“The typical health care facility is a complex IT environment,” Palmer says.
Denial-of-service attacks can be as disruptive to health care facilities as they are to any other organization. In 2014, a DDoS attack against Boston Children's Hospital made some online services, such as patient appointment scheduling, sporadically inaccessible. The circumstances around that attack were unusual because it was a protest involving a controversial custody case, but experts say DDoS attacks accompanied by ransom demands are on the rise. Attackers flood the networks, then promise to stop if the organization pays them to go away.
IT basics matter
Consider endpoint security in health care organizations. Keeping these endpoints up to date with the latest versions of operating systems, browsers, plugins, and installed applications is not a simple task. Some applications may rely on Flash or Java, which are commonly targeted by malicious adversaries.
A recent analysis by authentication provider Duo Security found that twice as many health care endpoints have Flash installed and three times as many have Java, compared to endpoints in non-health-care organizations.
The common recommendation -- to uninstall Flash and Java from client machines -- doesn’t take into account the fact that many custom applications within the sector require Flash or Java. Many popular electronic health care record (EHR) systems and identity access and management software supporting e-prescriptions require Java, for example.
A different analysis by Forcepoint found that health care organizations are 376 percent more likely to see Dropper (malware that backdoors compromised machines for further attacks) than non-health-care organizations.
Duo’s analysis also found that nearly half of health care providers use Internet Explorer 11 or older, exposing those systems to various attacks. Health care organizations are also more likely than other industry sectors to still have Windows XP systems. The presence of outdated software partly explains why health care organizations are more likely to see certain types of attacks.
“This type of landscape can cause the perfect cybersecurity storm,” says Grayson Milbourne, security intelligence director at Webroot.
Basic IT practices, such as asset inventory, patch and configuration management, and network security, are critical in this kind of heterogeneous environment. A complete inventory lets IT know which systems actually run the applications that require Flash or Java, so that IT can uninstall Flash and Java (and unused instances of custom applications) on the remaining systems.
Regularly patching and updating Flash, Java, the Web browser, operating system, and other applications ensures these security holes can’t be targeted by Web-based attacks. Many exploit kits target zero-day vulnerabilities in Flash and Java, so IT needs to evaluate which systems really require Internet access. Uninstalling the Web browser on machines that still need to be networked can reduce the possibility of infection via a Web-based attack. There is no good reason to have a Web browser installed on a machine monitoring fetal heartbeat, for example.
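As an added illustration (not from the article or from any vendor's tooling), the Python example below turns an asset inventory into per-endpoint actions along the lines described above: keep and patch Flash or Java only where an application in active use needs it, remove unused custom applications, and remove the browser from machines that do not need Internet access. The application names, the dependency map and the inventory rows are all constructed for the example.

```python
import csv
import io

# Constructed dependency map (hypothetical app names): custom app -> runtimes it needs.
APP_REQUIRES = {
    "ehr-client": {"java"},
    "eprescribe-iam": {"java"},
    "training-portal": {"flash"},
}
RISKY_RUNTIMES = {"flash", "java"}

# Constructed sample inventory; list-valued fields are ';'-separated.
SAMPLE_INVENTORY = """host,installed,apps_in_use,needs_internet
nurse-ws-01,java;flash;browser;ehr-client;training-portal,ehr-client,yes
pharm-ws-02,java;browser;eprescribe-iam,eprescribe-iam,yes
fetal-mon-03,java;flash;browser,,no
frontdesk-04,flash;browser;ehr-client,,yes
"""

def split(field):
    """Parse a ';'-separated field into a set of lower-case names."""
    return {item.strip().lower() for item in field.split(";") if item.strip()}

def plan(inventory_csv):
    """Return {host: sorted list of actions} for each inventoried endpoint."""
    actions = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        installed, in_use = split(row["installed"]), split(row["apps_in_use"])
        # Runtimes justified by an application that is actually used on this host.
        needed = set().union(*(APP_REQUIRES.get(app, set()) for app in in_use & installed))
        todo = []
        for rt in installed & RISKY_RUNTIMES:
            todo.append(f"patch {rt}" if rt in needed else f"uninstall {rt}")
        # Custom applications that are installed but unused are removed as well.
        for app in (installed & set(APP_REQUIRES)) - in_use:
            todo.append(f"uninstall {app}")
        if "browser" in installed and row["needs_internet"].strip().lower() != "yes":
            todo.append("uninstall browser")
        # A used app whose runtime is absent from the inventory points to an inventory gap.
        for rt in needed - installed:
            todo.append(f"review: {rt} required but not inventoried")
        actions[row["host"]] = sorted(todo)
    return actions

if __name__ == "__main__":
    for host, todo in plan(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(todo))
```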