Many healthcare information assets have been compromised, and no organization is immune, according to a report issued by Internet security firm SANS Institute and sponsored by security firm Norse. Radiology software was among the most prominent healthcare sources of malicious Internet traffic.
Between September 2012 and October 2013, "radiology imaging software" contributed 7% of malicious traffic specific to healthcare that was recorded by the Norse threat intelligence infrastructure, a global network that analyzes more than 100 terabytes daily. Over the study period, Norse monitored 49,917 unique malicious events, 723 unique malicious source IP addresses, and 375 U.S.-based compromised healthcare-related organizations.
Report author Barbara Filkins wrote that these security threats will only increase with new forms of healthcare taking hold and more open exchange of healthcare information between patients, insurers, doctors, and pharmacists.
"The time to act is yesterday," she wrote. "Organizations must become aware of the many attack surfaces in their organizations and follow best practices for configuring these systems and monitoring them for abuse."
Filkins noted that approximately one-third of the compromised organizations represented small providers, while the rest included clearinghouses, health plans, pharmaceutical companies, and other types of medical organizations.
"Some of these providers were also quite large, with renowned research centers and teaching hospitals among the sources sending out the malicious packets," she wrote.
Organization-level sources of malicious IP traffic included the following:
- Healthcare providers: 72%
- Healthcare business associates: 9.9%
- Health plans: 6.1%
- Healthcare clearinghouses: 0.5%
- Pharmaceutical firms: 2.9%
- Other healthcare-related entities: 8.5%
Biggest threats
Ironically, the most common sources of malicious traffic come from security tools that healthcare organizations rely on to protect them.
The largest medical end points of malicious traffic included the following:
- Virtual private network (VPN) applications and devices: 33%
- Firewalls: 16%
- Web-based call center websites: 8%
- Radiology imaging software: 7%
- Routers: 7%
- Video conferencing systems: 7%
The report shows that critical healthcare information assets are poorly protected and often compromised, according to Filkins.
"Edge security and access systems, medical devices, video imaging systems, and call centers have all been suborned in compromises that, in some cases, went on for the duration of the data collection period of 13 months," she wrote. "Providers, insurers, business partners, and healthcare exchanges of all sizes were sending malicious traffic that was caught up in Norse's global threat intelligence sensors."
Many of these organizations are large entities that should have the resources to conduct the basic inventory, assessment, and configuration controls needed to protect their systems from being compromised and used maliciously.
"This report, however, shows that the systems were compromised for long periods of time, and even when alerted to their system's actions, the organizations did not repair the vulnerabilities," she wrote.
No healthcare organization is immune from these threats, Filkins added.
"Reports of breaches against healthcare organizations, large and small, continue to rise -- as do the regulatory fines they are facing for the exposure of protected patient data," she wrote.
Time for action
It's time for a renewed focus on security within healthcare, beginning with enforcing best practices and controls, Filkins said. A good starting point would be to implement the Critical Security Controls (CSCs), a list of 20 items for effective network defense. Two-factor authentication should also be considered.
After assessing their risks, organizations need to follow industry and vendor best practices for securing devices.
"Without a strong password policy in place, even strong [Secure Sockets Layer (SSL)] VPN authentication can be easily compromised by brute force password guessing or dictionary attacks," she wrote.
Filkins also pointed out that devices with default passwords, insecure ports, and other inherent risks are not being properly configured or monitored for vulnerabilities.
Network pathways also need to be considered to ensure they are not internally compromised. In addition, organizations need new methods for monitoring and analyzing their network traffic in real-time.
"Assessment for system configuration and potential vulnerabilities should be an ongoing process of detection, repair, improvement, and attestation that the improvements have been made," Filkins wrote.
The full report can be found here.