Researchers have found a trove of information on a file-sharing site that could allow attackers to breach electronic medical records and payment information from healthcare providers such as nursing homes, doctors’ offices and hospitals.
The Wall Street Journal reports that the information found includes passwords to network firewalls at healthcare providers, the type of equipment the providers’ networks use, and precise blueprints of facilities, including locations of computers and printers.
The site, 4shared.com, held information on three nursing homes, the WSJ found: the Bronx Center for Rehabilitation & Healthcare in New York; the Glengariff Healthcare Center in Glen Cove, N.Y.; and the Campbell Hall Rehabilitation Center in Campbell Hall, N.Y.
It’s not known if personal information has been taken out of any of the nursing homes.
One home, Glengariff, wasn’t aware that its information was online until the WSJ contacted it.
But a spokesman told the newspaper that the data, including passwords, dated to 2007 and that the passwords had been changed since then – when the Center installed new medical records software.
Bronx Center told the WSJ it learned of the security breach in early 2012 and switched security providers. A spokesman said that the nursing home hadn’t received any reports of stolen identities.
The Campbell Hall Rehabilitation Center hadn’t responded to the WSJ’s requests for comment as of Wednesday morning.
The news is disheartening, but not surprising.
Judging by a recent SANS report on cyberthreats in healthcare, the industry should be on life support. It’s bleeding from a million holes.
As it is, healthcare is pushing into digitised records, the US is wrestling with its HealthCare.gov debacle, electronic health information is being increasingly swapped online, and the Internet of Things means that more medical devices than ever are hooked up and exposed as attack surfaces.
SANS published a recent report on the state of security in health care, basing it on threat intelligence data gathered by the security company Norse.
The report details how healthcare organizations of all types have been and continue to be compromised by successful attacks.
Key findings:
- Every type of healthcare organization was represented in the study’s data set of compromises, from hospitals to insurance carriers to pharmaceutical companies.
- Compromised devices included everything from radiology imaging software to firewalls, web cameras and mail servers.
- A significant number of compromises were due to very basic issues such as not changing default credentials on firewalls.
The data sample included: 49,917 unique malicious events, 723 unique malicious source IP addresses, and 375 compromised health care-related organisations based in the US.
The data came from healthcare clearinghouses, health plans, pharmaceutical companies and other types of medical organisations.
About a third of the compromised organisations were small providers, although some of the providers were quite large, the report says, with some being renowned research centers and teaching hospitals.
Many of the compromised healthcare organisations were out of compliance for months – some even for the entire duration of the study – having never detected their compromises or been aware that their systems were sending out malicious communications.
The report lists the specific sources of “malicious traffic” which came from the organisations:
Connected medical endpoints
With hackers taking advantage of the increasing ubiquity of the Internet of Things, major sources of malicious traffic were radiology imaging software (7%), video conferencing systems (7%), and digital video systems (3%) used for consults and remote procedures.
Other sources included medical devices, applications and software used in online health monitoring, radiology devices, and other devices that security staffers might not think of as viable attack surfaces, such as network-attached printers, faxes and surveillance cameras.
Internet-facing personal health data
A medical supply company’s web-based call center website, backed by a VoIP PBX, sent out 8% of the malicious traffic the study analysed. The researchers also found indications of a compromised personal health record (PHR) system.
Security systems and edge devices
The largest proportion of the study’s analysed malicious traffic (33%) passed through or was transmitted from VPN applications and devices. 16% was sent by firewalls, 7% from routers and 3% from enterprise network controllers (ENCs).
This means one of two things, the report says: either the devices and applications themselves were compromised – a typical tactic among malware families – or the organisations’ security systems aren’t detecting malicious traffic that originates inside the firewall or behind the VPN. Traffic that isn’t detected isn’t reported, and an undetected, unreported compromise puts the organisation out of compliance with privacy and security regulations for patient data, the report points out.
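As an added illustration of that last point (this is example code written for this page, not from SANS, Norse or any organisation named above): a small detection script that reads constructed firewall log lines and flags allowed outbound flows whose source address is an edge device itself (the firewall or VPN concentrator management address) going to an external destination that is not on an allowlist, marking flows that recur at regular intervals as beacon-like. The log format, the device inventory, the allowlist and the 10.0.0.0/8 internal range are all assumptions; the external addresses are documentation ranges standing in for real ones.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the article or any real device).
# Assumed format: "<timestamp> <device> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOGS = """\
2014-02-19T10:00:01Z fw-edge1 src=10.0.0.1 dst=203.0.113.10 dport=443 action=allow
2014-02-19T10:00:02Z fw-edge1 src=10.0.5.23 dst=198.51.100.7 dport=443 action=allow
2014-02-19T10:05:01Z fw-edge1 src=10.0.0.1 dst=203.0.113.10 dport=443 action=allow
2014-02-19T10:10:01Z fw-edge1 src=10.0.0.1 dst=203.0.113.10 dport=443 action=allow
2014-02-19T10:12:44Z fw-edge1 src=10.0.0.2 dst=192.0.2.50 dport=123 action=allow
2014-02-19T10:15:01Z fw-edge1 src=10.0.0.1 dst=203.0.113.10 dport=443 action=allow
2014-02-19T10:20:09Z fw-edge1 src=10.0.5.23 dst=10.0.7.9 dport=445 action=allow
2014-02-19T10:21:00Z fw-edge1 src=10.0.0.2 dst=198.51.100.99 dport=6667 action=allow
"""

# Assumed inventory: management addresses of the edge devices themselves.
EDGE_DEVICES = {"10.0.0.1": "firewall", "10.0.0.2": "vpn-concentrator"}
# Assumed allowlist: external hosts an edge device legitimately talks to (e.g. NTP).
ALLOWED_DESTINATIONS = {"192.0.2.50"}
# Assumed internal address space; anything outside it counts as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the assumed log format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_edge_device_egress(events, edge_devices, allowed_destinations):
    """Report allowed outbound flows whose SOURCE is an edge device itself.

    Traffic sourced from the firewall or VPN concentrator to an unknown external
    host is what a compromised edge device looks like in its own logs.
    """
    flows = defaultdict(list)
    for ev in events:
        if ev["action"] != "allow" or ev["src"] not in edge_devices:
            continue
        if is_internal(ev["dst"]) or ev["dst"] in allowed_destinations:
            continue
        flows[(ev["src"], ev["dst"], ev["dport"])].append(ev["ts"])

    findings = []
    for (src, dst, dport), stamps in sorted(flows.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Three or more connections with near-identical spacing look like a beacon.
        beacon_like = len(gaps) >= 2 and max(gaps) - min(gaps) <= 30
        findings.append({
            "device": edge_devices[src], "src": src, "dst": dst, "dport": dport,
            "count": len(stamps), "beacon_like": beacon_like,
        })
    return findings


def analyse(text=SAMPLE_LOGS):
    return find_edge_device_egress(parse_log(text), EDGE_DEVICES, ALLOWED_DESTINATIONS)


if __name__ == "__main__":
    for f in analyse():
        label = "BEACON-LIKE" if f["beacon_like"] else "unexpected"
        print(f"{label}: {f['device']} {f['src']} -> {f['dst']}:{f['dport']} x{f['count']}")
```

On the constructed sample this reports the firewall’s four evenly spaced connections to 203.0.113.10 as beacon-like and the VPN concentrator’s single IRC-port connection as unexpected, while ignoring the NTP request on the allowlist and the workstation traffic that merely passes through the firewall. The point of keying on the edge device’s own address is that ordinary rules built around internal hosts never look at it.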
Image of nursing home courtesy of Shutterstock.
“But a spokesman told the newspaper that the data, including passwords, dated to 2007 and that the passwords had been changed since then”
Love that part – changed the password when they changed software – but probably not again since.
If you have sensitive data on your network your passwords should be changed weekly. Of course people always complain about it – but too darn bad if you ask me!
Everyone complains about password changes until they end up in a multi-million dollar HIPAA violation lawsuit…Then, they blame you for not fixing things with your own money since they don’t allocate enough funds for data security.
Welcome to the world of electronic medical records where your life will be laid bare for the whole world to peruse. You better think 10 times before you open your mouth to a doctor who is recording it to be sent to a government database. There is no such thing as doctor patient confidentiality anymore. You better think 10 times about certain medications for depression and anxiety, because it will be used as an excuse to deny you your 2nd amendment rights. If you don’t want the world to know your business you better keep it to yourself.
The healthcare business still uses faxing as state of the art technology. To say doctors and staff are far behind the technology curve is too kind. Most know nothing about security and feel it is beneath them to be burdened.
My doctor tried to talk me into allowing her to put my medical records online. I spoke to her about the serious cyber security issues going on in the world today. She then told me that the US Fed Gov was forcing doctors nationwide to have at least 25% of their patients online by the end of 2014 or her office could be fined. What’s up with that? We all know about the global cyber security problem. So why do agencies/banks and so on keep pushing for more and more connectivity? Banks chose to move the ATMs to the Internet…very foolish…so it’s their fault too for making it easier for thieves to steal customer data/money. Same goes for SCADA-centric entities like power companies…moving stuff to the Internet to save money and make administration easier…how foolish. Those who make such decisions should be held personally responsible for cyber security break-ins, along with the thieves of course.