Posted by Rick Reid, Healthcare Marketing Manager
Aruba, a Hewlett Packard Enterprise company
For many years, healthcare records have been extremely valuable to the criminal world. In 2014, it was reported that healthcare records were 10x more valuable than standard financial data, as the opportunity for identity theft and medical fraud using those stolen records was much higher. Despite a fairly steady drop in the black-market price of medical records since then, they are still a high-value hacking target, and incidents are still being reported. The drop in value has precipitated an increase in ransomware, which encrypts target files and demands a sum of money from the owner for the key needed to decrypt them. From the attacker's point of view this has the advantage of not having to exfiltrate the files or figure out how to sell them afterwards.
2016 saw an increase in the public visibility of ransomware attacks, with several high-profile incidents reported in the healthcare space. A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016, a 300% increase over the attacks reported in 2015. Repercussions of a successful infiltration include a compromised ability to provide care, financial losses if and when the ransom is paid, public relations damage when the incident becomes public, and possible HIPAA violation penalties.
Typical attack vectors for both record theft and ransomware rely on users doing something with a personal or corporate device connected to the hospital network, such as visiting a compromised web page or opening a suspect attachment. Clinicians, staff, patients and visitors need to be educated to do their part in preventing their devices from becoming the next point of attack.
Hospitals also have to deal with a growing attack surface as more and more biomedical devices connect to the network. There are over 10,000 different types of medical devices, and most of them are network-connected today. An individual hospital will have hundreds, even thousands, of such devices, each with its own network and security configuration.
Onboarding biomed devices to the network, both wired and wireless, poses challenges for network security. Most are not 802.1X capable and rely on older, less secure protocols for wired and wireless network access. Biomed devices don’t have usernames and passwords, and no person initiates the network connection: they send and receive data autonomously.
Network access control solutions, like Aruba ClearPass, help healthcare organizations manage what can connect to the network and what can be accessed once connected. ClearPass admits devices onto the network securely and then assigns privileges appropriate to their function. Clinician devices are allowed to connect to patient scheduling systems, for example, while biomed devices cannot.
How do you protect the network when a medical device is compromised, is authenticated, establishes a connection, and then begins malicious activity? Aruba Exchange allows integration partners like Attivo Networks to detect and stop attacks before they can create a problem. The Attivo ThreatMatrix Platform sets traps for malicious intruders using deception decoys and lures, so that the attacker goes after the trap rather than a real corporate asset.
Once the attacker takes the bait and a potential threat is identified, Attivo generates an alert and tells ClearPass to disconnect or quarantine the compromised device. From there the security team can track down the owner and investigate further, whether the device is a server, an end user’s laptop, or a biomedical device. Attivo shares relevant attack information, including attack signatures, which nodes are infected, and overall activity, which accelerates defense and mitigation.
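The two mechanisms described above, role assignment at connect time and quarantine triggered by a deception alert, can be illustrated with a small policy engine. The following Python is an added example written for this post; it is not ClearPass or Attivo code, and the role names, policy table, biomed inventory, MAC addresses and alert format are all constructed for illustration. It goes slightly beyond the text in one respect: a headless device that authenticates by MAC alone is cross-checked against its inventory profile, and a mismatch is sent straight to quarantine rather than given the biomed role.

```python
"""Toy NAC policy engine: role assignment at connect time plus alert-driven quarantine.
Added example, not vendor code. All identifiers and sample values are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Per-role access policy: the network services a role may reach. Constructed values.
ROLE_POLICY = {
    "clinician":  {"patient-scheduling", "ehr", "internet"},
    "biomed":     {"biomed-telemetry"},
    "guest":      {"internet"},
    "quarantine": {"remediation-portal"},
}

# Inventory used for MAC-based authentication of headless devices that cannot do 802.1X.
# Maps MAC address -> expected device profile. Constructed sample entries.
BIOMED_INVENTORY = {
    "00:1A:2B:3C:4D:5E": "infusion-pump",
    "00:1A:2B:3C:4D:5F": "patient-monitor",
}


@dataclass
class Device:
    mac: str
    dot1x_identity: Optional[str] = None  # username from 802.1X; None for headless devices
    profile: str = "unknown"              # fingerprint observed on the wire (DHCP, OUI, etc.)
    role: str = "quarantine"              # default-deny until a role is assigned
    history: list = field(default_factory=list)


def assign_role(dev: Device) -> str:
    """Decide a device's role when it connects and record the decision."""
    mac = dev.mac.upper()
    if dev.dot1x_identity:
        role = "clinician"                # authenticated user behind the device
    elif mac in BIOMED_INVENTORY:
        # MAC-only authentication is weak, so cross-check the observed profile against
        # the inventory; a mismatch may be a spoofed MAC and goes to quarantine.
        role = "biomed" if BIOMED_INVENTORY[mac] == dev.profile else "quarantine"
    else:
        role = "guest"                    # unknown device gets internet only
    dev.role = role
    dev.history.append(f"connect -> {role}")
    return role


def is_allowed(dev: Device, service: str) -> bool:
    """Enforce the role's access policy for one destination service."""
    return service in ROLE_POLICY.get(dev.role, set())


def handle_decoy_alert(sessions: dict, alert: dict) -> Optional[Device]:
    """Act on an alert from a deception platform: whatever touched a decoy is quarantined.
    Returns the affected device, or None if the source MAC has no active session."""
    dev = sessions.get(alert["source_mac"].upper())
    if dev is None:
        return None
    dev.role = "quarantine"
    dev.history.append(f"decoy {alert['decoy']} touched -> quarantine")
    return dev


def demo() -> dict:
    """Connect four constructed devices, then process one constructed decoy alert."""
    laptop = Device("AA:BB:CC:00:00:01", dot1x_identity="dr.smith", profile="windows-laptop")
    pump = Device("00:1A:2B:3C:4D:5E", profile="infusion-pump")
    phone = Device("AA:BB:CC:00:00:02", profile="android-phone")
    spoof = Device("00:1A:2B:3C:4D:5F", profile="linux-laptop")  # claims a monitor's MAC
    sessions = {}
    for d in (laptop, pump, phone, spoof):
        assign_role(d)
        sessions[d.mac.upper()] = d
    # Constructed alert in the shape a deception platform might send: the pump reached a decoy.
    alert = {"source_mac": "00:1a:2b:3c:4d:5e", "decoy": "fake-file-server-01"}
    handle_decoy_alert(sessions, alert)
    return sessions


if __name__ == "__main__":
    for mac, d in demo().items():
        print(mac, d.role, d.history)
```

Running the block shows the laptop in the clinician role, the phone as guest, the device with the borrowed monitor MAC quarantined at connect time, and the infusion pump demoted from biomed to quarantine after the decoy alert, so `is_allowed(pump, "biomed-telemetry")` flips from true to false. In a real deployment the alert would arrive from the deception platform over an API and the role change would be pushed to the switch or controller; here both are simulated in memory.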
Patient record theft and ransomware have proven to be lucrative markets for attackers and aren’t going away soon. As healthcare transitions to digital health models, with clinicians and staff relying on mobile tools to provide care and smart medical devices becoming the norm, it is increasingly important to protect your network against all kinds of attacks. A comprehensive security strategy should include controlling how devices connect to the network, as well as making sure that malicious code, once on the network, is identified and quarantined as soon as possible.