Tired of FUD? How to manage three real threats in healthcare security
The healthcare industry has been the target of several cyber-attacks in the last few years. According to a study by KPMG, 81 percent of healthcare organizations were compromised by cyber-attacks in 2013 and 2014. This comes as no surprise as the healthcare industry possesses some of its patients’ most personal and valuable information.
Healthcare security is especially difficult to manage due to the range of potential attack vectors. Three important security risks to examine are the expansion of ransomware, the increase in mobile device usage and, with it, the proliferation of mobile health apps.
Defense against new threat vectors
Healthcare organizations are increasingly falling prey to ransomware, which is malware that restricts access to computer systems and forces users to pay a ransom, typically $10,000 or more, to remove the infection. Since health records are extremely valuable, and they can’t be easily replaced like credit cards, they are prime targets for ransomware attacks. Recently, MedStar, the health network of 10 Maryland hospitals, was attacked by SAMSAM ransomware through a JBoss Web application server.
While MedStar was able to bring all of its systems back online without paying the ransom, valuable time and resources were diverted to gaining control of the situation. While ransomware comes in many forms and is not easy to prevent, risk can be greatly reduced by backing up your files regularly and applying security patches to software and applications.
Protecting mobile data
Most hospitals allow staff to use their own personal mobile devices, recognizing that BYOD brings communication and productivity benefits. However, the practice puts sensitive data at risk and is a challenge to Health Insurance Portability and Accountability (HIPAA) compliance. Not only can a personal mobile device fall prey to datajacking, which is the illegal access and seizure of data in a mobile device through malware or a phishing email, but private information can also be seized through the physical loss or theft of the device itself.
First-generation solutions, like mobile device management (MDM), provide a persistent attack surface and can still be susceptible to malware attacks. For this reason, there are organizations turning to data-focused security, where the data, not the device, is the focal point of protection. The most popular data-focused approach is called virtual mobile infrastructure (VMI), which is a delivery model in which corporate mobile apps are hosted in a data center or secure cloud and delivered to a mobile device. With VMI, no data footprint is left on the device, so even if a device is found or stolen, the data remains protected.
Secure mobile app development
Mobile health apps serve a very important function for both healthcare professionals and patients, as well as users interested in monitoring their health. However, they’re also causing a lot of headaches. App developers must be cognizant of securing both the front-end and back-end of apps, as app binaries can be obtained through a mobile client to gain access to valuable information on the back-end. This was the key breakdown in the JP Morgan Chase hack that affected 76 million households. We, at Avast, also demonstrated this significant vulnerability to a major healthcare group by hacking their popular healthcare patient app and gaining access to entire medical records.
App developers must take full responsibility for the protection of their apps, not relying on Google Play or the Apple app store to guarantee their security. While there’s no one-size-fits-all approach to solving this growing problem, app developers need to make security a priority throughout the development process. There are also programs for testing apps for security flaws and vulnerabilities, so that the app can be tweaked accordingly before hackers can exploit them.
While healthcare security is a lot more nuanced and complicated than the three issues listed above, these issues illustrate how difficult it is to manage the security of a healthcare organization. With the tremendous value of health records, hackers will always try to steal this information through a variety of ways. Security is a constant process of education and proaction, and to be knowledgeable and up to date on vulnerabilities and solutions is vital to strong healthcare security management.