main

DDoS Attacks

Healthcare is in Cybercriminals’ Crosshairs

August 6, 2019 — by Mark Taylor0

healthcare-960x640.jpg

The healthcare industry is a prime target of hackers. According to Radware’s 2018-2019 Global Application and Network Security Report, healthcare was the second-most attacked industry after the government sector in 2018. In fact, about 39 percent of healthcare organizations were hit daily or weekly by hackers and only 6 percent said they’d never experienced a cyber attack.

Increased digitization in healthcare is a contributor to the industry’s enlarged attack surface. And it’s accelerated by a number of factors: the broad adoption of Electronic Health Records Systems (EHRS), integration of IoT technology in medical devices (software-based medical equipment like MRIs, EKGs, infusion pumps), and a migration to cloud services.

Case in point: 96% of non-federal acute care hospitals have an EHRS. This is up from 8% in 2008.  

Accenture estimates that the loss of data and related failures will cost healthcare companies nearly $6 trillion in damages in 2020, compared to $3 trillion in 2017. Cyber crime can have a devastating financial impact on the healthcare sector in the next four to five years.

The Vulnerabilities

According to the aforementioned Radware report, healthcare organizations saw a significant increase in malware or bot attacks, with socially engineered threats and DDoS steadily growing, as well. While overall ransomware attacks have decreased, hackers continue to hit the healthcare industry the hardest with these attacks. And they will continue to refine ransomware attacks and likely hijack IoT devices to hold tech hostage.

[You may also like: How Cyberattacks Directly Impact Your Brand]

Indeed, the increasing use of medical IoT devices makes healthcare organizations more vulnerable to DDoS attacks; attackers use infected IoT devices in botnets to launch coordinated attacks.

Additionally, cryptomining is on the rise, with 44 percent of organizations experiencing a cryptomining or ransomware attack. Another 14 percent experienced both. What’s worse is that these health providers don’t feel prepared for these attacks. The report found healthcare “is still intimidated by ransomware.”

The Office of Civil Rights (OCR) has warned about the dangers of DDoS attacks on healthcare organizations; in one incident, a DDoS attack overloaded a hospital network and computers, disrupting operations and causing hundreds of thousands of dollars in losses and damages.

[You may also like: 2018 In Review: Healthcare Under Attack]

Why Healthcare?

The healthcare industry is targeted for a variety of reasons. For one thing, money. By 2026, healthcare spending will consume 20% of the GDP, making the industry an attractive financial target for cyber criminals. And per Radware’s report, the value of medical records on the darknet is higher than that of passwords and credit cards.

And as my colleague Daniel Smith previously wrote, “not only are criminals exfiltrating patient data and selling it for a profit, but others have opted to encrypt medical records with ransomware or hold the data hostage until their extortion demand is met. Often hospitals are quick to pay an extortionist because backups are non-existent, or it may take too long to restore services.”

[You may also like: How Secure is Your Medical Data?]

Regardless of motivation, one thing is certain: Ransomware and DDoS attacks pose a dangerous threat to patients and those dealing with health issues. Many ailments are increasingly treated with cloud-based monitoring services, IoT-embedded devices and self or automated administration of prescription medicines. Cyber attacks could establish a foothold in the delivery of health services and put people’s lives and well-being at risk.

Recommendations

Securing digital assets can no longer be delegated solely to the IT department. Security planning needs to be infused into new product and service offerings, security, development plans and new business initiatives–not just for enterprises, but for hospitals and healthcare providers alike.

To prevent or mitigate DDoS attacks, US-Computer Emergency Readiness Team (US-CERT) recommends that organizations consider the following measures:

  • Continuously monitoring and scanning for vulnerable and comprised IoT devices on their networks and following proper remediation actions
  • Creating and implementing password management policies and procedures for devices and their users; ensuring all default passwords are changed to strong passwords
  • Installing and maintaining anti-virus software and security patches; updating IoT devices with security patches as soon as patches become available is critical.
  • Installing a firewall and configuring it to restrict traffic coming into and leaving the network and IT systems
  • Segmenting networks where appropriate and applying security controls for access to network segments
  • Disabling universal plug and play on routers unless absolutely necessary

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Application SecurityAttack MitigationDDoS AttacksSecurity

2018 In Review: Healthcare Under Attack

December 12, 2018 — by Daniel Smith0

Healthcare-Under-Attack-960x568.jpg

Radware’s ERT and Threat Research Center monitored an immense number of events over the last year, giving us a chance to review and analyze attack patterns to gain further insight into today’s trends and changes in the attack landscape. Here are some insights into what we have observed over the last year.

Healthcare Under Attack

Over the last decade there has been a dramatic digital transformation within healthcare; more facilities are relying on electronic forms and online processes to help improve and streamline the patient experience. As a result, the medical industry has new responsibilities and priorities to ensure client data is kept secure and available–which unfortunately aren’t always kept up with.

