11 Things the Health Care Sector Must Do to Improve Cybersecurity

https://hbr.org/2017/06/11-things-the-health-care-sector-must-do-to-improve-cybersecurity

No industry or sector is immune to hacking. That reality was made painfully clear in mid-May, when a cyberattacker using WannaCry ransomware crippled health care institutions and many other kinds of organizations around the world. In 2015 over 113 million Americans' health records were exposed, and in 2016 the number was over 16 million.
Experian predicted that the health care sector would be the most heavily targeted vertical industry. A March 2017 report from the Identity Theft Resource Center indicated that more than 25% of all data breaches were related to health care. The estimated loss to the industry is $5.6 billion per year.

This article lists things that should be done to improve security. Other sectors can also look at these recommendations to see whether they would apply to them as well.

4 Comments

  1. Tomi Engdahl says:

    A Fact Check on Medical Device Security
    http://www.securityweek.com/fact-check-medical-device-security

    Worrisome Chicken Little or savvy observer of truth?

    This may have been your question while reading my previous article about the security of connected medical devices, “Sobering Thoughts When a Connected Medical Device Is Connected to You.” Did lying in a hospital bed, connected to an infusion pump like the one used by security researchers to demonstrate how breaching such a device could be used to administer a fatal dose of medicine, create unnecessary angst? Or, did it draw the facts into clear focus?

    Medical device network vulnerability

    Now let’s consider the network vulnerability of hospitals and other medical providers using that favorably timed news I mentioned. On Friday, May 12th, the WannaCry ransomware attack infected more than 230,000 computers in over 150 countries. The attack used two components: a propagation routine and a module used to perform extortion activities. The worm leveraged a Windows Server Message Block (SMB) vulnerability. This is a well-known attack tradecraft.

    An industry unprepared to defend

    We now have proof of network vulnerability and an actual documented attack in hand. Two points for the savvy observer. That leaves the actual vulnerability of the medical devices in question. In May 2017, the Ponemon Institute issued a report (PDF) titled “Medical Device Security: An Industry Under Attack and Unprepared to Defend,” addressing this very subject. In the interest of full disclosure, the report was sponsored by Synopsys, my employer.

    Some highlights include:

    • 67 percent of medical device manufacturers and 56 percent of HDOs believe an attack on a medical device built or in use by their organization is likely to occur over the next 12 months.

    • 80 percent of device makers and HDOs report that medical devices are very difficult to secure. The top reasons cited include lack of knowledge/training on secure coding practices and pressure on development teams to meet product deadlines.

    • Only 9 percent of manufacturers and 5 percent of HDOs say they test medical devices at least once a year. Meanwhile, 53 percent of HDOs and 43 percent of manufacturers do not test devices at all.

    The most compelling evidence for my case is that the report cites that “38 percent of respondents in HDOs say they are aware of inappropriate therapy/treatment delivered to the patient because of an insecure medical device and 39 percent of device makers confirm that attackers have taken control of medical devices.”

    https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/medical-device-security-ponemon-synopsys.pdf

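The comment above describes WannaCry's propagation routine: a worm that spread by exploiting an SMB vulnerability on other hosts, which on the network looks like one machine opening SMB (TCP/445) connections to many distinct peers in a short time. The following is an added example, not code from the article or from the commenter, of the kind of cheap behavioural detection a hospital SOC could run over connection logs to catch that fan-out before it crosses a ward. The log format ("epoch src dst dport proto") and the sample lines are constructed for this example, and the window and threshold values are assumptions to be tuned against a site's own baseline.

```python
"""Flag hosts with worm-like SMB fan-out in connection logs.

Added example, not from the article or its comments. Assumes a simplified
constructed log line format: "<epoch> <src> <dst> <dport> <proto>".
A source that reaches many distinct TCP/445 peers inside a short window is
the signature of SMB-borne worm propagation such as WannaCry's.
"""
from collections import defaultdict

SMB_PORT = 445
WINDOW_SECONDS = 60       # assumption: size of the sliding window
FANOUT_THRESHOLD = 20     # assumption: distinct SMB peers that trigger an alert


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return float(ts), src, dst, int(dport), proto


def smb_fanout(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: peak_distinct_dsts} for every source whose number of
    distinct TCP/445 destinations within any `window` seconds reaches
    `threshold`. Comment lines and blank lines are ignored."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if proto == "tcp" and dport == SMB_PORT:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()               # by timestamp
        peak, lo = 0, 0
        for hi in range(len(evs)):
            # slide the left edge until the window spans <= `window` seconds
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in evs[lo:hi + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def sample_log():
    """Constructed sample traffic: one benign SMB client, one worm-like
    host sweeping a /24 on 445, and one host doing unrelated HTTPS."""
    lines = ["# constructed sample: ts src dst dport proto"]
    # benign: a workstation alternating between two file servers for 10 minutes
    for i in range(10):
        lines.append(f"{1494581000 + i * 60} 10.0.1.20 10.0.1.5 445 tcp")
        lines.append(f"{1494581030 + i * 60} 10.0.1.20 10.0.1.6 445 tcp")
    # worm-like: one host touches 30 distinct neighbours on 445 in 30 seconds
    for i in range(1, 31):
        lines.append(f"{1494581200 + i} 10.0.5.17 10.0.5.{i} 445 tcp")
    # noise: many HTTPS connections from another host (not SMB, must not alert)
    for i in range(1, 31):
        lines.append(f"{1494581300 + i} 10.0.7.9 93.184.216.{i} 443 tcp")
    return lines


if __name__ == "__main__":
    for src, peak in smb_fanout(sample_log()).items():
        print(f"ALERT: {src} reached {peak} distinct SMB peers within {WINDOW_SECONDS}s")
```

On the constructed sample only 10.0.5.17 is reported; the workstation that talks to two file servers all day never exceeds two distinct peers, and the HTTPS host is ignored because the port filter is applied before counting. In a real deployment the same logic runs over Zeek conn.log or firewall exports, with the threshold set above the largest legitimate fan-out seen from backup and management hosts.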
  2. Tomi Engdahl says:

    Several Hospira Drug Pumps Use Vulnerable Software: Researcher
    http://www.securityweek.com/several-hospira-drug-pumps-use-vulnerable-software-researcher

    A researcher who has analyzed the software installed on infusion pumps manufactured by Hospira says several models are plagued by the vulnerabilities disclosed earlier this year.

  3. Tomi Engdahl says:

    UK Blames North Korea for Cyberattack That Crippled Hospitals
    http://www.securityweek.com/uk-blames-north-korea-cyberattack-crippled-hospitals

    Britain on Friday blamed North Korea for a ransomware attack this year that a new report revealed affected a third of English hospitals and could have been prevented with “basic” IT security.

    “This attack, we believe quite strongly that it came from a foreign state,” Ben Wallace, a junior minister for security, told BBC Radio 4′s Today programme.

    “North Korea was the state that we believe was involved in this worldwide attack,” he said, adding that the government was “as sure as possible”.

    The WannaCry attack in May infected some 300,000 computers in 150 countries, including in Britain’s National Health Service (NHS), Spanish telecoms company Telefonica and US logistics company FedEx.

    Britain’s National Audit Office revealed the attack had hit NHS England particularly hard, forcing the cancellation of some 19,500 medical appointments.

    Computers at 81 hospital groups across England were affected — a third of the total number of 236.

    Some 600 general practitioners were also affected.
