The healthcare vertical is at particular risk from ransomware. This is just one of the findings of the "2016 Healthcare Industry Cybersecurity Report," a just released survey from SecurityScorecard, a security rating and continuous risk monitoring platform.
The analysis reveals that cybersecurity vulnerabilities could be devastating, the study found, as an attack could potentially shut down an entire network. The study examined 700 healthcare organizations including medical treatment facilities, health insurance agencies and healthcare manufacturing companies.
Among the key findings in the "2016 Healthcare Industry Cybersecurity Report":
Million of patients could potentially be put at risk, especially as the healthcare vertical ranks 15th out of 18th as a target of social engineering attacks, the survey found.
"The low social engineering scores among a multitude of healthcare organizations show that security awareness and employee training are likely not sufficient," Alex Heid, chief research officer at SecurityScorecard, said in a statement. "Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing and other social engineering attacks."
For a hacker, he added, it only takes one piece of information – such as learning the email structure of an organization – to exploit an employee into divulging sensitive information or providing an access point into that organization's network.
Another risk detected in the study was that the spurt in the use of Internet of Things (IoT) devices – which includes wireless medical devices and tablets – while greatly aiding medical personnel in performing their duties, at the same time introduce a whole new danger as security implementations are often not adequate.
"As long as these IoT devices are manufactured with poor security standards, the vulnerability doesn't only lie within the devices themselves, but they also pose a risk to any hospital, treatment center, or individual using the device," Heid stated. "If a connected device is hacked into, the device can be forced to malfunction or it can be used as a pathway to reach an organization's primary network."
IoT devices, Heid told SCMagazine.com on Monday, have recently made headlines due to the common exploitable weaknesses that have been identified within hundreds of consumer devices, such as DVR devices and webcams. "The medical industry makes heavy use of IoT technologies, everything from IP cameras for physical security and surveillance, to the use of IoT enabled medical equipment that is intended to be used on live patients."
Many of these devices, he said, make use of legacy protocols – such as Telnet and/or FTP – for administrative management functions. "The use of these plaintext, legacy protocols are often chosen because they are lightweight and do not cause processing overhead for the IoT device."
Functionality, he said, has always been a focus in the development of IoT, especially when it comes to medical devices because the functions can be life critical.
Further, Heid said, the common thread in IoT attacks are oftentimes attempts to use default administrative credentials in order to access the device remotely, and once access is obtained attackers will oftentimes deploy post-exploitation malware to maintain persistent access to the compromised device. "When the target is a peripheral piece of hardware, such as a printer or webcam, the compromised device can become a pivot point into the internal network, whereby additional sensitive resources are accessible which would not be visible to the outside."
However, Heid warned, When the target is a medical device (either intentionally or unintentionally), and an attacker attempts to deploy additional software or execute arbitrary code, the attack may result in a device malfunction, a malfunction that may endanger a patient's life.
From a network attack perspective, it is critical for healthcare providers to ensure complete segregation of sensitive network assets, such as IoT enabled medical devices, from the public internet, Heid emphasized. Furthermore, he added, internal networks should segregate portions of the local intranet which are used for administrative tasks (billing, appointments) from portions of the network which are used for interconnected medical equipment.
"The findings within the SecurityScorecard 2016 Healthcare Report reveal that there are significant issues within the healthcare field as they relate to network infrastructure, web application security, existing malware infections, as well as end user awareness regarding the threats of social engineering," Heid told SC. "Specifically, we found a correlation whereby companies that ranked low for social engineering were also the companies that had the most active, detected malware infections."
"Aside from the risks of misconfigured networks, legacy web applications seem to be the norm within the healthcare field," Heid said. "Common web application attacks against outdated healthcare provider websites can yield information that can be used in both identity theft and insurance fraud, oftentimes without the difficulties associated with an attack against a financial institution."
The best solution for these risks is for healthcare providers to implement a continuous monitoring solution that examines the complete enterprise for exposed network services, vulnerable web applications, and other common exploitable conditions, Heid said.
One takeaway from the report, he said, is that is important to conduct regular information security awareness training programs for all enterprise employees who have access to internal network resources. The topics of social engineering methodologies and password reuse risks are topics that should always be at the forefront of these training scenarios, he stated.
"Information security technologies that attempt to thwart active attacks can only go so far, as a dedicated attacker with partial knowledge of an enterprise organizational structure can employ spear phishing methodologies to gain access to the internal network."
Spear phishing communications, he added, may come in the form of emails, social network messages, or even phone calls or SMS messages.
Furthermore, password reuse among inexperienced users is still commonplace, and the bad habit provides an easy entry point for attackers into enterprise resources, Heid pointed out. "Attackers can make use of email address, username, password combinations that have been made publicly available in the multiple 'megabreaches' released throughout the last couple of years to attempt to gain access to enterprise login portals in the hopes of finding an employee who re-used their password on a breached third-party website."