This year, the healthcare industry dominated news with an ever-growing list of breaches and attacks. Aetna, CarePlus, Partners Healthcare, BJC Healthcare, St. Peter’s Surgery and Endoscopy Center, ATI Physical Therapy, Inogen, UnityPoint Health, Nuance Communication, LifeBridge Health, Aultman Health Foundation, Med Associates and more recently Nashville Metro Public Health, UMC Physicians, and LabCorp Diagnostics have all disclosed or settled major breaches.

[You may also like: 2019 Predictions: Will Cyber Serenity Soon Be a Thing of the Past?]

Generally speaking, the risk of falling prey to data breaches is high, due to password sharing, outdated and unpatched software, or exposed and vulnerable servers. When you look at medical facilities in particular, other risks begin to appear, like those surrounding the number of hospital employees who have full or partial access to your health records during your stay there. The possibilities for a malicious insider or abuse of access is also very high, as is the risk of third party breaches. For example, it was recently disclosed that NHS patient records may have been exposed when passwords were stolen from Embrace Learning, a training business used by healthcare workers to learn about data protection.

Profiting From Medical Data

These recent cyber-attacks targeting the healthcare industry underscore the growing threat to hospitals, medical institutions and insurance companies around the world. So, what’s driving the trend? Profit. Personal data, specifically healthcare records, are in demand and quite valuable on today’s black market, often fetching more money per record than your financial records, and are a crucial part of today’s Fullz packages sold by cyber criminals.

Not only are criminals exfiltrating patient data and selling it for a profit, but others have opted to encrypt medical records with ransomware or hold the data hostage until their extortion demand is met. Often hospitals are quick to pay an extortionist because backups are non-existent, or it may take too long to restore services. Because of this, cyber-criminals have a focus on this industry.

[You may also like: How Secure is Your Medical Data?]

Most of the attacks targeting the medical industry are ransomware attacks, often delivered via phishing campaigns. There have also been cases where ransomware and malware have been delivered via drive-by downloads and comprised third party vendors. We have also seen criminals use SQL injections to steal data from medical applications as well as flooding those networks with DDoS attacks. More recently, we have seen large scale scanning and exploitation of internet connected devices for the purpose of crypto mining, some of which have been located inside medical networks. In addition to causing outages and encrypting data, these attacks have resulted in canceling elective cases, diverting incoming patients and rescheduling surgeries.

For-profit hackers will target and launch a number of different attacks against medical networks designed to obtain and steal your personal information from vulnerable or exposed databases. They are looking for a complete or partial set of information such as name, date of birth, Social Security numbers, diagnosis or treatment information, Medicare or Medicaid identification number, medical record number, billing/claims information, health insurance information, disability code, birth or marriage certificate information, Employer Identification Number, driver’s license numbers, passport information, banking or financial account numbers, and usernames and passwords so they can resell that information for a profit.

[You may also like: Fraud on the Darknet: How to Own Over 1 Million Usernames and Passwords]

Sometimes the data obtained by the criminal is incomplete, but that data can be leveraged as a stepping stone to gather additional information. Criminals can use partial information to create a spear-phishing kit designed to gain your trust by citing a piece of personal information as bait. And they’ll move very quickly once they gain access to PHI or payment information. Criminals will normally sell the information obtained, even if incomplete, in bulk or in packages on private forums to other criminals who have the ability to complete the Fullz package or quickly cash the accounts out. Stolen data will also find its way to public auctions and marketplaces on the dark net, where sellers try to get the highest price possible for data or gain attention and notoriety for the hack.

Don’t let healthcare data slip through the cracks; be prepared.

Read “Radware’s 2018 Web Application Security Report” to learn more.

Download Now

Security

How Secure is Your Medical Data?

February 6, 2018 — by Louis Scialabba0

healthcare-smb-mssp-960x640.jpg

Imagine getting online with your doctor on the other end of the streaming connection, and then sending her real-time data of your blood pressure and glucose levels for real-time analysis and consultation.  It’s convenient, it’s timely, and it’s altogether probably cheaper than making a visit to the office.  But is your information secure?  Who else might be snooping on the data you are sending?  The risk is probably higher than you think, and the reward for malicious cyber criminals is certainly worth their time and effort.

Security

The Healthcare / Cyber-Security Connection

January 9, 2018 — by Radware0

healthcare-roundup-960x640.jpg

One of the businesses in the spotlight lately when it comes to cyber-attacks is healthcare – in fact, 46% of healthcare organizations experienced a data breach. The data associated with this industry is extremely sensitive and highly regulated, and also actively sought by hackers. It has even gotten to the point where we need to worry about the possibility of someone’s pacemaker or other medical device being hacked. We’ve covered this topic in much detail over the course of 2017, and below is our roundup of everything you need to know about cyber-security and healthcare.

