Banner Health, one of the largest healthcare firms in the U.S., recently suffered a healthcare security incident. The firm announced that it was notifying approximately 3.7 million individuals about an incident in which hackers gained unauthorized access to computer systems that process payment card data at food and beverage outlets at certain Banner locations. According to the healthcare provider, the attackers may have also gained unauthorized access to patient and health plan member information, which includes names, birthdates, addresses, physicians' names, health insurance details and social security information, among others.
The Banner incident has once again brought the vulnerability of the healthcare sector into the limelight. However, the issue has been raised time and again. In fact, the year 2015 was declared "the year of the healthcare breach" by IBM. In the same year, Bloomberg Business declared that cyber attacks against the healthcare industry have increased two times in the last five years, costing $6 billion every year. According to the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data 2016 report released by the Ponemon Institute, 90% of healthcare organizations suffered data breaches. The report says the healthcare sector continues to remain the single most targeted sector by cyber criminals.
The factors which make the healthcare industry so attractive for cybercriminals are:
- Availability of Personal Information
- Poor Cybersecurity framework
Abundant Personal Information
When it comes to the healthcare sector, there is no dearth of personal information. The network of any healthcare firm, if breached, can provide personal information on millions of patients, which hackers can use to make a good sum of money. Medical profiles of patients can sell for as much as ten times more than credit card numbers. Hospitals nowadays keep a record of minute details of the patient. The patient information contains highly personal details such as social security number, emergency contact, home address, email address, health insurance, etc. Hackers can exploit these details to launch spear phishing and social engineering attacks. Above all, once your information is accessed by an unauthorized person, your right to privacy is violated and that privacy cannot be retrieved.
Poor Cybersecurity Framework
The majority of healthcare providers still use Wired Equivalent Privacy (WEP), the first generation of encryption protection. WEP is the predecessor of Wi-Fi Protected Access (WPA2). Similar encryption standards are followed by most manufactured medical devices. In 2013, the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team reported that 300 medical devices manufactured by 40 different companies may have vulnerabilities associated with password settings that allow privileged access to these devices, access which would under normal circumstances be used only by service technicians. Also, medical devices keep running on default passwords and obsolete software.
Such an outdated security framework for medical devices makes them most vulnerable to hacking. It's almost like an invitation to hackers, and they are not shying away. Hackers are performing "Medjacking" of medical devices. Medjacking involves hackers infecting medical devices and equipment with malware, followed by the creation of a backdoor vulnerability known as "Medjack". This vulnerability is then exploited by nefarious parties.
According to a report published by cybersecurity firm TrapX, at least 3 cases of Medjacking have been identified. In the first case, hackers were able to plant malware in surgical blood gas analyzers. Later they used this vulnerability as a backdoor to find passwords throughout the hospital's IT system, and to leak sensitive information out of the system and onto the Internet. In the second case, the hackers gained access to a hospital's picture archive and communications systems (PACS), which store images from CT scanners, MRI scanners, X-ray machines, and ultrasound equipment. They used this path to enter other parts of the hospital's network. The third case involved hackers creating a backdoor access point through a hospital's X-ray system.
The late Barnaby Jack was at the forefront of research into the vulnerability of medical devices. Before his death in 2013, he demonstrated how a certain model of implanted insulin pump could be lethally hacked to administer incorrect dosages from up to 300 feet away. In 2013, former Vice President of the US Dick Cheney got the Wi-Fi functionality of a medical implant in his heart disabled because it could potentially be hacked by terrorists. The threat is real, and the healthcare sector needs to gear up before the frequency, intensity and nature of attacks increase beyond what happened with Banner Health Care.
Click here to read the FDA's cybersecurity guidelines for medical device manufacturers.