It is a common misconception that small businesses or small medical practices are immune to cyber attacks. The thinking is that, since they pale in comparison to larger corporations, the appeal of stealing their sensitive information is low. However, this is not the case. Larger corporations have tighter security measures. Cyber thieves know they can easily access and obtain confidential data from small practices that have many vulnerabilities in their security.
Vulnerabilities are an intractable part of the cyber security landscape. As long as healthcare organizations rely on computer hardware and software, security flaws will be found and exploited. The vast majority of vulnerabilities (99%) leveraged in cyber attacks are publicly known beforehand. This fact should ring alarms for every healthcare IT professional.
Exploits of known vulnerabilities:
- 71% experienced a security incident attributed to an exploit of a software vulnerability greater than three months old.
- 66% experienced an incident attributed to a vulnerability less than three months old. This was the third-most common driver of security incidents found.
Zero-day vulnerabilities – those that are not publicly known before they are exploited in an attack – are rare. They make great headlines, but they are expected to play a role in less than 0.1% of cyber attacks through 2020. However, 48% of IT security professionals surveyed said their organization experienced a zero-day attack in the last 12 months, according to the same Ponemon report.
Vulnerabilities vs. Reality
Resource constraints contribute to vulnerability problems. For example, an MRI machine can cost up to $3 million. The devices are often network-enabled and paired with a control PC. If a vulnerability is discovered in the machine and no patch exists, then the organization will likely tolerate the flaw, and perhaps mitigate or ignore it, long before the system is replaced. The burden falls on the IT staff to “make it work,” perhaps by isolating the system on the network and tightening access controls.
However, even these mitigations can encounter constraints. Medical environments – and hospitals in particular – rely on fast and easy access to data to improve patient outcomes. This can pressure IT departments to “loosen” security controls and ease constraints, potentially elevating the risk of data breach.
These factors and others help to explain why healthcare organizations continue to rely on outdated systems known to have severe security flaws. According to a July 2017 survey of 305 healthcare IT professionals in the UK and US by Infoblox:
- 22% have systems running Windows 7, which was originally released in 2009. Windows 10 was released in 2015.
- 20% have systems running Windows XP, which reached end-of-life and stopped receiving routine patches in 2014.
Medical Device Security
Vulnerabilities discovered in medical devices – such as CT scanners, pacemakers, and drug infusion pumps – are a growing concern to healthcare professionals, and even lawmakers.
More than half (55%) of health IT security professionals said medical device security is not part of their overall cyber security strategy, according to the Ponemon study. When asked to select their greatest concern with medical device security, 39% of healthcare IT security professionals cited patient safety.
While some devices can be updated or replaced, this is not always the case. In the Infoblox survey, 15% of healthcare IT professionals said they either cannot update these systems or are unsure if they can.
Misconfiguration can open a security flaw in even the most rock-solid systems. This can cause major data leaks, especially when the system is a public-facing database. On Jan. 25, 2018, a security researcher discovered that a database owned by a Long Island medical practice had been misconfigured and left publicly available. This revealed the medical information of more than 42,000 patients, including more than 3 million “medical notes” such as a doctor’s observations. Accessing the information required only knowing the server’s IP address.
In March 2018, a nonprofit healthcare conglomerate based in St. Louis notified 33,420 patients affected by a data leak caused by a server misconfiguration. The leak publicly exposed scanned images of patient driver’s licenses, insurance cards, and medical documents.
Spectre and Meltdown
On Jan. 3, 2018, security researchers revealed two security vulnerabilities present in billions of systems worldwide. Known as Spectre and Meltdown, they are among the most widespread data security flaws ever discovered. In short, the flaws are related to how most modern processors handle data. When exploited, they can allow an attacker to bypass data access controls and steal sensitive data – including data from the kernel or other applications.
What Can You Do About It?
You need an IT support partner who thoroughly understands both HIPAA compliance and network security, as they have to work in tandem to keep your medical practice secure and clear of HIPAA violations. To learn more, call 678-389-6200 or see HIPAA Compliance and Network Security for Medical Practices.