SecurityWAF

Healthcare & Web Application Security: A Prescriptive Look at Application-Layer Security Risks

December 7, 2017 — by Radware0

waf-healthcare-960x640.jpg

The healthcare sector consists of a wide number of segments: payers, such as insurance companies; providers such as hospitals and doctors; and manufacturers, both pharmaceutical as well as medical device and equipment. Because the industry deals with quality of life issues across the spectrum, access to real-time data, especially sensitive data such as patient records, requires both the security and availability of in-house, Web, mobile, or cloud applications.

Application Delivery

Encryption is a Double-Edged Sword for the Healthcare Industry

December 5, 2017 — by Frank Yue2

ssl-healthcare-encryption-960x641.jpg

The healthcare industry must take security and privacy seriously.  They collect and retain personal health information (PHI) and financial information while providing life-saving medical care.  The protection of this information and the networks that manage it is one of the top concerns for IT organizations in the healthcare industry.

Application DeliverySecuritySSL

5 Key Items for the Digital Transformation of Healthcare

September 20, 2017 — by Frank Yue0

healthcare-ssl-1-960x640.jpg

People’s lives are at risk as the healthcare industry transforms patient care with modern IT technologies. Data security and application availability are essential when a patient’s medical information is on the network. Hospitals and medical practices are digitizing healthcare applications like x-rays, CAT scans, medication distribution and surgical procedures using interactive video. In addition, patient care staff are accessing all of this medical information on tablets, phones, and other devices in real-time.

Attack Types & VectorsSecurity

Hospitals Can Take More Than Your Organs

August 30, 2017 — by Louis Scialabba0

healthcare-mssp-960x620.jpg

You went to the hospital to get your appendix out and one week later your identity was taken from you as well.  How did this happen? In all likelihood, you can thank a hospital worker.

In its 2019 Data Breach Investigations Report, Verizon found that the majority of data breaches in healthcare are associated with internal bad actors, and result from ransomware and phishing attacks. For the second straight year, Verizon reported that ransomware incidents accounted for over 70 percent of all malware outbreaks in the healthcare vertical.

A Growing Epidemic

Per a HealthCareDive brief, almost 32 million patient records were breached in the first half of 2019 — more than double the records breached in all of 2018. And according to Health IT Security, the top ten healthcare breaches in 2019 (so far) have seen more than 200,000 records breached at a time. These are massive numbers.

In July 2019 alone, 42 separate hacking incidents led to the exposure of 22 million people’s healthcare data. There was only one higher month ever measured – February 2015 – when the Anthem breach exposed the data of nearly 80 million members.

[You may also like: Healthcare is in Cybercriminals’ Crosshairs]

Small hospitals, doctor’s offices, and clinics do a great job at making us well, which is their primary focus; cyber attacks on electronic health records have historically not been top of mind. That needs to change, and the sooner the better.

Although healthcare entities have taken small steps in protecting sensitive data, attacks continue to get more and more complex and can initiate from both the outside and inside of an organization.

Per the above referenced Verizon report, the “healthcare industry is not immune to the same illnesses we see in other verticals such as the very common scenario of phishing emails sent to dupe users into clicking and entering their email credentials on a phony site. The freshly stolen login information is then used to access the user’s cloud-based mail account, and any patient data that is chilling in the Inbox, or Sent Items, or other older for that matter is considered compromised – and its disclosure time.”

Deadly Impacts

Just as small enterprises everywhere are searching for ways to shore up their protection and avoid business disruptions, healthcare organizations have an obligation to protect their business and their patients’ sensitive information — it could very well be a matter of life and death.

[You may also like: 2018 In Review: Healthcare Under Attack]

A Vanderbilt University researcher posited that mortality rates rise in the aftermath of a cyber attack, thanks in part to corresponding disruptions to medical services and delays in providing treatment. The researcher estimated that healthcare data breaches may case as many as 2,100 deaths per year in the U.S.

Just think: What would happen if someone hacked into your pacemaker or insulin pump? The threat is so real that former Vice President Dick Cheney revealed on CBS’s “60 Minutes” in 2013 that he had the wireless capability on his pacemaker disabled.

A Prime Opportunity for Service Providers

Good help can be hard to find, especially when it comes to experts in the complex field of cybersecurity.  Carriers who are experienced (either by themselves or with partners) in protecting their infrastructure and offering services to small- and medium-sized businesses can benefit from new revenue streams by offering security solutions to the healthcare sector.

