offices, HMOs, insurance company,
and medical clinics – be more vulnerable to hack attacks than, say,
banks? According to experts, the simple reason is that the medical
profession is focused on treating patients and protecting lives, and
puts the lion's share of its efforts into that.

Banks are in business to protect money, and they take the necessary
steps to protect that. The upshot is that cybersecurity is very much
on the minds of people in the bank business – but not necessarily
those in the medical profession.

Numerous studies show that “cybersecurity appears worryingly low and
many hospitals are wide open to attack,” as one study puts it. Why?
Because they need to constantly access patient records and communicate
with other departments, medical staff tend to ignore logging out after
they log into a network.

Besides doctors, other staff – nurses, social workers, LPNs, financial
officers, insurance workers – may access patient records, sometimes
several times a day if the patient's health situation is fluid.

All those staff will have the credentials to enter the system and
access records – and the more access to those credentials, the more
likely they are to leak, or to get stolen. Personnel often access a
hospital network from their own devices – laptops, tablets, or even
smartphones – again, because they are focused on saving lives, not on
security.

That's all the windows a hacker needs; they can send an email from a
hacked account, with a file that has a likely-looking title (“Update
on Patient X,” or the like) that could have malware embedded in it.
Studies show that as many as 95% of those security breaches are due to
phishing, socially-engineered attacks that convince users to open a
document or click on a link, with many of those attacks in the guise
of macros or Javascripts attached to documents that sandboxes,
anti-virus programs, and other popular systems are unable to detect.

Is an anti-virus program installed on the target's machine? No
problem; hackers can use tried and true tactics such as embedding
malware in a macro in a Word document, for example. That kind of
attack is undetectable by antivirus programs.

That these attacks work is proven by the numbers: In the first half of
2017, the healthcare industry was the second biggest target for
hackers (behind the finance industry), but it was the industry that
experienced the biggest increase in attacks.

Overall, over 30% of breaches reported in 2017 were in healthcare,
compared to 22.6% in 2016. And in 2018, industry experts expect 35% of
all malware attacks to utilize fileless malware tactics.

With the medical industry clearly at a cybersecurity disadvantage,
those responsible for security in the industry need to think outside
the box when developing security strategies. To expect medical
personnel to suddenly change their ways and hew to strict
cybersecurity guidelines is pretty unrealistic; the best strategy
would be for security watch dogs to prevent malware from getting to
personnel in the first place.

To do that, they need an intelligent security system that can detect
attachments that may contain fileless malware – systems that can
analyze macros and remove offending malware before passing files onto
users. Anything less will practically guarantee that the medical
profession – and the health of those it serves – will remain at risk.