Internet of Things to Complicate Compliance.
When evaluating security, organizations must evaluate every device that is connected to the Internet, whether directly or through the company's network. This includes everything from radiology software systems, to VPNs, to video conferencing equipment, to printers and faxes. The more devices that are connected, the more difficult this process becomes. The move to the Internet of Things is sure to exacerbate this problem as organizations have that many more devices to monitor and control. Healthcare providers should take steps to prepare now by enrolling their devices into device management programs, taking stock of devices that are owned by the company or owned by employees but used for company purposes (e.g., smartphones, tablets, etc.), and implementing processes to receive and address security incident warnings from those outside of an organization, who may not be business associates.
In February 2014, the SANS Institute, with support from Norse, published a report summarizing findings from a year-long analysis of cybersecurity threats in the healthcare industry. The amount of data collected was specific to the healthcare industry:
During the sample period [(September 2012 and October 2013)], the Norse threat intelligence infrastructure—a global network of sensors and honeypots that process and analyze over 100 terabytes of traffic daily—gathered data. The intelligence data collected for this sample included:The organizations that were compromised varied in size and financial resources:
About a third of the organizations represent small providers, while the rest represented clearinghouses, health plans, pharmaceutical companies and other types of medical organizations. Some of these providers were also quite large, with renowned research centers and teaching hospitals among the sources sending out the malicious packets. Interestingly, while most of the largest data breaches reported to the HHS Office of Civil Rights to date involved business associates, SANS found that a large percentage of the malicious IP traffic emanated from healthcare providers, with covered entities accounting for 78.6% of the compromised organizations:
Most strikingly, SANS noted:
Many of the organizations were compromised and, therefore, out of compliance forWhile it seems surprising that any organization would ignore a direct notice of an on-going security compromise, particularly an organization trusted with sensitive healthcare data, it is not unheard of (see e.g., the pending FTC case against LabMD, which was allegedly brought to the FTC by a security firm, and the FTC settlement with HTC America, where the FTC alleged that HTC ignored vulnerability reports from security experts ). But, as we continue to see data breaches in the healthcare space as well as healthcare providers becoming the victims of cyberattacks—such as the attacks against each of Anthem Inc. and Premera Blue Cross—healthcare providers will need to implement stronger policies and procedures to ensure that security warnings are not ignored.
These monitoring programs must include all systems and devices on the organizations' infrastructure. In its analysis, SANS evaluated the types of systems and devices emanating malicious traffic and found a wide variety of systems and edge devices. See Figure 1 below. Many of these devices—particularly network-connected edge devices such as printers, faxes, web cameras, and video conferencing systems are often overlooked as the source of security vulnerabilities, despite being recognized as potential entry points for hackers and cybercriminals.
When evaluating security, organizations must take a broad look at their environment and consider any network-connected device a potential source of a security vulnerability.
 Barbara Filkins, Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon, SANS Institute Whitepaper, 3, Feb. 2014.
 LabMD Inc. v. Tiversa Holding Corp. et al., Case No. 2:15-cv-00092, U.S. District Court for the Western District of Pennsylvania (Jan. 21, 2015); Press Release, Federal Trade Commission, HTC America Settles FTC Charges It Failed to Secure Millions of Mobile Devices Shipped to Consumers: Company Required to Patch Vulnerabilities on Smartphones and Tablets, Feb. 22, 2013, https://www.ftc.gov/news-events/press-releases/2013/02/htc-america-settles-ftc-charges-it-failed-secure-millions-mobile.
 Filkins, supra note 1, at 8.
 Nicole Perlroth, Cameras May Open Up the Board Room to Hackers, NYTimes.com, Jan. 22, 2013, https://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html
 Filkins, supra note 1, at 7.
Posted by Tatiana Melnik on March 28, 2015