[You may also like: The Healthcare / Cyber-Security Connection]

There are three major ways a Service Provider can get into the business of selling an MSSP service:

  1. White label an existing service. This is the least risky of the options, and requires no upfront capital. It’s also the fastest way to bring a service to the market. The carrier gets to focus on sales, marketing, and back-office support, but delegates the security expertise and the technology to a partner. This can be sold as a part of connectivity or compute/storage services as part of a high-value bundle.
  2. Build your own service. This takes the most time, capital, and resources, but also offers the highest margins and overall NPV. If you have an in-house IT team that can operate and manage a network security solution, you can maximize your return on investment.
  3. Get the best of both worlds. A third option is to start with a white-labeled service before transitioning to managing it in-house. You forego large capital expenditures up front so you can focus on marketing and selling the service while building back-office operations and expertise. You’ll be able to quickly serve customers and gauge enthusiasm while planning to migrate operations in house over time to recognize the large profit streams in the later years.

This post was updated on September 13, 2019.

Read “The Trust Factor: Cybersecurity’s Role in Sustaining Business Momentum” to learn more.

Download Now

Security

GDPR and HITECH: Can the Past Predict the Future?

June 27, 2017 — by David Hobbs2

gdpr-hitech-compliance-960x640.jpg

In February of 2017, Memorial Healthcare System settled their HIPAA violation fines for $5.5 Million USD. During an investigation, it was discovered that over 100,000 patient records had been impermissibly accessed. Allegedly, an ex-employee retained access to personal identifying information and sold data records to people who filed fraudulent tax returns using the data. Federal criminal charges were filed against the ex-employee.

Fines, Fines, Fines

The first question that comes to mind is: Why did the hospital get such a hefty fine if an ex-employee was responsible? According to the report from the Office of Civil Rights, “At the root of this breach was MHS’s failure to follow its own polices and deactivate the login credentials of a former employee from an affiliated physician’s office. Over the course of roughly a year, these credentials were repeatedly used to gain access to MHS’s data systems and client ePHI.”

[You may also like: Healthcare is in Cybercriminals’ Crosshairs]

This isn’t the only case of the office of Civil Rights issuing fines over HIPAA violations. We’ve seen numerous violations and breaches resulting in multi-million dollar fines. Many organizations didn’t believe that a data breach would ever result in fines, and some thought that cyber insurance would cover them and so didn’t bother securing their systems.

In 2013, California’s Cottage Health System notified 32,755 of its patients whose protected health information had been compromised after the health system and one of its third-party vendors, inSync, stored unencrypted medical records on a system accessible to the Internet. As a result, the data may have been publicly available on search engines like Google. Columbia Casualty Company insured Cottage Health System for data breach.  Because Cottage Health System failed to properly secure their system, Columbia Casualty Company has challenged the insurance claim in court.

[You may also like: Think Cybersecurity Insurance Will Save You? Think Again.]

Evolving Regulations

General Data Protection Regulation (GDPR) is the new global compliance initiative from the EU. The GDPR implements a two-tiered approach to categorizing violations and related fines. The most significant breaches of the GDPR’s obligations can result in a fine of up to 4 percent of a company’s annual global revenue, or €20 million (whichever is greater).

These higher-tier violations include failing to obtain the necessary level of customer consent to process data, failing to permit data subjects to exercise their rights including as to data erasure and portability, and transferring personal data outside the EU without appropriate safeguards.

For less serious violations, which include failing to maintain records of customer consent or failing to notify the relevant parties when a data breach has occurred, the maximum fine is limited to 2 percent of annual global revenue, or €10 million (whichever is greater).

[You may also like: WAF and DDoS Help You on the Road to GDPR Compliancy]

Companies not located in the EU but that process the data of EU customers will have to appoint a representative in the EU. In relation to enforcement, we can take a look at the USA and determine how this might work in Asia.

The GDPR directs EU authorities to develop international cooperation mechanisms to support its extraterritorial reach, which could potentially build upon existing treaties and mutual investigative assistance agreements the EU has in place with the U.S. Federal Trade Commission.  Companies should be aware that the EU is increasing its efforts to work with and through American authorities to investigate American targets, which may yield increased scrutiny on companies with an EU web presence.

What’s Next?

If we look at India for a moment, the Indian outsourcing industry nearly stands at over 150 Billion USD, contributing nearly 9.3% to the GDP. More than 100 Billion USD of revenues comes from overseas, largely attributed to cross border data flow, that too from majority of countries of western regions and the EU. With factors like data privacy and security becoming an important determinant in outsourcing, the global landscape on data flows is likely to be impacted.

[You may also like: The Impact of GDPR One Year In]

Other industries you may not think about, such as airlines, car rentals and hotels which allow booking from the internet, may be impacted.

Will the HITECH Act fines become the harbinger of much larger fines to come? Which countries will have cooperation with the EU, and which might get banned? Would banning nations from doing business with EU citizens force compliance?  Would “content filtering” the internet for offenders cause a large disruption in their business?

Read “2019 C-Suite Perspectives: From Defense to Offense, Executives Turn Information Security into a Competitive Advantage” to learn more.

Download Now