Internet of Things to Complicate Compliance.

When evaluating security, organizations must evaluate every device that is connected to the Internet, whether directly or through the company's network. This includes everything from radiology software systems, to VPNs, to video conferencing equipment, to printers and faxes. The more devices that are connected, the more difficult this process becomes. The move to the Internet of Things is sure to exacerbate this problem as organizations have that many more devices to monitor and control. Healthcare providers should take steps to prepare now by enrolling their devices into device management programs, taking stock of devices that are owned by the company or owned by employees but used for company purposes (e.g., smartphones, tablets, etc.), and implementing processes to receive and address security incident warnings from those outside of an organization, who may not be business associates.

In February 2014, the SANS Institute, with support from Norse, published a report summarizing findings from a year-long analysis of cybersecurity threats in the healthcare industry. The amount of data collected was specific to the healthcare industry:
During the sample period [(September 2012 and October 2013)], the Norse threat intelligence infrastructure—a global network of sensors and honeypots that process and analyze over 100 terabytes of traffic daily—gathered data. The intelligence data collected for this sample included:
  • 49,917 unique malicious events
  • 723 unique malicious source IP addresses
  • 375 U.S.-based compromised health care-related organizations [1]
The organizations that were compromised varied in size and financial resources:
About a third of the organizations represent small providers, while the rest represented clearinghouses, health plans, pharmaceutical companies and other types of medical organizations. Some of these providers were also quite large, with renowned research centers and teaching hospitals among the sources sending out the malicious packets. [2]
Interestingly, while most of the largest data breaches reported to the HHS Office of Civil Rights to date involved business associates, SANS found that a large percentage of the malicious IP traffic emanated from healthcare providers, with covered entities accounting for 78.6% of the compromised organizations:
  • Health care providers—72.0% of malicious traffic
  • Health care business associates—9.9% of malicious traffic
  • Health plans—6.1% of malicious traffic
  • Health care clearinghouses—0.5% of malicious traffic
  • Pharmaceutical—2.9% of malicious traffic
  • Other related health care entities—8.5% of malicious traffic [3]
Most strikingly, SANS noted:
Many of the organizations were compromised and, therefore, out of compliance for
months, and some for the duration of the study—meaning they never detected their compromises or outbound malicious communications, nor did they acknowledge warnings from the Norse response team.[4]
While it seems surprising that any organization would ignore a direct notice of an on-going security compromise, particularly an organization trusted with sensitive healthcare data, it is not unheard of (see e.g., the pending FTC case against LabMD, which was allegedly brought to the FTC by a security firm, and the FTC settlement with HTC America, where the FTC alleged that HTC ignored vulnerability reports from security experts [5]). But, as we continue to see data breaches in the healthcare space as well as healthcare providers becoming the victims of cyberattackssuch as the attacks against each of Anthem Inc. and Premera Blue Cross—healthcare providers will need to implement stronger policies and procedures to ensure that security warnings are not ignored.

These monitoring programs must include all systems and devices on the organizations' infrastructure. In its analysis, SANS evaluated the types of systems and devices emanating malicious traffic and found a wide variety of systems and edge devices. See Figure 1 below[6]. Many of these devicesparticularly network-connected edge devices such as printers, faxes, web cameras, and video conferencing systems are often overlooked as the source of security vulnerabilities, despite being recognized as potential entry points for hackers and cybercriminals.[7]



Specifically:
  • Connected medical endpoints. The findings of this study indicate that 7 percent of traffic was coming from radiology imaging software, another 7 percent of malicious traffic originated from video conferencing systems, and another 3 percent came from digital video systems that are most likely used for consults and remote procedures. . . .
  • Internet-facing personal health data. The study shows 8 percent of malicious
    traffic was emitted through a web-based call center website, backed by a VoIP PBX,
    in use by a medical supply company. Also we found indications of a compromised
    personal health record (PHR) system. . . .
  • Security systems and edge devices. In this study, most of the malicious traffic passed through or was transmitted from VPN applications and devices (33 percent), whereas 16 percent was sent by firewalls, 7 percent was sent from routers and 3 percent was sent from enterprise network controllers (ENCs). This indicates that the security devices and applications themselves were either compromised, which is a common tactic among malware families, or that these “protection” systems are not detecting malicious traffic coming from the network endpoints inside the protected perimeter—inside the firewall or behind the VPN concentrator. . . . [8]
When evaluating security, organizations must take a broad look at their environment and consider any network-connected device a potential source of a security vulnerability.


-------------------------------------
[1] Barbara Filkins, Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon, SANS Institute Whitepaper, 3, Feb. 2014.

[2] Id.

[3] Id.

[4] Id.

[5] LabMD Inc. v. Tiversa Holding Corp. et al., Case No. 2:15-cv-00092, U.S. District Court for the Western District of Pennsylvania (Jan. 21, 2015); Press Release, Federal Trade Commission, HTC America Settles FTC Charges It Failed to Secure Millions of Mobile Devices Shipped to Consumers: Company Required to Patch Vulnerabilities on Smartphones and Tablets, Feb. 22, 2013, https://www.ftc.gov/news-events/press-releases/2013/02/htc-america-settles-ftc-charges-it-failed-secure-millions-mobile.

[6] Filkins, supra note 1, at 8.

[7] Nicole Perlroth, Cameras May Open Up the Board Room to Hackers, NYTimes.com, Jan. 22, 2013, https://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html

[8] Filkins, supra note 1, at 7.

-------------------------------------

Posted by Tatiana Melnik on March 28, 2015