With the rise of the Internet of Things, even the healthcare space is facing a critical transition into digitization. Recently, St. Luke’s Medical Center launched its app to enable the public to access a wide array of medical services more conveniently. Microsoft Philippines, together with HP, announced the availability of Care Mobility Initiative or CARMI, a solution that will allow nurses to be more productive and collaborative using cloud-powered tablets.
While technology is revolutionizing the industry, it is in this same breadth that healthcare is lurking in a vulnerable place given the presence of online security threats, ranging from malicious software or malware, to targeted attacks.
In February 2015, 80 million of current and former customers and employees of Anthem Inc., the second largest health insurance provider in the United States, were reportedly affected by a targeted attack. In information technology context, a targeted attack is defined as threat that has been aimed at a specific user or organization. The targeted attack that distressed Anthem may have used custom backdoors to amass personal information from within the company’s network.
As a result, the names, member IDs, social security numbers, addresses, phone numbers, and employment information of the victims were compromised and likely stolen via unauthorized access. There is no evidence that credit card or medical information, such as claims, test results or diagnostic codes were targeted or compromised.
Healthcare organizations hold more information on customers than any other type of organization but may not necessarily use the most effective means to secure their data. They need to install protection to prevent unauthorized access and detect when these intrusions take place. It is very likely that at this very second, networks of more healthcare organizations are being breached and that their data is being compromised. The question is, how long will it be before we hear about it?
Healthcare Companies, Prime Attack Targets
According to the Identity Theft Resource Center (ITRC), four out of ten (42.5%) breaches that occurred from 2005 to 2014 affected the medical or healthcare industry. This statistic highlights one crucial fact—medical information is valuable to attackers.
The following timeline shows notable breaches in the healthcare industry:
Medical information can be used in a number of malicious activities, like identity theft and reputation damage. Days after the Anthem breach was made public, phishing scams were already found targeting possible victims of the breach. Apart from private health details, patient profiles kept by healthcare companies may also include a patient’s financial information, like credit card numbers.
Backdoor Use in Targeted Attacks
The specifics of how the backdoors (means of access to a computer program that bypasses security mechanisms) were used in the Anthem breach still aren’t clear. Breached organizations rarely release technical information about the attacks. Backdoor programs are Trojans “specifically designed to allow malicious users to remotely manipulate affected systems,” as defined by our threat encyclopedia. Backdoors are notorious enablers when it comes to targeted attacks. According to our researchers, attackers use eight notable techniques: communication with ports, bypassing firewalls, checking for available connections, abusing social media sites, abusing common web services, changing protocols, using custom DNS lookup, and reusing ports.
How to Secure Healthcare Information
Most healthcare breaches result from theft or loss, often from unsecured, unencrypted missing laptops or other devices that contain electronic protected health information (ePHI). At first glance, encryption may seem like a guaranteed solution against attacks; however, there are arguments that even the strongest encryption may not be enough. This is especially true with sophisticated attackers who aim to steal login credentials and gain privileged access to otherwise encrypted or protected data.
Lack of encryption is not the only problem when it comes to securing healthcare information. Securing healthcare information involves several things: protecting patient portals, proactively preparing against data loss, detecting breaches, auditing for compliance, safeguarding medical devices, and securing legacy systems, and watching out for all possible endpoints that may be attacked. Making sure that all these factors are covered can be a challenge, but it is necessary when considering what’s at stake.
So, What Now?
The healthcare industry should learn from the recent data breach cases and be more proactive when it comes to security. In this time where digital is at its most powerful stage, threat actors are in their most enabled position as well to hack data and networks. And even the medical industry is not exempted from targeted attacks. In this connection, these questions must be realized: Are local healthcare associations doing enough to protect their IT systems and networks? How open-minded are they in terms of prioritizing and investing in security? The health of patients is of paramount importance and so are their personal identifiable information and data. We hope that medical institutions will have a change in perspective and priorities as early as now. After all, prevention is better than cure.
– Paul Oliveria, Threat Focus Lead, Trend Micro Philippines