Healthcare organizations (HCOs) are facing a new threat. They are being targeted by financially motivated attackers who steal and sell valuable data -- including identities -- and computing resources. Armed with sophisticated tools, attackers exploit the countless software vulnerabilities that exist in the multitude of systems a provider relies upon, including web-based applications such as EHR/EMR systems. The consequences of an attack can include reductions in quality of care, service disruptions, reduced revenues, higher operating costs, and regulatory fines. Current security approaches, including network or perimeter defenses, do not adequately protect against this new threat and can be bypassed. It is imperative that healthcare organizations conduct a vulnerability assessment of their critical applications and evaluate intrusion prevention as a key compensating control to mitigate the growing risk.
1. Introduction
It's a typically busy morning at the hospital, with all operating rooms booked to capacity. Down in the ER, doctors are treating a steady stream of emergencies. Over in radiology, several patients are being prepped for MRIs. But at 8:35am, the day's steady rhythm is shattered. Something's wrong. The operating room doors won't open. Shortly after, the nurses in the ICU can't log onto the computers. At 9:05, pagers stop working. And by 11am, the MRI machine has crashed, leaving a waiting room of frustrated, anxious patients. Meanwhile, a thousand miles away, a middle-aged man sits alone at his PC, and smiles to himself, as the wreckage unfolds. A few keystrokes later and he's into the database of the hospital's EHR/EMR system, calmly extracting valuable data from thousands of patients that he'll quickly sell for a tidy profit.
Another Hollywood thriller, set in the distant future? Unfortunately not. Although this perfect storm of events is unlikely to occur in a single morning, this is the reality that healthcare providers operate in today. Healthcare organizations are being targeted by attackers.
2. The New Threat
Until recently, attention-seeking hackers were the main IT security threat to businesses, including healthcare organizations. They would write code, unleash it into cyberspace, and hope for their 15 minutes of fame. These types of mass attacks often had no particular target in mind; they would simply seek out vulnerabilities in a system (typically in operating systems and networks) and exploit them.
But that was when hackers and their motives were less dangerous. Recently though, security intelligence experts have detected "the tell-tale signs of organized crime gangs and government espionage in attacks, and a hacker community much more motivated by financial gain than personal or political fulfillment." (Forrester, "Increasing Organized Crime Involvement Means More Targeted Attacks", August 2, 2005)
Hackers have now become attackers who target particular organizations, groups, or users. Motivated by money, revenge, and perhaps in the future by terror, they take control of computing devices to steal identities and confidential data that can then be sold, to use those devices for illegal purposes like sending spam, or to disrupt operations and the delivery of services. And while some attackers might be faceless strangers on the other side of the world, others lurk within your midst. There is a significant risk from insiders -- employees, contractors and consultants -- who easily bypass perimeter security and other traditional IT security solutions.
Now that most HCOs have strong perimeter defenses including network firewalls, user authentication, configuration management, and data encryption, attackers have set their sights on the next most vulnerable part of your system: software applications.
3. Applications - The Heart of Your Healthcare Facility
HCOs increasingly rely on computerized systems and software applications. Large hospitals often have tens of thousands of computerized devices, ranging from diagnostic systems, like X-ray and MRI machines, to portable bedside monitors, wireless/telemetry monitors, clinical systems, wireless PCs, and enterprise servers. Each of these systems runs on software applications, many of which are commercial off-the-shelf (COTS) applications, while others are one-off, custom applications developed for a specific organization. It is not uncommon for an HCO to run hundreds of applications.
Without these systems, healthcare facilities simply cannot reliably provide the high-quality services they -- and their patients -- have come to expect.
"The FBI is investigating unauthorized changes made to a MySQL database that underlies an electronic medical record system at an Indiana-