Covering Disruptive Technology Powering Business in The Digital Age

Home > DTA news > News > Healthcare not so healthy in preventing cyber attacks
Healthcare not so healthy in preventing cyber attacks
June 27, 2016 News

Cybercriminals are attacking the healthcare industry more than any other. Why? It’s a gold mine of privately identifiable information usually running on older, unpatched versions of Windows and ripe for being exploited through ransomware or data breaches.

Evidence of this is overwhelming:

  • IBM’s 2016 Cyber Security Intelligence Index states healthcare is now the number one target with more than 100 million healthcare records compromised.
  • The SANS Institute said healthcare’s major weakness was the mishmash of old end-point devices, mixed with IoT (healthcare monitors) all running on reasonably insecure Wi-Fi networks. “Exploited medical devices, conferencing systems, web servers, printers and edge security technologies all sending out malicious traffic from medical organisations. Some of these devices and applications were openly exploitable (such as default admin passwords).”
  • Ponemon Institute found 94% of medical institutions had either suffered or had an attempted attack.
  • Price Waterhouse Coopers survey showed that Australia had the highest level of detected cybersecurity incidents up 109%
  • In January, the Royal Melbourne Hospital discovered a virus on its Windows XP computers (iTWire report here) interfering with the delivery of meals and pathology results. Its IT team was unable to successfully shut down the virus as it continued to mutate, forcing pathology staff to adopt manual processes.
  • A recent survey by Healthcare IT News and HIMSS Analytics, revealed that more than 50% healthcare organisations said they had been attacked but a further 25% would not know if they were attacked. When asked if they would pay ransomware to get up and running, only 4.9% said no.
  • The global move to digitise health records means the records contain not only medical data but social security numbers, healthcare numbers, addresses, contact details, even financial details

I could add numerous reports from all the major antivirus/malware and networking companies, but I think you get the drift.

It is a case of physician heal thyself or at least pay experts to do it for you. I spoke to Tim Blombery, chief solutions strategist, ANZ – A10 Networks about the issues. He has a 20-year history in networks and security, starting in VMS/NT support at Transfield in the mid 90s and working extensively in Europe and the UK before a stint at Juniper Networks and now A10. There is not much he does not know about networks and their protection.

Why is healthcare an attractive target?

Patient data is crucial in life-and-death situations; so healthcare organisations don’t have the luxury of holding out on paying ransoms.

Non-IT healthcare workers may have lower cybersecurity awareness and are less likely to recognise attacks because hospitals focus on protecting patient privacy.

Healthcare workers who manage urgent patient care in emergency situations are focusing only on trying to do the job at hand. Those types of employees are not considering if they should click on a link, how strong their password is, or if they are authenticating properly, etc. Because of this, adoption of advanced security controls is significantly lower across in this space.

Blombery acknowledges that the mishmash of operating systems, IoT devices and networks is par for the course in healthcare so it needs a different solution for endpoint protection. He says the best way is to secure the perimeter of healthcare organisations via SSL traffic inspection. But there are issues with that too.

Healthcare security professionals are adopting SSL encryption and agree that it is necessary for patient privacy protection, but hackers are now using it to their advantage. Malware can be easily concealed in encrypted traffic to bypass security controls. Since eight of the top 10 websites use encrypted traffic — Facebook, LinkedIn, Google, YouTube — it creates a massive vulnerability. Once ransomware gets into a system or network — particularly a disparate older networks — via malware embedded in email attachments or drive-by download it becomes incredibly difficult to mitigate.

The Australian government has addressed this specific problem as part of the prime minister’s cyber security strategy. In the cyber defence section, the Australian Signals Directorate describes the third stage of a targeted cyber intrusion: ‘Cyber adversaries use available network protocols and ports allowed by an organisation’s gateway firewall, such as encrypted HTTPS/SSL …’

Blind spots are still evident in most systems

Many firewalls are not capable of providing the depth of protection required to mitigate encrypted traffic. Intrusion detection systems (IDS)/intrusion prevention systems (IPS), network monitoring and other traditional defences can’t inspect encrypted traffic. Close to 70% of current Web traffic is encrypted.

The fact is that 80% of organisations with firewalls, IPS or unified threat management (UTM) appliances do not decrypt SSL traffic. One report showed that when SSL is inspected, the average performance of seven leading next-generation firewalls (NGF) decreased an average of 81% when decrypting SSL traffic with 2048-bit keys.

Why is SSL decryption so critical?

When ransomware is installed, it reaches out to a command and control server (C&C) to obtain an encryption key. This communication can be hidden in encrypted SSL traffic to avoid detection. However, SSL decryption exposes the communication so security controls can stop ransomware before it can receive the key needed to perform the encryption, pre-emptively stopping the attack.

Tips for prevention?

The Pharmacy Guild of Australia is actively encouraging their constituency to upgrade security and push encryption as a necessary protocol. While this is a step in the right direction, it fails to address the potential for blind spots created by SSL traffic. This simply underlines the lack of awareness about SSL vulnerabilities.

Only SSL inspection can remove blind spots to stop attacks before they begin. SSL inspection is the solution to the next big cybersecurity challenge. Naturally, A10 has SSL inspection on some ofits products.

This article was originally published on and can be viewed in full