
Healthcare Devices: Security Researchers Sound Alarms

Default usernames, weak passwords, and widespread Windows XP Embedded systems are cause for concern, SANS Institute researchers say.

and used to launch attacks. Last year, for example, Craig Heffner, a vulnerability researcher at Tactical Network Solutions, discovered an authentication bypass flaw in D-Link routers that would allow an attacker to log into any such Internet-connected device -- no matter their security settings -- and install malicious firmware.

Thankfully, TheMoon didn't involve malicious firmware, which had the added benefit of making the malware easy to expunge from infected devices. Instead, the worm appeared to be relatively opportunistic and designed just to gain access to vulnerable devices and then run its attack script to DDoS the dronebl site.

Healthcare fix: Start with information security basics
TheMoon demonstrates how easily a determined attacker can tap an undocumented flaw on a network-connected device to use it for his own purposes. But what happens when the exploited flaws are of an IT department's own making -- for example, because it's failed to change factory-set usernames or passwords? "The point is that, if you're going to buy a firewall, you'd better change the frickin' default password," said Glines.

Of course, that assumes a firewall is even being used. According to Glines, "what we're also seeing within this industry is quite a few appliances -- surveillance cameras, printers, and so on -- that run full Linux stacks that have no security on them whatsoever," nor have they been placed behind firewalls.

From a security defense standpoint, setting unique passwords and using firewalls should be just the start. The SANS report recommends that every organization -- healthcare included -- implement its 20 Critical Security Controls, the first of which is an inventory of the devices actually running on the network, authorized or not. That's especially important in hospital environments, which may be full of nontraditional IT systems, such as network-connected medical instruments and MRI scanners, that never passed through the IT department's normal provisioning.

Other crucial SANS steps include thinking like an attacker -- how would you attempt to steal medical information? -- as well as network monitoring to watch for signs of network infiltration and post-breach data exfiltration.
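To make the inventory recommendation concrete, here is an added example (not code from the SANS report, Norse, or InformationWeek) that turns the XML written by `nmap -O -sV -oX scan.xml <range>` into a device list, flagging hosts whose OS fingerprint is end-of-life (the Windows XP generation the report warns about) and appliances exposing management services that commonly ship with factory credentials. The embedded scan report, IP addresses, and vendor strings are constructed for the example; the end-of-life and management-service lists are assumptions to tune to local policy.

```python
"""Triage an nmap -O -sV XML report into a device inventory with findings."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample report: three hosts in the shape nmap actually emits.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -oX scan.xml 10.10.0.0/24" version="7.94">
 <host><status state="up"/>
  <address addr="10.10.0.21" addrtype="ipv4"/><address addr="00:1B:00:AA:BB:01" addrtype="mac" vendor="Example Medical"/>
  <hostnames><hostname name="mri-console" type="PTR"/></hostnames>
  <ports>
   <port protocol="tcp" portid="23"><state state="open"/><service name="telnet" method="table" conf="3"/></port>
   <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" method="table" conf="3"/></port>
  </ports>
  <os><osmatch name="Microsoft Windows XP SP3" accuracy="97"><osclass vendor="Microsoft" osfamily="Windows" osgen="XP" accuracy="97"/></osmatch></os>
 </host>
 <host><status state="up"/>
  <address addr="10.10.0.40" addrtype="ipv4"/><address addr="00:1B:00:AA:BB:02" addrtype="mac" vendor="Example Cameras"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="lighttpd" method="probed" conf="10"/></port>
   <port protocol="tcp" portid="554"><state state="open"/><service name="rtsp" method="table" conf="3"/></port>
  </ports>
  <os><osmatch name="Linux 2.6.32 - 3.10" accuracy="95"><osclass vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="95"/></osmatch></os>
 </host>
 <host><status state="up"/>
  <address addr="10.10.0.77" addrtype="ipv4"/>
  <hostnames><hostname name="ws-nursing-03" type="PTR"/></hostnames>
  <ports><port protocol="tcp" portid="135"><state state="open"/><service name="msrpc" method="table" conf="3"/></port></ports>
  <os><osmatch name="Microsoft Windows 7 SP1" accuracy="96"><osclass vendor="Microsoft" osfamily="Windows" osgen="7" accuracy="96"/></osmatch></os>
 </host>
</nmaprun>
"""

# Assumption: OS generations with no vendor patches; extend per local policy.
END_OF_LIFE_OSGEN = {("Windows", "XP"), ("Windows", "2000"), ("Windows", "2003")}
# Assumption: services that appliances ship with factory credentials or that
# carry credentials in cleartext; presence alone warrants a password/firewall review.
MANAGEMENT_SERVICES = {"telnet", "http", "ftp", "snmp", "rtsp", "ms-wbt-server", "vnc"}

@dataclass
class Device:
    ip: str
    mac: str = ""
    vendor: str = ""
    hostname: str = ""
    os_name: str = ""
    os_family: str = ""
    os_gen: str = ""
    open_services: list = field(default_factory=list)  # (port, service name)
    findings: list = field(default_factory=list)

def parse_nmap_xml(xml_text: str) -> list[Device]:
    """Build one Device per host nmap reported as up."""
    devices = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        dev = Device(ip="")
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                dev.ip = addr.get("addr", "")
            elif addr.get("addrtype") == "mac":
                dev.mac, dev.vendor = addr.get("addr", ""), addr.get("vendor", "")
        hn = host.find("hostnames/hostname")
        if hn is not None:
            dev.hostname = hn.get("name", "")
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            if state is not None and state.get("state") == "open":
                name = svc.get("name", "unknown") if svc is not None else "unknown"
                dev.open_services.append((int(port.get("portid")), name))
        match = host.find("os/osmatch")  # nmap lists matches best-first
        if match is not None:
            dev.os_name = match.get("name", "")
            cls = match.find("osclass")
            if cls is not None:
                dev.os_family, dev.os_gen = cls.get("osfamily", ""), cls.get("osgen", "")
        devices.append(dev)
    return devices

def triage(devices: list[Device]) -> list[Device]:
    """Attach findings: end-of-life OS fingerprint, exposed management services."""
    for dev in devices:
        if (dev.os_family, dev.os_gen) in END_OF_LIFE_OSGEN:
            dev.findings.append(f"end-of-life OS: {dev.os_name}")
        for port, name in dev.open_services:
            if name in MANAGEMENT_SERVICES:
                dev.findings.append(f"management service {name}/{port} reachable; "
                                    "verify non-default credentials and firewall placement")
    return devices

def inventory_report(xml_text: str) -> dict[str, list[str]]:
    """Map each host IP to its findings (empty list means nothing flagged)."""
    return {d.ip: d.findings for d in triage(parse_nmap_xml(xml_text))}

if __name__ == "__main__":
    for dev in triage(parse_nmap_xml(SAMPLE_SCAN_XML)):
        print(f"{dev.ip:<14} {dev.hostname or dev.vendor or 'unknown':<18} {dev.os_name or 'OS unknown'}")
        for finding in dev.findings:
            print(f"    - {finding}")
```

Run against a real report, the flagged rows are the list to take to the clinical engineering team: an XP-era console with telnet open is exactly the device class the article describes, and an unflagged Windows 7 workstation with only RPC open drops out of the first pass. OS fingerprinting is probabilistic, so treat `osmatch` as a lead to confirm, not a verdict.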

Patient data feeds prescription fraud
As the compromise of 375 different networks -- reported in the SANS study -- highlights, healthcare intrusions aren't an academic issue. "This level of compromise and control could easily lead to a wide range of criminal activities," Barbara Filkins, the SANS analyst who wrote the "Healthcare Cyberthreat Report," said in a press release. "For example, hackers can engage in widespread theft of patient information that includes everything from medical conditions to social security numbers to home addresses, and they can even manipulate medical devices used to administer critical care."

The vast majority of online attacks trace to criminals seeking financial gain by using things like banking malware to steal businesses' or consumers' online banking credentials. Healthcare systems, however, also offer criminals a potential revenue source; they can seize information that can be used to perpetrate Medicare fraud or prescription fraud. "The value of a medical record that gets stolen is $50 to $60 per record today, whereas a credit card is about $20," said Glines at Norse.

With credit card fraud, consumers can change accounts, or they can use ID theft monitoring services to cut down on some of the hours of cleanup hassle they'll likely face. But people who have their medical records stolen have fewer options or types of consumer protection. "If you're the victim of medical record fraud, [cleanup] costs fall more directly on the consumer, not to mention the privacy of your information being on the Internet is more concerning," Glines said.

Is HIPAA keeping security healthy?
For healthcare organizations, of course, failing to properly secure patient data opens them up to HIPAA fines and enforcement actions. In 2013, according to Filkins at SANS, individual HIPAA fines started at $150,000 and peaked with the $1.7 million fine against WellPoint for failing to protect information on more than 600,000 patients, which was left easily accessible via the Internet.

Despite the threat of such fines, 18 years after HIPAA was passed, and with the White House itself struggling to make the insurance portal secure, the SANS study suggests that many organizations that touch patient data still aren't taking the health of their IT infrastructure seriously.
