In 2017 the NHS found itself the target of a security breach. But what makes the healthcare industry vulnerable? New research by eSentire looks at just this, dissecting the cybersecurity issues that face the sector at present. We explore the healthcare threat report.
In December 2017 eSentire published a report, Industry Threat Report: Healthcare, on cybersecurity in healthcare, which considered why the healthcare industry is a growing target and revealed some of the common exposures and attack methods used by cybercriminals.
The report not only found an increase in the number of breaches reported by medical organisations, but also found that the introduction of web portals and connected medical devices has further exposed healthcare. As general practice becomes more tech-led, it is important that the practice team is aware of and up to date with the threats that are out there and how to avoid them.
Vulnerability point observations
Publicly accessible network admin panels, insecure web services for patients and devices exposed to the internet while running outdated software all give health organisations a greater ‘threat surface’ – the more that is exposed, the more susceptible they are to attack.
The report highlights that many healthcare organisations use single-factor authentication (1FA) for their VPN services and still have devices running the Windows XP operating system, which is widely considered outdated. In addition, the report found externally-facing vulnerabilities in commonly exploited software such as OpenSSL, Microsoft Windows Server 2003, PHP, Apache Struts and Microsoft IIS.
The report also identifies different attack types, which practice staff benefit from being aware of. Two such findings were:
- an over-exposed threat surface and poor vulnerability management, which together represent a weak security posture and greatly increase an organisation’s susceptibility to opportunistic threats;
- the hijacking of Point of Sale (PoS) devices (specifically identified in hospitals), such as credit card readers used in payment processing.
Opportunistic attacks were also pinpointed; the report revealed that exploitation of vulnerabilities going back as far as 1999, such as CVE-1999-0517, is still regularly attempted by opportunistic threat actors. It showed that OpenSSL’s Heartbleed (CVE-2014-0160) is the most targeted vulnerability across all industries, followed by vulnerabilities in ASUS routers (CVE-2014-9583), Apache Struts (CVE-2017-5638) and Microsoft IIS (CVE-2000-0778, CVE-2000-0071, CVE-1999-1538).
Similar vulnerabilities for the same software were found in externally-facing services among healthcare organisations, making them attractive targets for low-effort attacks. Most of these attacks require no action on the user’s part – attackers need only to find an exposed device through reconnaissance scans and run the exploit, often using the same tool that found the vulnerability in the first place.
Observed threat types
Compared to other industries, healthcare organisations experience a medium amount of traffic per sensor. They also tend to have a larger ratio of phishing (or fraud) traffic than other industries – likely because the email addresses of healthcare professionals are less protected from the public than in other industries.
Healthcare personnel are also more likely to open a phishing email given the high number of unpredictable emails they receive in the process of ordering drugs and equipment and collaborating with other healthcare providers. Healthcare networks also experience a large degree of reputation blocks, in which an organisation’s security provider automatically blocks traffic from known threats.
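The reconnaissance scans described under the previous heading and the reputation blocks mentioned here both come down to simple patterns in connection logs. The following Python is an added example, not code from the eSentire report: it parses a constructed firewall log in a hypothetical format, flags any source address that appears on a constructed reputation blocklist (the automatic block a security provider applies to known-bad sources), and flags a source as a scanner when it touches many distinct host/port pairs within a short window. The log format, the addresses, the window and the threshold are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log in a hypothetical format (documentation address ranges only).
SAMPLE_LOG = """\
2017-12-01T08:00:01Z ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=443
2017-12-01T08:00:02Z ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=22
2017-12-01T08:00:03Z ACCEPT src=203.0.113.7 dst=192.0.2.10 dport=8080
2017-12-01T08:00:04Z ACCEPT src=203.0.113.7 dst=192.0.2.11 dport=443
2017-12-01T08:00:05Z ACCEPT src=203.0.113.7 dst=192.0.2.12 dport=3389
2017-12-01T08:00:30Z ACCEPT src=192.0.2.50 dst=192.0.2.10 dport=443
2017-12-01T08:01:10Z DROP src=198.51.100.23 dst=192.0.2.10 dport=443
2017-12-01T08:05:00Z ACCEPT src=192.0.2.50 dst=192.0.2.10 dport=443
2017-12-01T09:00:00Z ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=443
2017-12-01T09:30:00Z ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=22
"""

# Constructed reputation blocklist; a real one comes from the security provider's threat feed.
BLOCKLIST = {"198.51.100.23"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if the line does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["dport"] = int(event["dport"])
    return event


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def reputation_blocks(events, blocklist):
    """Events whose source is a known threat: a reputation block drops these automatically."""
    return [e for e in events if e["src"] in blocklist]


def detect_scanners(events, window_seconds=60, threshold=5):
    """Sources that reach at least `threshold` distinct (host, port) pairs inside any
    `window_seconds` window: the signature of a reconnaissance scan rather than normal use.
    Returns {source: most distinct targets seen in one window}."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):          # sliding window anchored at each event
            targets = set()
            for e in evs[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window_seconds:
                    break
                targets.add((e["dst"], e["dport"]))
            best = max(best, len(targets))
        if best >= threshold:
            scanners[src] = best
    return scanners


def triage(text, blocklist=BLOCKLIST):
    """Summarise a log: which sources were reputation-blocked and which look like scanners."""
    events = parse_log(text)
    return {
        "reputation_blocked": sorted({e["src"] for e in reputation_blocks(events, blocklist)}),
        "scanners": detect_scanners(events),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

With the constructed log, 203.0.113.7 hits five distinct host/port pairs in four seconds and is reported as a scanner, while 203.0.113.9 touches two services half an hour apart and is not; the blocklisted 198.51.100.23 is reported as a reputation block regardless of whether the firewall accepted or dropped the connection. The window and threshold are the knobs a practice would tune against its own traffic.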
The following technical recommendations were made in the report and are applicable to the healthcare industry and beyond:
- perform regular patch management to defend against opportunistic attackers;
- harden externally-facing servers;
- replace consumer-grade routers with professional-grade routers;
- raise staff awareness around phishing;
- monitor critical servers and Point-of-Sale (PoS) devices for indicators of compromise;
- implement 2-factor authentication, especially on critical, externally-facing services.
In addition to these technical recommendations, the following strategic recommendations should be considered:
- employ a dedicated security team, including a chief security officer;
- include security assessments in decision-making when purchasing medical equipment;
- engage government and industry partners to enable information-sharing with cybersecurity professionals abroad.
How cyber-secure is your practice? As we continue to undergo a digital transformation, it can be assumed that cyber-security issues will increase. Now is the time to ensure that you are practising precaution.
You can read the full report here.