Researchers have found a trove of information on a file-sharing site that could allow attackers to breach electronic medical records and payment information from healthcare providers such as nursing homes, doctors’ offices and hospitals.
The Wall Street Journal reports that the information found includes passwords to network firewalls at healthcare providers, the type of equipment the providers’ networks use, and precise blueprints of facilities, including locations of computers and printers.
The site, 4shared.com, held information on three nursing homes, the WSJ found: the Bronx Center for Rehabilitation & Healthcare in New York; the Glengariff Healthcare Center in Glen Cove, N.Y.; and the Campbell Hall Rehabilitation Center in Campbell Hall, N.Y.
It’s not known if personal information has been taken out of any of the nursing homes.
One home, Glengariff, wasn’t aware that its information was online until the WSJ contacted it.
But a spokesman told the newspaper that the data, including passwords, dated to 2007 and that the passwords had been changed since then – when the Center installed new medical records software.
Bronx Center told the WSJ it learned of the security breach in early 2012 and switched security providers. A spokesman said that the nursing home hadn’t received any reports of stolen identities.
The Campbell Hall Rehabilitation Center hadn’t responded to the WSJ’s requests for comment as of Wednesday morning.
The news is disheartening, but not surprising.
Judging by a recent SANS report on cyberthreats in healthcare, the industry should be on life support. It’s bleeding from a million holes.
As it is, healthcare is pushing into digitised records, the US is wrestling with its HealthCare.gov debacle, electronic health information is being increasingly swapped online, and the Internet of Things means that more medical devices than ever are hooked up and exposed as attack surfaces.
SANS published a recent report on the state of security in health care, basing it on threat intelligence data gathered by the security company Norse.
The report details how healthcare organizations of all types have been and continue to be compromised by successful attacks.
- Every type of healthcare organization was represented in the study’s data set of compromises, from hospitals to insurance carriers to pharmaceutical companies.
- Compromised devices included everything from radiology imaging software, to firewalls, web cameras and mail servers.
- A significant number of compromises were due to very basic issues such as not changing default credentials on firewalls.
The data sample included: 49,917 unique malicious events, 723 unique malicious source IP addresses, and 375 compromised health care-related organisations based in the US.
The data came from healthcare clearinghouses, health plans, pharmaceutical companies and other types of medical organisations.
About a third of the contaminated organisations were small providers, although some of the providers were quite large, the report says, with some being renowned research centers and teaching hospitals.
Many of the compromised healthcare organisations were out of compliance for months – some even for the entire duration of the study – having never detected their compromises or been aware that their systems were sending out malicious communications.
The report lists the specific sources of “malicious traffic” which came from the organisations:
Connected medical endpoints.
With hackers taking advantage of the increasing ubiquity of the Internet of Things, major sources of malicious traffic were radiology imaging software (7%), video conferencing systems (7%), and digital video systems (3%) used for consults and remote procedures.
Other sources included medical devices, applications and software used in online health monitoring, radiology devices, and other devices that security staffers might not think of as viable attack surfaces, such as network-attached printers, faxes and surveillance cameras.
Internet-facing personal health data
A medical supply company’s web-based call center website, backed by a VoIP PBX, sent out 8% of the malicious traffic the study analysed. The researches also found indications of a compromised personal health record (PHR) system.
Security systems and edge devices
The largest proportion of the study’s analysed malicious traffic (33%) passed through or was transmitted from VPN applications and devices. 16% was sent by firewalls, 7% from routers and 3% from enterprise network controllers (ENCs).
This either means that the devices and applications themselves were compromised – a typical tactic among malware families, the report says – or security systems aren’t detecting the malicious traffic inside the firewall or behind the VPN. No detecting means no reporting and that means they’re out of compliance with privacy and security regulations for patient data, the report points out.