Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Regulations, Insider Threat Handicap Healthcare IT Security

Healthcare IoT is expanding opportunities for hackers as the sector struggles to keep up security-wise.

Securing healthcare IT and IoT systems entails balancing legacy technology, regulation, and organizational challenges, and two recent reports show that the industry is falling short in its security efforts.

These issues include the architecture of hospital networks and their use: namely, a lack of segmentation is part of the legacy IT infrastructure that is the source of many vulnerabilities within healthcare.

"Data is moving in and out of hospitals very freely and they're very unsegmeneted," says Chris Morales, head of security analytics at Vectra and principal author of the 2019 Spotlight Report on Healthcare. "We have customers who are still using Windows 95. That's insane ... And we've been told that, since they're saving lives 24/7, they never patch. They're afraid of rebooting the system or messing it up."

Beyond the legacy systems healthcare organizations are unwilling to patch, there are many medical IoT edge devices, from diagnostic tools to systems that administer medicines, that IT staff are forbidden by regulation to patch, update, or modify -- even with tasks considered essential such as installing a security or monitoring agent on the device.

"The first thing is that they [IT security] can't do endpoint security," explains Morales. "The regulations are such that they can't modify a device by installing an agent."

Endpoint agents, meanwhile, can help with basic tasks for security, says Morales. "You need visibility inside the network to see, not what attackers are doing, but just what's happening."

And the unsegmented nature of many healthcare networks means that those unprotected devices are on the same networks as medical records and sensitive patient information.

Compliance

CynergisTek's recently released 2019 Annual Report, meanwhile, studied progress made by organizations regulated by NIST CSF (The NIST Cybersecurity Framework) and HIPAA rules. The study found that, while progress has been made year-over-year, the average healthcare organization has met less than half of the compliance requirements of NIST CSF.  

Given that healthcare saw roughly 14 million patient records exposed in attacks last year, "It remains clear that as an industry we continue to lag in our ability to address cyber threats or incidents when they occur," the report said.

Healthcare organizations specifically are only 47% compliant with the NIST CSF, out of 100% possible compliance, the report found. The report found that there are differences in the degree of average compliance based on the size of the organization, with larger organizations (measured by number of beds, revenue, or staff size) complying more completely than smaller organizations.

For example, organizations with less than $50 million annual revenue complied with only 27% of NIST CSF in 2018, while organizations with more than $2 billion in annual revenue complied with 76% of the framework.

Even in those organizations with stronger compliance, that doesn't mean they are necessarily secure, either, CynergisTek CEO and president Mac McMillan wrote in the report.

In particular, detection capabilities lag behind other core functional areas of NIST CSF. It's possible that's because many detection systems look in the wrong direction, focusing on finding external attackers when the greatest threats to healthcare systems come from the institutions own employees, contractors, and suppliers. "Insiders continue to be at the center of many of the breaches we see in healthcare, from curious workers to malicious criminals," McMillan wrote.

Vectra's Morales says that's one of healthcare's unique set of challenges. "Healthcare is the one industry that doesn't have to worry about the attacker on the outside as much as the attacker on the inside," he says. "They have a much bigger problem with human error than with outside attacker."

The combination of challenges faced by healthcare, and the difficulties in remediating them, means that healthcare organizations are spending significant money on efforts to become more secure. According to a report by Allied Market Research, the global healthcare cyber security market generated $5.21 billion in 2017, and is expected to reach $12.46 billion by 2023, growing at a CAGR of 15.6% from 2017 to 2023.

Fortunately for healthcare organizations, dramatic attacks such as ransomware have decreased in frequency in the last 18 months, according to Morales. That's largely because hospitals and healthcare organizations refused to pay ransom.

He says he's more worried about privacy, however, than disruption in healthcare. "Hospitals are really good at saving lives. The question is, if I go to the hospital, will everyone know about it?" he asks.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17223
PUBLISHED: 2019-10-15
There is HTML Injection in the Note field in Dolibarr ERP/CRM 10.0.2 via user/note.php.
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...