FBI warns against growing healthcare cyber risk
The mandatory transition from paper to electronic health records (EHR) will inevitably lead to an increase in cyber intrusions against healthcare systems—including medical devices—due to lax cybersecurity standards, and a higher financial payout for medical records in the black market.

Those are the key points highlighted in a private industry notification issued by the FBI. The document points out that the deadline to transition to EHR is January 2015. The resulting influx of new EHR, coupled with more medical devices being connected to the internet, will generate a rich new environment for cyber criminals to exploit.

“According to open source reporting from SANS, Ponemon, and EMC²/RSA, the healthcare industry is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs),” it states.

“The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”

The notification cites a SANS report dated February 2014, which indicates health care security strategies and practices are poorly protected and ill-equipped to handle new cyber threats exposing patient medical records, billing and payment organizations, and intellectual property.

“Data analysis revealed multiple devices (e.g., radiology imaging software, digital video systems, faxes, printers) and security application systems (e.g. Virtual Private Networks (VPN), firewalls, and routers) were compromised,” states the notification.

“Once medical devices are compromised, malicious traffic is transmitted through VPNs and firewalls. The biggest vulnerability was the perception of IT health care professionals’ beliefs that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise.”

It also cites the Ponemon Institute’s report of March 2013, which found that 63% of the health care organizations surveyed reported a data breach in the past two years, with an average monetary loss of $2.4 million per data breach. Most of these breaches resulted in the theft of information assets. Lastly, 45% reported that their organizations have not implemented security measures to protect patient information.

Further evidence is drawn from an EMC²/RSA White Paper published in 2013, which indicated that in the first half of 2013 over two million health care records were compromised, accounting for 31% of all reported data breaches.

“Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number,” states the FBI notice. “EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.”
