Modern threats putting healthcare organization at risk, how they’re improving their security posture, and where many fall short.
At a time when organizations across all industries fear data breaches and cyberattacks, those in healthcare have greater reason to be on edge. Troves of sensitive health data, a wealth of connected medical devices, and poor risk management practices make healthcare a hot target.
Between 2009 and 2018, there have been 2,546 healthcare data breaches involving more than 500 records, HIPAA Journal reports. These incidents have led to the exposure of 189,945,874 healthcare records. While 2015 has been the worst year on record, with some 113.3 million records exposed, there has been a general upward trend in the amount of compromised data.
For cybercriminals, health data is far more valuable than other types of information they sell for profit. A protected health information (PHI) record, for example, is worth 100 times as much as a credit card number on the Dark Web, Bugcrowd states in its recently published “State of Healthcare Security 2019” report. More than half of healthcare organizations lack strong confidence in medical device security.
Organizations that handle PHI must have physical, network, and operational security measures to ensure HIPAA compliance. Checking the boxes isn’t easy: Despite standards like ISO/IEC 800001 and the NIST Cybersecurity Framework pushing to change healthcare tech, the industry’s increasing digitization is putting sensitive data at risk.
“The big issue is the widespread use of medical devices and IoT devices connected through the Internet,” says Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, which published “The Economic Impact of Third-Party Risk Management in Healthcare” on behalf of Censinet. Large healthcare organizations like the Cleveland Clinic are taking this seriously and investing more resources into securing their devices; however, smaller institutions typically can’t afford to do the same.
Cloud adoption is another barrier in healthcare. “For a long time, healthcare organizations have been laggards in terms of deployment to the cloud,” Ponemon explains, as many feared data would fall into the wrong hands. While more have realized the cloud can strengthen security, bringing applications to the cloud requires a formal process to reduce the risk of migration.
“Most organizations don’t have the resources or internal knowledge to do that very well,” he adds. “It’s creating a lot of internal risk during these transitions.” Researchers found 72% of 554 healthcare IT and security pros say increasing reliance on third-party connected medical devices is risky, and 68% say moving to the cloud while connecting these devices creates significant risk.
Risk management was the crux of the Ponemon Institute’s research, which specifically digs into how partnerships with third-party organizations are a growing threat to healthcare data. Third-party vendor incidents cost the industry $23.7 billion annually, they report.
Partnerships Come at a Price
Each data breach costs healthcare providers $2.9 million, Ponemon researchers found, which is far less than the $3.8 million in hidden costs related to managing vendor risk. In the last two years, 56% of healthcare firms have suffered a breach introduced by one or more vendors.
A recent example was reported this week: The Nemadji Research Corp., which contracts with the L.A. County Department of Health Services, was hit with a phishing attack that allowed external actors to access medical information belonging to 14,591 patients. Data included names, addresses, birth dates, medical record numbers, and Medi-Cal identification numbers.
“A constant finding was that most organizations have a really hard time managing vendors or just in general, third-party relationships,” says Ponemon. Eighty percent say prioritizing vendor risk is very important, but only 36% say it’s very effective. More than half (52%) allocate an average of 17% of their budget to vendor risk management. The average organization has 3.21 full-time staffers spending 500+ hours each month on vendor risk assessment, they report.
All respondents in the survey had a vendor risk assessment program in place; however, these had security gaps. Researchers found vendor risk management controls and practices are only partially deployed or not deployed at all. When assessments are conducted, 60% don’t find the information valuable and many don’t act on it: only one-third of respondents would mitigate security gaps, and 28% would terminate a relationship with a vendor that didn’t meet standards.
“The whole idea of an assessment is to recognize the negative and positive things vendors are doing, and doing [this] in a way that helps change the organization’s process when they identify a practice that is unacceptable or doesn’t meet the control standard,” Ponemon says.
Catching and Squashing Healthcare Bugs
Nearly all medical devices are, in some way, connected to the Internet, the Bugcrowd report says. It’s one of many factors healthcare cybersecurity teams are worried about, along with a rise in mobile digital health applications and electronic patient records moving to the cloud.
From 2017 to 2018, researchers saw 340.6% growth in vulnerability submissions for healthcare organizations. Bugcrowd chief security officer David Baker partly attributes this to rapid adoption of crowdsourced security. “The speed at which healthcare is adopting crowdsourced security [is] much faster than I’ve seen them adopt other security solutions,” he says. While medical devices aren’t yet included in bug bounty programs, websites, and mobile apps are.
Most organizations are concerned about the loss of PHI, and the loss of personally identifiable information (PII) that correlates with the PHI, Baker says. More health companies are connecting APIs into health applications, which collect patient data to send to physicians. The loss of PHI is “pretty catastrophic,” he adds, citing the penalties and fines associated with it.
Nearly 75% of healthcare program submissions involve website targets, Baker says, a large majority compared with IoT (4.8%), Android (3.6%), and API (3%). About 42% fell in the P3-level criticality, 12.2% were classified P1 (highest severity), and 11.3% classified P5 (lowest severity).
P3 vulnerabilities are considered to be medium severity, he explains. They don’t necessarily relate to PHI or PII disclosure, but they relate to details of the app itself. These bugs might involve cross-site scripting or request forgery; they’re often found in Web-facing technologies. When multiple P3s are chained together, it can lead to potentially severe consequences.
While the trend of crowdsourced security indicates healthcare organizations have security, Baker says they also need to strengthen their ability to address the vulnerabilities they find.
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio