healthcare – McAfee Blogs (https://securingtomorrow.mcafee.com) – Securing Tomorrow. Today.

Data Privacy and Security Risks in Healthcare
https://securingtomorrow.mcafee.com/business/data-security/data-privacy-and-security-risks-in-healthcare/
Published Thu, 18 Jul 2019 15:00:15 +0000

The post Data Privacy and Security Risks in Healthcare appeared first on McAfee Blogs.

Healthcare is a business much like all verticals I work with; however, it has a whole different set of concerns beyond those of traditional businesses. The compounding threats of malware, data thieves, supply chain issues, and the limited understanding of security within healthcare introduce astronomical risk. Walking through a hospital a few weeks ago, I was quickly reminded of how many different devices are used in healthcare—CT scanners, traditional laptops, desktops, and various other devices that could be classified as IoT.

Sitting in the hospital, I witnessed people reporting for treatment being required to sign and date various forms electronically. Then, on a fixed-function device, patients were asked to provide a palm scan for additional biometric confirmation. Credit card information, patient history, and all sorts of other data was also exchanged. In my opinion, patients should be asking, “Once the sign-in process is complete, where is the patient data stored, and who has access to it? Is it locked away, encrypted, or sent to the “cloud” where it’s stored and retrieved as necessary? If it’s stored on the cloud, who has access to that?” I do recall seeing a form asking that I consent to releasing records electronically, but that brings up a whole new line of questions. I could go on and on …

Are these challenges unique to healthcare? I would contend that at some level, no, they’re not. Every vertical I work with has compounding pressures based on the ever-increasing attack surface area. More devices mean more potential vulnerabilities and risk. Think about your home: You no doubt have internet access through a device you don’t control, a router, and many other devices attached to that network. Each device generally has a unique operating system with its own set of capabilities and with its own set of complexities. Heck, my refrigerator has an IP address associated with it these days! In healthcare, the risks are the same, but on a bigger scale. There are lives at stake, and the various staff members—from doctors, to nurses, to administrators—are there to hopefully focus on the patient and the experience. They don’t have the time or necessarily the education to understand the threat landscape—they simply need the devices and systems in the hospital network to “just work.”

Many times, I see doctors in hospital networks and clinics get fed up with having to enter and change passwords. As a result, they’ll bring in their personal laptops to bypass what IT security has put in place. Rogue devices have always been an issue, and since those devices are accessing patient records without tight security controls, they are a conduit for data loss. Furthermore, that data is being accessed from outside the network using cloud services. Teleradiology is a great example of how many different access points there are for patient data—from the referring doctor, to the radiologist, to the hospital, and more.

Figure 1: Remote Tele-radiology Architecture

With healthcare, as in most industries, the exposure risk is potentially great. The solution, as always, will come from identifying the most important thing that needs to be protected, and figuring out the best way to safeguard it. In this case, it is patient data, but that data is not just sitting locked up in a file cabinet in the back of the office anymore. The data is everywhere—it’s on laptops, mobile devices, servers, and now more than ever in cloud services such as IaaS, PaaS and SaaS. Fragmented data drives great uncertainty as to where the data is and who has access to it.

The security industry as a whole needs to step up. There is a need for a unified approach to healthcare data. No matter where it sits, there needs to be some level of technical control over it based on who needs access to it. Furthermore, as that data is traversing between traditional data centers and the cloud, we need to be able to track where it is and whether or not it has the right permissions assigned to it.

The market has sped up, and new trends in technology are challenging organizations every day. In order to help you keep up, McAfee for Healthcare (and other verticals) is focusing on the following areas:

  • Device – OS platforms—including mobile devices, Chrome Books and IoT—are increasingly locked down, but the steadily increasing number of devices provides other avenues for attack and data loss.
  • Network – Networks are becoming more opaque. HTTP is rarely used anymore in favor of HTTPS, so the need for a CASB safety net is essential in order to see the data stored with services such as Box or OneDrive.
  • Cloud – With workloads increasingly moving to the cloud, the traditional datacenter has been largely replaced by IaaS and PaaS environments. Lines of business are moving to the cloud with little oversight from the security teams.
  • Talent – Security expertise is extremely difficult to find. The talent shortage is real, particularly when it comes to cloud and cloud security. There is also a major shortage in quality security professionals capable of threat hunting and incident response.

McAfee has a three-pronged approach to addressing and mitigating these concerns:

  • Platform Approach – Unified management and orchestration with a consistent user experience and differentiated insights, delivered in the cloud.
    • To enhance the platform, there is a large focus on Platform Driven Managed Services—focused on selling outcomes, not just technology.
  • Minimized Device Footprint – Powerful yet minimally invasive protection, detection and response spanning full-stack tech, native engine management and ‘as a service’ browser isolation. This is becoming increasingly important as the typical healthcare environment has an increasing variety of endpoints but continues to be limited in resources such as RAM and CPU.
  • Unified Cloud Security – Spanning data centers, integrated web gateway/SaaS, DLP and CASB. The unification of these technologies provides a safety net for data moving to the cloud, as well as the ability to enforce controls as data moves from on-premise to cloud services. Furthermore, the unification of DLP and CASB offers a “1 Policy” for both models, making administration simpler and more consistent. Consistent policy definition and enforcement is ideal for healthcare, where patient data privacy is essential.

In summary, security in healthcare is a complex undertaking. A vast attack surface area, the transformation to cloud services, the need for data privacy and the talent shortage compound the overall problem of security in healthcare. At McAfee, we plan to address these issues through innovative technologies that offer a consistent way to define policy by leveraging a superior platform. We’re also utilizing sophisticated machine learning to simplify the detection of and response to bad actors and malware. These technologies are ideal for healthcare and will offer any healthcare organization long-term stability across the spectrum of security requirements.

80 to 0 in Under 5 Seconds: Falsifying a Medical Patient’s Vitals
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/80-to-0-in-under-5-seconds-falsifying-a-medical-patients-vitals/
Published Sun, 12 Aug 2018 00:00:03 +0000

The post 80 to 0 in Under 5 Seconds: Falsifying a Medical Patient’s Vitals appeared first on McAfee Blogs.

The author thanks Shaun Nordeck, MD, for his assistance with this report.

With the explosion of growth in technology and its influence on our lives, we have become increasingly dependent on it. The medical field is no exception: Medical professionals trust technology to provide them with accurate information and base life-changing decisions on this data. McAfee’s Advanced Threat Research team is exploring these devices to increase awareness about their security.

Some medical devices, such as pacemakers and insulin pumps, have already been examined for security concerns. To help select an appropriate target for our research, we spoke with a doctor. In our conversations we learned just how important the accuracy of a patient’s vital signs is to medical professionals. “Vital signs are integral to clinical decision making,” explained Dr. Shaun Nordeck. Bedside patient monitors and related systems are key components that provide medical professionals with the vital signs they need to make decisions; these systems are now the focal point of this research.

Exploring the attack surface

Most patient monitoring systems comprise at minimum two basic components: a bedside monitor and a central monitoring station. These devices are networked, wired or wirelessly, over TCP/IP. The central monitoring station collects vitals from multiple bedside monitors so that a single medical professional can observe multiple patients.

With the help of eBay, we purchased both a patient monitor and a compatible central monitoring station at a reasonable cost. The patient monitor tracked heartbeat, oxygen level, and blood pressure; it had both wired and wireless networking and appeared to store patient information. The central monitoring station ran Windows XP Embedded, had two Ethernet ports, and started in a limited kiosk mode. Both units were produced around 2004; several local hospitals confirmed that these models are still in use.

The two devices offer a range of potential attack surfaces. The central monitoring station operates fundamentally like a desktop computer running Windows XP, which has been extensively researched by the security community. The application running on the central monitoring station is old; if we found a vulnerability, it would likely be tied to the legacy operating system. The patient monitor’s firmware could be evaluated for vulnerabilities; however, this would affect only one of the two devices in the system and is the hardest vector to exploit. This leaves the communication between the two devices as the most interesting attack vector: if the communication could be compromised, an attack could be device independent and carried out remotely, affecting both devices at once. Given this possibility, we chose networking as the first target for this research. Dr. Nordeck confirmed that if the information passing to the central monitoring system could be modified in real time, this would be a meaningful and valid concern to medical professionals. Thus the primary question of our research became “Is it possible in real time to modify a patient’s vitals being transmitted over the network?”

Setup

When performing a vulnerability assessment of any device, it is best to first operate the device as originally designed. Tracking vital signs is the essence of the patient monitor, so we looked for a way to accurately simulate those signs for testing. Many hardware simulators are on the market and vary drastically in cost. The cheapest and easiest vital sign to simulate turned out to be a heartbeat. For less than $100 we purchased an electrocardiogram (ECG) simulator on eBay. The following image illustrates our test network:

In our test bed, the patient monitor (left), central monitoring station (right), and a research computer (top) were attached to a standard switch. The research computer was configured on a monitor port of the switch to sniff the traffic between the central monitoring device and the patient monitor. The ECG simulator was attached to the patient monitor.

Reconnaissance

With the network configured, we turned to Wireshark to watch the devices in action. The first test was to boot only the central monitor station and observe any network traffic.

In the preceding screenshot a few basic observations stand out. First, we can see that the central station is sending User Datagram Protocol (UDP) broadcast packets every 10 seconds with a source and destination port of 7000. We can also see clear-text ASCII in the payload, which provides the device name. After collecting and observing these packets for several minutes, we can assume this is standard behavior. Because the central station is running on a Windows XP Embedded machine, we can attempt to verify this information by doing some quick reverse engineering of the binaries used by the application. After putting several libraries into Interactive Disassembler Pro, it is apparent that the symbols and debugging information have been left behind. With a little cleanup and work from the decompilers, we see the following code:

This loop calls a function that broadcasts Rwhat, a protocol used by some medical devices. We also can see a function called to get the amount of time to wait between packets, with the result plugged into the Windows sleep function. This code block confirms what we saw with Wireshark and gives us confidence the communication is consistent.

Having gained basic knowledge of the central monitoring station, the next step was to perform the same test on the patient monitor. With the central station powered down, we booted the patient monitor and watched the network traffic using Wireshark.

We can make similar observations about the patient monitor’s broadcast packets, including the 10-second time delay and patient data in plaintext. In these packets we see that the source port is incrementing but the destination port, 7000, is the same as the central monitoring station’s. After reviewing many of these packets, we find that offset 0x34 of the payload has a counter that increments by 0xA, or 10, with each packet. Without potentially damaging the patient monitor, there is no good way to extract the firmware to review its code. However, the central monitoring station must have code to receive these packets. With a bit of digging through the central station’s binaries, we found the section parsing the broadcast packets from the patient monitor.

The first line of code parses the payload of the packet plus 12 bytes. If we count in 12 bytes from the payload on the Wireshark capture, we can see the start of the patient data in clear text. The next function called is parse_logical_name, whose second parameter is an upper limit for the string being passed. This field has a maximum length of 0x20, or 32, bytes. The subsequent code handles whether this information is empty and stores the data in the format logical_name. This review again helps confirm what we see in real time with Wireshark.

Now that we understand the devices’ separate network traffic, we can look at how they interact. Using our network setup and starting the ECG simulator we can see the central monitor station and the patient monitor come to life.

With everything working, we again use Wireshark to examine the traffic. We find a new set of packets.

In the preceding screen capture we see the patient monitor at IP address 126.4.153.150 is sending the same-size data packets to the central monitoring station at address 126.1.1.1. The source port does not change.

Through these basic tests we learn a great deal:

  • The two devices are speaking over unencrypted UDP
  • The payload contains counters and patient information
  • The broadcast address does not require the devices to know each other’s address beforehand
  • When data is sent, distinct packets contain the waveform

Attacking the protocol

Our reconnaissance tells us we may have the right conditions for a replay attack. Such an attack would not satisfy our goal of modifying data in real time across the network; however, it would provide more insight about the requirements and may prove useful in reaching our goal.

After capturing the packets from the simulated heartbeat, we attempted to replay the captures using Python’s Scapy library. We did this with the patient monitor turned off and the central monitoring station listening for information. After several attempts, this test was unsuccessful. This failure shows the system expects more than just a device sending data packets to a specific IP address.

We examined more closely the packets that are sent before the data packets. We learned that even though the packets are sent with UDP, some sort of handshake is performed between the two devices. The next diagram describes this handshake. 


In this fanciful dialog, CMS is the central monitoring system; PM is the patient monitor.

To understand what is happening during the handshake, we can relate each phase of this handshake to that of a TCP three-way handshake. (This is only an analogy; the device is not actually performing a TCP three-way handshake.)

The central monitoring station first sends a packet to port 2000 to the patient monitor. This can be considered the “SYN” packet. The patient monitor responds to the central station; notice it responds to the source port of the initial request. This can be considered the “SYN,ACK.” The central station sends the final “ACK,” essentially completing a three-way (or three-step) handshake. Directly following this step, the patient monitor sends another packet to the initial port of the “SYN” packet. The central monitor responds to the patient monitor on port 2000 with a new source port. Immediately following, we see the data packets being sent to the new source port, 3627, named in the previous exchange.

This examination provides insight into why the replay attack did not work. The central station defines for each connection which ports will be open for the incoming data; we need to consider this when attempting a replay attack. Modifying our previous Scapy scripts to account for the handshake, we retested the replay attack. With the new handshake code in place, the test still failed. Taking another look at the “SYN,ACK” packets provides a potential reason for the failure.

At offset 0x3D is a counter that needs to be incremented each time one of these packets is sent. In this case the patient monitor’s source IP address is embedded in the payload at offsets 0x2A and 0x30. This embedded IP address is not as important for this attack because during the replay our scripts can become the patient monitor’s IP; however, this will become more important later. The newly discovered counter needs to be accounted for and incremented.

Emulating a patient monitor

By taking these new findings into account our replay attack becomes successful. If we can observe a certain ECG pattern, we can play it back to the central monitoring station without the patient monitor on the network. Thus we can emulate the function of the patient monitor with any device. The following video demonstrates this emulation using a Raspberry Pi. We set our Scapy scripts to load after booting the Pi, which mimics the idle function of the patient monitor. When the central monitor requests information about the patient’s vitals, the Pi provides the station with an 80-beats-per-minute waveform. This also works with the other vital signs.

Impact of emulation

Although we have not yet reached our goal of real-time modification, we must consider the implications of this type of attack. If someone were to unplug the monitor of a stable patient and replace it with a device that continued to report the same stable vitals, would that cause any harm? Probably not immediately. But what if the stable patient suddenly became unstable? The central station would normally sound an alarm to alert medical personnel, who could take appropriate action. However, if the monitor had been replaced, would anyone know help was needed? The patient monitor also normally sounds alarms that might be heard in and outside of the patient’s room, yet if the monitor was replaced, those alarms would be absent.

In hospitals, nurses and other personnel generally make periodic checks even of stable patients. So any deception might not last long, but it might not need to. What if someone were trying to kidnap a patient? A kidnapper would alert fewer people than would be expected.

Switching from a real patient monitor to an emulator would cause a short loss in communication from the patient’s room to the central monitoring station. Is this enough to make the scenario unrealistic or not a threat? We asked Dr. Nordeck if a short loss in connection could be part of a reasonable scenario. “A momentary disconnection of the ECG would likely go unnoticed as this happens often due to patient movement or changing clothes and, as long as it is reconnected, will be unlikely to cause an alert,” he said.

Modifying vitals in real time

Although emulating the patient monitor is interesting, it did not accomplish our goal of making real-time modifications. Using what we learned while testing emulation, could we perform real-time injection? To answer this question, we must first understand the difference between emulation and real-time injection.

Emulation requires a deeper understanding of how the initial connection, the handshake, between the two devices occurred. When considering real-time modification, this handshake has already taken place. But an attacker would not know which port the data packets are being sent to, nor any of the other ports used in the data stream. Plus, because the real patient monitor is still online, it will constantly send data to the central monitoring station.

One way to account for these factors is to use Address Resolution Protocol (ARP) spoofing. If the patient monitor is ARP spoofed, then the attacker, instead of the central monitoring station, would receive the data packets. This step would allow the attacker to determine which ports are in use and stop the patient monitor’s data from getting to the central monitoring station. Because we have already shown that emulation works, the attacker simply has to send replacement data to the central station while appearing as the patient monitor.

For example, consider the following original packet coming from the patient monitor:

The patient monitor sends a packet with the patient’s heartbeat stored at offset 0x71 in the payload. The patient monitor in this screen capture is at IP address 126.4.153.150. An attacker can ARP spoof the patient monitor with a Kali virtual machine.

The ARP packets indicate that the central station, IP address 126.1.1.1, is at MAC address 00:0c:29:a1:6e:bf, which is actually the Kali virtual machine. Wireshark recognizes two MACs with the same IP address assigned and highlights them, showing the ARP spoof.

Next the attacker from the virtual machine at address 126.4.153.153 sends false information to the central monitoring station, still at address 126.1.1.1. In this example, offset 0x71 has been changed to 0x78, or 120. (The attacker could choose any value; the following demo videos use the heartbeat value 180 because it is more alarming.) Also notice the IP address stored in the payload, which we discovered during the reconnaissance phase. It still indicates this data is coming from the original patient monitor address, which is different from the IP address on the packet’s IP header. Due to this implementation, there is no need for the attacker to spoof their IP address for the attack to be successful.
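The two inconsistencies this section describes, an IP address claimed by more than one MAC in ARP traffic and a data packet whose IP-header source differs from the patient-monitor address embedded in its payload, are both things a network monitor on the medical VLAN or the central station itself could check mechanically. The following is an added, defender-side example in Python, not code from the original article or from the research team. The packet records are constructed to mirror the captures: the 126.x addresses and the MAC 00:0c:29:a1:6e:bf come from the article, while the central station's real MAC, the payload layout (the embedded IP at 0x2A and 0x30, as the article reports for the handshake packets, and the heartbeat byte at 0x71) and the helper names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Payload layout assumed for this example, taken from the offsets the
# article reports: the patient monitor's IP embedded at 0x2A and 0x30,
# the heartbeat value at 0x71. The total length is a constructed value.
EMBEDDED_IP_OFFSETS = (0x2A, 0x30)
HEARTBEAT_OFFSET = 0x71
PAYLOAD_LEN = 0x80


def build_payload(embedded_ip: str, heartbeat: int) -> bytes:
    """Constructed sample payload (not a real capture): zero-filled, with the
    monitor's IP at both embedded offsets and the heartbeat byte at 0x71."""
    buf = bytearray(PAYLOAD_LEN)
    packed = ipaddress.IPv4Address(embedded_ip).packed
    for off in EMBEDDED_IP_OFFSETS:
        buf[off:off + 4] = packed
    buf[HEARTBEAT_OFFSET] = heartbeat
    return bytes(buf)


def embedded_ips(payload: bytes) -> set:
    """Return the IP address(es) a data packet claims to come from."""
    return {str(ipaddress.IPv4Address(bytes(payload[off:off + 4])))
            for off in EMBEDDED_IP_OFFSETS}


def find_duplicate_arp_claims(arp_replies) -> dict:
    """arp_replies: iterable of (claimed_ip, sender_mac) as seen on the wire.
    Returns {ip: [mac, ...]} for every IP claimed by more than one MAC,
    the same condition Wireshark highlights as a duplicate-address warning."""
    claims = defaultdict(set)
    for ip, mac in arp_replies:
        claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def find_source_mismatches(packets) -> list:
    """packets: iterable of dicts with 'src_ip' (IP header) and 'payload'.
    Flags packets whose header source is not the monitor address embedded in
    the payload, which is exactly the trace an injected packet leaves behind."""
    findings = []
    for pkt in packets:
        claimed = embedded_ips(pkt["payload"])
        if pkt["src_ip"] not in claimed:
            findings.append({
                "header_src": pkt["src_ip"],
                "embedded": sorted(claimed),
                "heartbeat": pkt["payload"][HEARTBEAT_OFFSET],
            })
    return findings


# Constructed records mirroring the article's captures. 02:00:00:00:00:01 is a
# placeholder for the central station's real MAC, which the article does not give.
SAMPLE_ARP_REPLIES = [
    ("126.1.1.1", "02:00:00:00:00:01"),   # central station answering for itself
    ("126.1.1.1", "00:0c:29:a1:6e:bf"),   # a second claimant for the same IP
]

SAMPLE_DATA_PACKETS = [
    # genuine monitor: header source and embedded address agree, 80 bpm
    {"src_ip": "126.4.153.150", "dst_ip": "126.1.1.1",
     "payload": build_payload("126.4.153.150", 80)},
    # injected packet: header source differs from embedded address, 0x78 = 120 bpm
    {"src_ip": "126.4.153.153", "dst_ip": "126.1.1.1",
     "payload": build_payload("126.4.153.150", 0x78)},
]


if __name__ == "__main__":
    print("duplicate ARP claims:", find_duplicate_arp_claims(SAMPLE_ARP_REPLIES))
    print("source mismatches:", find_source_mismatches(SAMPLE_DATA_PACKETS))
```

Run against the sample records, the ARP check reports 126.1.1.1 with two MACs and the packet check reports one frame from 126.4.153.153 carrying a payload that claims 126.4.153.150. Neither check needs the protocol to be decoded beyond the offsets already known; both are cheap enough for a span-port sensor, and the second one is a validation the receiving station could perform before trusting a frame.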

Two videos show this modification happening in real time:


Impact of real-time modification

Although the monitor in the patient’s room is not directly affected, real-time modification is impactful because medical professionals use these central stations to make critical decisions on a large number of patients—instead of visiting each room individually. As long as the changes are believable, they will not always be verified.

Dr. Nordeck explains the impact of this attack: “Fictitious cardiac rhythms, even intermittent, could lead to extended hospitalization, additional testing, and side effects from medications prescribed to control heart rhythm and/or prevent clots. The hospital could also suffer resource consumption.” Dr. Nordeck explained that short changes to a heartbeat would generally trigger the nurse or technician monitoring the central station to page a doctor. The doctor would typically ask for a printout from the central station to review the rhythm. The doctor might also order an additional test, such as an EKG, to verify the rhythm. An EKG, however, would not likely capture an abnormal rhythm if it is intermittent, but the test might reveal an underlying cause for intermittent arrhythmia. Should the rhythm recur intermittently throughout the day, the doctor might make treatment decisions based on this erroneous printout.

The American Heart Association and American College of Cardiology publish guidelines that hospitals are to follow, including for “intermittent cardiac rhythms,” seen in this chart:

A decision tree for treating an intermittent heart rate. Source: American Heart Association.

The first decision point in this tree asks if the patient is hemodynamically stable (whether the blood pressure is normal). This attack does not affect the bedside monitor. A nurse might retake the patient’s blood pressure, which would be normal. The next decision point following the “Yes” path is a diagnosis of focal atrial tachycardia. Regardless of the medical terms and answers, the patient is issued medication. In the case of a network attack, this is medication the patient does not need and could cause harm.

Conclusion

This research from McAfee’s Advanced Threat Research team shows it is possible to emulate and modify a patient’s vital signs in real time on a medical network using a patient monitor and central monitoring station. For this attack to be viable, an attacker would need to be on the same network as the devices and have knowledge of the networking protocol. Any modifications made to patient data would need to be believable to medical professionals for there to be any impact.

During our research we did not modify the patient monitor, which always showed the true data; but we have proven the impact of an attack can be meaningful. Such an attack could result in patients receiving the wrong medications, additional testing, and extended hospital stays—any of which could incur unnecessary expenses.

Both product vendors and medical facilities can take measures to drastically reduce the threat of this type of attack. Vendors can encrypt network traffic between the devices and add authentication. These two steps would drastically increase the difficulty of this type of attack. Vendors also typically recommend that medical equipment is run on a completely isolated network with very strict network-access controls. If medical facilities follow these recommendations, attackers would require physical access to the network, greatly helping to reduce the attack surface.
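The two vendor measures named here, authentication of the data stream and resistance to replay, can be illustrated in a few lines. The following is an added example in Python, not the vendor's protocol and not McAfee's code: it assumes a per-session shared key, a frame consisting of a counter, a heartbeat byte and an HMAC-SHA256 tag, and helper names of my own. It shows that an unmodified frame is accepted, while a replayed frame, a frame with the heartbeat byte rewritten in flight, and a frame forged without the key are all rejected.

```python
import hashlib
import hmac
import struct

# Assumed frame layout for this illustration (not the vendor's format):
#   4-byte big-endian counter | 1-byte heartbeat | 32-byte HMAC-SHA256 tag
HEADER = struct.Struct(">IB")
TAG_LEN = hashlib.sha256().digest_size


def seal(key: bytes, counter: int, heartbeat: int) -> bytes:
    """Sender side: append an HMAC over counter||heartbeat so the receiver can
    verify both the value and its position in the stream."""
    body = HEADER.pack(counter, heartbeat)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class MonitorReceiver:
    """Receiver side: accepts a frame only if the tag verifies under the
    session key and the counter is strictly greater than the last one seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def accept(self, frame: bytes):
        """Returns ('ok', heartbeat) on success, or (reason, None)."""
        if len(frame) != HEADER.size + TAG_LEN:
            return ("bad_length", None)
        body, tag = frame[:HEADER.size], frame[HEADER.size:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return ("bad_tag", None)
        counter, heartbeat = HEADER.unpack(body)
        if counter <= self.last_counter:
            return ("replay", None)
        self.last_counter = counter
        return ("ok", heartbeat)


def run_scenarios() -> dict:
    """Plays the article's situations against the receiver and returns each outcome."""
    # Placeholder key for the demo; a real deployment provisions one per device/session.
    session_key = b"constructed-session-key-for-demo"
    receiver = MonitorReceiver(session_key)
    genuine = seal(session_key, 10, 80)     # counter steps by 10, as in the captures
    results = {"genuine": receiver.accept(genuine)}
    # Replay: a frame that was valid once is resent unchanged.
    results["replay"] = receiver.accept(genuine)
    # Modification: the heartbeat byte is rewritten in flight, tag left as-is.
    tampered = bytearray(genuine)
    tampered[HEADER.size - 1] = 180
    results["tampered"] = receiver.accept(bytes(tampered))
    # Emulation without the key: a well-formed frame built under a guessed key.
    results["forged"] = receiver.accept(seal(b"guessed-key", 20, 80))
    # The real monitor's next frame is still accepted.
    results["next"] = receiver.accept(seal(session_key, 20, 82))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:8s} -> {outcome}")
```

HMAC gives integrity and origin authentication but no confidentiality, so the article's first recommendation, encrypting the link (for example with TLS or DTLS, which also covers this replay counter), still applies; the counter must survive reconnects or be re-established inside an authenticated handshake, and per-device key provisioning is the operational cost that makes network isolation the complementary control rather than a substitute.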

One goal of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. Through responsible disclosure we aim to assist and encourage the industry toward a more comprehensive security posture. As part of our policy, we reported this research to the vendor whose products we tested and will continue to work with other vendors to help secure their products.

How McAfee Embedded Security Helps Medical Device Manufacturers Protect Their Products from Malware and Hacker Attacks
https://securingtomorrow.mcafee.com/other-blogs/mcafee-partners/mcafee-embedded-security-helps-medical-device-manufacturers-protect-products-malware-hacker-attacks/
Published Wed, 10 Jan 2018 17:00:37 +0000

The post How McAfee Embedded Security Helps Medical Device Manufacturers Protect Their Products from Malware and Hacker Attacks appeared first on McAfee Blogs.

Like other Internet of Things (IoT) devices, medical equipment is a vulnerable attack surface. By 2018, it’s expected that sales of medical devices will exceed 14 million units—more than five times the sales of 2012.[1] Network- and cloud-connected medical devices used in clinical settings—nurse stations, patient monitors, communications, networks, diagnostic devices, testing, scanning systems, blood gas analyzers, and more—are just as much at risk as healthcare IT networks, laptops, and tablets.

Typical attacks targeting such devices are ransomware, internal and external data exfiltration, distributed denial-of-service attacks, malware introduced via infected external memory devices, and network attacks. A single connected medical device can potentially be exploited to enable large-scale data theft.

Medical device manufacturers have a responsibility to secure their devices to prevent breaches and to protect the privacy of patient and healthcare facilities’ data. They must ensure their products conform to strict regulatory compliance mandates dictated by the Health Insurance Portability and Accountability Act (HIPAA) and the requirements for medical devices issued by the US Food and Drug Administration (FDA).

Healthcare information is rich in both financial and personally identifiable data, making it a highly profitable target for cybercriminals. In the black market, a health record can fetch as much as $60, compared to $15 for a Social Security number.[2] It’s estimated that approximately 100 million healthcare records were compromised just in the first quarter of 2015.[3] A recent study reveals that the average cost of a healthcare breach in 2016 was $4 million per incident—up 29% since 2013.[4]

Let’s take a look at the trajectory of a typical threat that targets poorly secured medical devices. The implications can be devastating, with the potential for costly data breaches.

  1. An employee (either inadvertently or with malicious intent) installs malware on a connected medical device via a USB drive.
  2. The malware connects the infected device to an external command and control server.
  3. The perpetrator wipes out the data and overwrites a server’s Master Boot Record.
  4. The server affects hundreds or thousands of devices, potentially disabling them.

McAfee helps medical device manufacturers thwart attacks and comply with strict regulatory mandates and requirements by providing an array of embedded security solutions, including application control with whitelisting, antivirus and anti-malware protection, device security management, advanced data protection, encryption, and simplified, streamlined device management. McAfee solutions can be customized to meet the design requirements for a manufacturer’s medical device.

Siemens Healthineers—a global leader in medical imaging, laboratory diagnostics, and healthcare information technology—recognizes that system security is a critical concern among healthcare providers and customers. They employ trusted McAfee embedded security and solutions to ensure that security is designed into their devices at the outset. The Siemens Ultrasound System Security is an embedded antivirus solution powered by McAfee that offers a comprehensive defense against unwanted applications, blocking both known and unknown threats. In addition, their RapidLab1200 blood gas analyzer uses McAfee whitelisting to secure the device and prevent unauthorized applications from running on it. To learn more about how network security can be breached via a medical instrument and how Siemens works with McAfee to protect patient data on blood gas analyzers, view this informational video created by Siemens.

To learn about McAfee solutions for embedded medical systems and ensure that your devices have the best possible security, visit: https://www.mcafee.com/us/resources/data-sheets/ds-embedded-control-for-healthcare.pdf.

 

[1] https://www.parksassociates.com/blog/article/dec2013-medical-devices

[2] http://arnoldit.com/wordpress/2017/01/10/medical-records-are-the-hot-new-dark-web-commodity/

[3] http://www.csoonline.com/article/2931474/data-breach/attackers-targeting-medical-devices-to-bypass-hospital-security.html

[4] http://fortune.com/2016/06/15/data-breach-cost-study-ibm/

 

How to Protect Your Child from Identity Theft in 8 Easy Steps
https://securingtomorrow.mcafee.com/consumer/family-safety/protect-child-identity-theft-8-easy-steps/
Tue, 27 Jun 2017 14:00:09 +0000

The post How to Protect Your Child from Identity Theft in 8 Easy Steps appeared first on McAfee Blogs.

With all the things to knock out on your parenting to-do list, when’s the last time you thought to monitor the status of your child’s identity? If you look at the growing risks, monitoring your child’s identity — starting as early as birth — could become as important as regular dental check-ups.

Identity fraud is at an all-time high with 15.4 million U.S. victims in 2016, up 16 percent, according to the latest Javelin Strategy study. An earlier Javelin report focusing on child identity theft estimated that 1 in 40 U.S. households with children under age 18 had at least one child whose personal information had been compromised by thieves.

Sadly, anyone with a name and a social security number (SSN) is prone to identity theft — yes, even our children. Identity thieves are increasingly using children’s SSNs since theft in this age group often goes undiscovered for extended periods of time, often until the child grows up and applies for a car or student loan. Thieves often use a child’s identity to apply for government benefits, to open bank and credit card accounts, apply for a loan or utility service, or rent a place to live.

These thieves don’t play favorites, and they have learned the hot spots for child identity data: schools, pediatrician offices, banks, mom’s purse, and home offices. A growing area of concern involves medical identity theft, which gives thieves the ability to access prescription drugs and even expensive medical treatments.

8 things parents can do:

  1. Educate your kids. Talk candidly to your child about identity theft and the fallout. Help your child understand the tricks of those who make a living stealing the identities of others. Instruct them to keep private information private and to ask you for permission before sharing personal information with anyone.
  2. Alert your kids to online scams. Identity thieves will befriend children online and chat them up for private information with the goal of using that information to steal their identity. Thieves are skilled at trolling social networks looking at user profiles for birth dates, addresses, and names of family members to piece together the identity puzzle.
  3. File a fraud alert. By submitting a fraud alert in your child’s name with the credit bureaus several times a year, you will be able to catch any credit fraud early. Since your child hasn’t built any credit, anything that comes back will be illegal activity. The fraud alert will remain in place for only 90 days. When the time runs out, you’ll need to reactivate the alert. You can achieve the same thing by filing an earnings report from the Social Security Administration. The report will reveal any earnings acquired under your child’s social security number.
  4. Know the warning signs. If a thief is using your child’s data, you may notice: 1) pre-approved credit card offers addressed to them arriving via mail; 2) collection agencies calling and asking to speak to your child; 3) court notices regarding delinquent bills. If any of these things happen, your first step is to call and freeze their credit with the three credit reporting agencies: Equifax, Experian, and TransUnion.
  5. Get security software. One safeguard against identity theft of any kind is full device security such as McAfee LiveSafe™ service.
  6. Be aware of data risks. Thieves can get your child’s information in several ways. For example, a family member may want to use a child’s identity to start over, or a parent may have a questionable girlfriend or boyfriend living in the home or visiting often. Another way information gets stolen is when a parent loses a wallet, purse, or personal paperwork that has a child’s SSN information on it. A digital security breach at a bank, pediatrician’s office, or business could also land your child’s information in criminal hands.
  7. Get fierce about protecting your child’s data. Draw a very thick line when it comes to sharing your child’s SSN as well as secondary information such as date of birth, address, and mother’s maiden name. Also, never carry your child’s (or your) physical Social Security card in your wallet or purse. Keep it in a safe place, preferably under lock and key, where thieves can’t find it. Only share your child’s data when necessary (school registration, passport application, education savings plan, etc.) and only with trusted individuals.
  8. Report theft. If you find a violation of your child’s credit of any kind, your first step is to call IdentityTheft.gov to report the crime and begin the process of restoring your child’s credit. This will include 1) filing a report with the FTC online or by calling 877-438-4338; 2) filing a police report; 3) contacting credit agencies and requesting the removal of all accounts, inquiries, and collection notices linked with your child’s name and SSN; 4) contacting creditors and requesting they close any account associated with your child’s SSN; 5) keeping a detailed journal of every person you contacted, the dates and times, and notes on each conversation.

This pro-active mindset can be a bit unnerving. However, with the current data spills, the weekly news regarding security breaches has started to lose its shock factor. Taking these few steps and getting fierce about data protection can save your child (and you) countless hours and even years of credit headaches. Identity theft can affect a job search, a mortgage rate, and sadly, even a victim’s self-esteem for years to come.


Toni Birdsong is a Family Safety Evangelist to McAfee

Over 7,000 Patients’ Data Compromised in Bronx Lebanon Hospital Data Breach
https://securingtomorrow.mcafee.com/business/7000-patients-data-compromised-bronx-lebanon-hospital-data-breach/
Fri, 19 May 2017 16:30:01 +0000

The post Over 7,000 Patients’ Data Compromised in Bronx Lebanon Hospital Data Breach appeared first on McAfee Blogs.

While all of us were focusing on the massive WannaCry ransomware attack that hit more than 150 countries last Friday, other breaches managed to fly under the radar, including one large data breach that impacted the Bronx Lebanon Hospital Center in New York City. The breach exposed the records of over 7,000 patients.

What kind of medical records were compromised? Unfortunately, a lot. Specifically, patients’ mental health and medical diagnoses, HIV statuses, sexual assault and domestic violence reports, as well as names, home addresses, and social security numbers. The actual length of time these records were left exposed is not known, but it seems that anyone who was a patient at the hospital between 2014 and 2017 is potentially at risk.

How did this breach happen? Some sources believe a misconfigured Rsync backup server hosted by the third-party records management vendor iHealth Solutions was left susceptible. This instance is indicative of a larger trend in the industry where institutions move to adopt new technology architectures, yet don’t take steps to protect the legacy systems that they transitioned from. Turning off access to that system does not equal a secure system, especially when it’s still connected on the network and not patched and maintained in the same way it used to be.

Here are a few takeaways to remember when building a security strategy and preventing future attacks:

1. Make data flows a priority.

Identifying data flows not only tells you what data is involved and who touches it (which can help with your Data Loss Protection and Identity Management initiatives); it also gives you visibility into which systems talk to each other and how. That is critical to know when architecting a security solution, as the initial vector of the attack and the final malware that exfiltrates data or impacts workflow often do not share the same technology protocols or application stacks.

2. Have a response strategy that involves your emergency management and risk group.

The former will aid in containing and recovering from the clinical and operational impact of the incident, while the latter is the conduit to your cyber liability insurance policy, which will be one of the resources providing services like incident response, call center management, lawsuit protections, etc.

3. Advise patients to get insurance providers involved.

While credit monitoring is helpful in response to a medical data theft scenario, it is good practice for impacted patients to follow up with their insurance providers, who can provide claim processing information to make sure patients are not victims of medical fraud. Additionally, prompt patients to update their passwords for patient portals with doctors, hospitals, and insurance companies.

To gain further insight on how to protect yourself from breaches like this and to stay up-to-date on all cybersecurity news, make sure to follow @McAfee and @McAfee_Business.

A New Angle on Cyber-attacks: Medical Conditions Become Targets
https://securingtomorrow.mcafee.com/business/new-angle-cyber-attacks-medical-conditions-become-targets/
Fri, 24 Mar 2017 21:06:39 +0000

The post A New Angle on Cyber-attacks: Medical Conditions Become Targets appeared first on McAfee Blogs.

When reading the news over the past few days, the following article posted by the Washington Post triggered something in me: ‘Seizure-inducing tweet leads to a new kind of prosecution’. In short, the case is about a journalist named Kurt Eichenwald, who suffers from epilepsy and received a Tweet late last year containing a flashing image. The journalist claimed to have suffered from a seizure due to the tweet. The actor’s motive for sending the Tweet containing the animated strobe image was revenge for a critical piece the journalist wrote on President Trump. He probably never thought of the possibility of being convicted for “aggressive assault with a deadly weapon”.

Figure 1: Picture of image sent to victim [source: justice.gov]
Normally, someone’s medical condition is not publicly available unless you openly discuss it on social media. But, I have to wonder, was this a one-of-a-kind situation or is this something we need to start becoming more aware of?

Last year, we reported several occasions of ransomware attacks targeting the healthcare sector, a sector that was formerly a no-go for most cybercriminals. Besides ransomware, 2016 was also the year where databases with patient records and PII were being offered on the underground markets (see our report).

What if someone buys a database from a hospital, selects all epileptic patients, combines it with other leaked data around social accounts, and sends an ‘extortion note’ to the hospital? I bet that gave you the same chills as it did me.

Past research by Barnaby Jack has demonstrated vulnerabilities in insulin pumps, and he was looking into pacemakers right before he passed away. What if vulnerabilities in these devices are matched up with leaked patient records?

I have no intention to scare you, but do want to create awareness around the possible scenarios that could develop if we are not paying attention. We need to work better together, discuss the risks, and unite to help. That way, we can truly protect and defend the vulnerable people in our society.

Doctoring Data: Why Cybercriminals Have Their Eye on Healthcare
https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/healthcare-data-cybercrime/
Fri, 20 Jan 2017 23:33:52 +0000

The post Doctoring Data: Why Cybercriminals Have Their Eye on Healthcare appeared first on McAfee Blogs.

Fun fact: your healthcare data is worth roughly 10 times as much as your credit card number. Well, to a cybercriminal at least. Why the value increase, you may ask? Insurance fraud—and a lot of it. Which translates to a lot of billing for fake treatments and stolen prescriptions. And before you write that off as someone else’s problem, remember the ramifications of stolen health data last longer and have a deeper effect than any other kind of stolen data.

So why does this kind of theft have such a powerful effect? First off, these transactions end up on your medical records, which could potentially result in a mistaken diagnosis, incorrect treatment, unnecessary delays—the list goes on. But the true value behind healthcare data not only lies behind the reaping of these tangible benefits, but in the data’s longevity.

Credit card companies can detect fraud and cancel a card in the blink of an eye. Healthcare data, however, connects policy numbers to employee numbers, which are difficult to change, leaving the control out of the hands of the insurer. Adding to this longevity is ambiguity. Is that an MRI for your arm, or fraud? Did you ask for this prescription, or did a cybercriminal? It’s impossible to know. Not to mention, it’s extremely difficult for providers to be able to determine fraud while still complying with HIPAA.

And though most healthcare attacks are against hospitals or insurance companies, that doesn’t mean that these attacks won’t directly impact you and your personal data. Additionally, that doesn’t mean that your personal devices won’t be targeted for compromise of this kind of healthcare data as well—as the increase in healthcare apps makes that data so readily available. And with the complications from this kind of breach seeming endless, it’s up to you to start taking preventative measures now, to protect yourself from this emerging type of identity theft.

For starters, here are a few tips and best practices to follow:

  • Maintain good password hygiene. There’s a password for everything these days, especially for accessing insurance information online. Therefore, don’t use the same passwords across online accounts, especially for apps that require self-identifying information, and make sure your logins are complex. Additionally, you can use a password manager to keep track of all of your unique credentials.
  • Regularly review activity. Similar to checking your credit card activity, routinely log in to your health insurance or benefit provider’s website and review recent activity. Make yourself aware of all activities listed, check the prescriptions and treatments ordered, and immediately flag anything that is suspicious or incorrect.
  • Look into a monitoring service. A monitoring service won’t, unfortunately, prevent your identity from being stolen or protect you from fraud, but it can provide early warning if it’s set to happen. Typical services scan for usage of personal info and mentions of your document numbers in criminal marketplaces, then alert you of anything that comes up.

And, of course, stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter.


Cyber-Attacks on Healthcare: Where Greed is More Powerful Than Ethics
https://securingtomorrow.mcafee.com/business/cyber-attacks-healthcare-greed-powerful-ethics/
Thu, 19 Jan 2017 21:03:03 +0000

The post Cyber-Attacks on Healthcare: Where Greed is More Powerful Than Ethics appeared first on McAfee Blogs.

This week, a group of cybercriminals lowered the ethics bar by extending their attacks on the healthcare sector, beyond providers such as hospitals and clinics, to a non-profit cancer support organization.

Little Red Door provides diagnostics, treatment, and supplies to under-served cancer patients. Sadly, this is just the latest example of hackers’ exploitation of the healthcare sector.

Last Friday, the computer systems of five hospitals in the UK’s Barts Health NHS Trust group were taken offline in response to a Trojan malware attack. Luckily, no patient data seems to have been taken, the virus has been quarantined, and most systems have since recovered from the attack (minus file-sharing). But the attacks were the latest notable reminder that legacy systems, a fragmented workforce, and inconsistent security defenses continue to put hospital cybersecurity in critical condition.

Why cybercriminals target healthcare

Last year, we saw a series of attacks on hospitals across the U.S. Hospitals have become a prime target because they usually operate legacy systems and medical devices with weak security, and they have a life-or-death need for immediate access to information. For instance, it appears Barts Health uses the unsupported Windows XP operating system.

But the trend also represents a notable shift in ransomware attackers’ focus from consumer to organizations with weak security. This new form of crime appears to be paying well. One ransomware developer posted a screenshot of his digital wallet that showed a balance of US$94 million, earned in about six months.

Why IoT medical devices pose an IT challenge

Ransomware attacks can target medical devices, which are more challenging to protect and clean up than servers and workstations. Recovering from these attacks not only includes the ransom payment but also the costs of downtime and system recovery. Some hospitals have experienced partial or complete network downtime of five to 10 days. McAfee’s Foundstone Incident Response team identified at least 19 hospital ransomware attacks during the first half of 2016, across six countries. Most of the hospitals that paid the ransom had no contingency plans for this type of event.

What we can do to protect healthcare IT systems

For Little Red Door, the organization decided not to play by the attackers’ rules, refusing to pay them, noting that its funds are intended to “help cancer patients and their families.”

For organizations seeking to avoid such choices, we recommend the following Top 10 list for protecting healthcare systems from malware infections and recovering promptly:

  • Develop an incident response plan, so that if your systems are compromised you can get back in operation quickly.
  • On general-purpose devices, keep the patches up to date. Many of the vulnerabilities exploited by these attackers have patches available.
  • Whitelist medical equipment to prevent unapproved programs from executing.
  • Do not rely on default settings for endpoint protection. Turn on advanced endpoint protections that can block malware executables from running.
  • Add or enhance your antispam filter. Most ransomware attacks use uncommon file formats, packed several levels into .zip files to evade detection, so make sure you are scanning for them.
  • Block unnecessary programs and traffic. Many ransomware control servers use Tor to get their encryption key. If you can block this traffic, you can stop the encryption process.
  • Use network segmentation to separate critical devices required for patient care from the general network.
  • Keep backups completely disconnected from the production network, so that ransomware payloads cannot corrupt your backup data.
  • Reduce or eliminate the use of local disks to store sensitive data. Secure network drives can be restored more quickly, assuming the backups are clean.
  • Almost one in 10 spam messages is still being opened, so ongoing user awareness training is critically important.
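As an added example (not McAfee’s code or any product’s filter), here is the check behind the antispam item in the list above: a Python scanner that walks a zip attachment and every zip packed inside it, flagging uncommon attachment types and encrypted members it cannot inspect. The extension set, depth limit, and the sample attachments are constructed for this example.

```python
import io
import os
import zipfile

# Attachment types a clinical mail gateway would rarely expect from outside;
# this set is an assumption for the example, not a McAfee or vendor default.
SUSPICIOUS_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe", ".wsf",
    ".hta", ".cmd", ".bat", ".ps1", ".jar", ".lnk", ".docm", ".xlsm",
}
MAX_DEPTH = 4                         # refuse to follow endless nesting
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # never inflate a member larger than this


def scan_zip_bytes(data: bytes, depth: int = 0, path: str = "") -> list:
    """Walk a zip archive and every zip found inside it, returning a list of
    (member_path, reason) findings. Inner archives are recognised by content
    (the local-file-header magic), so renaming report.zip to report.dat
    does not hide it from the scan."""
    findings = []
    if depth > MAX_DEPTH:
        findings.append((path, f"nested more than {MAX_DEPTH} levels"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append((path, "claims to be a zip but is not"))
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}" if path else info.filename
            ext = os.path.splitext(info.filename.lower())[1]
            if info.flag_bits & 0x1:
                # Password-protected member: the gateway cannot look inside it
                findings.append((member, "encrypted member, cannot be inspected"))
                continue
            if ext in SUSPICIOUS_EXTENSIONS:
                findings.append((member, f"uncommon attachment type {ext}"))
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, "member too large to inflate safely"))
                continue
            content = zf.read(info)
            if content.startswith(b"PK\x03\x04"):
                findings.extend(scan_zip_bytes(content, depth + 1, member))
    return findings


def verdict(findings: list) -> str:
    """Gateway decision for the attachment: hold anything with a finding."""
    return "quarantine" if findings else "deliver"


def build_sample_attachment() -> bytes:
    """Constructed sample (not a real campaign artefact): a benign note plus a
    .js file buried two archive levels down, with the inner zip renamed to
    .dat so that a name-only filter would miss it."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Invoice_2016.pdf.js", "// placeholder text, not a script\n")
    middle = io.BytesIO()
    with zipfile.ZipFile(middle, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("scan_results.dat", inner.getvalue())   # renamed nested zip
        z.writestr("readme.txt", "Lab results attached.\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("results.zip", middle.getvalue())
    return outer.getvalue()


def build_clean_attachment() -> bytes:
    """Constructed benign attachment: a single text report, no nesting."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("lab_report.txt", "Potassium 4.1 mmol/L\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_attachment()),
                        ("clean", build_clean_attachment())):
        found = scan_zip_bytes(blob)
        for member, reason in found:
            print(f"{label}: {member}: {reason}")
        print(f"{label}: {verdict(found)}")
```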

To learn more about these recent hospital cyber-attacks and what you can do to protect against them, please see our McAfee Labs Threats Report: September 2016 feature on healthcare cyber-attacks.

How Valuable Is Your Health Care Data?
https://securingtomorrow.mcafee.com/consumer/identity-protection/how-valuable-healthcare/
Mon, 31 Oct 2016 04:51:29 +0000

The post How Valuable Is Your Health Care Data? appeared first on McAfee Blogs.

This blog was written by Bruce Snell.

Health care is a hot topic in security right now. A quick search for “hospital ransomware” returns a laundry list of news reports on hospitals as targets of cyberattacks. However, it is not just ransomware that people need to worry about. In the report Health Warning: Cyberattacks Are Targeting the Health Care Industry, our McAfee Labs team digs into the dark underbelly of cybercrime and data loss involving health care records. In this case, the dark refers to the dark web.

Following up on the Hidden Data Economy report, we looked further to see if medical data was showing up for sale. We found dark web vendors offering up medical data records by the tens of thousands. One database for sale offered information on 397,000 patients!


These databases contained not only names, addresses, and phone numbers of patients, but also data about their health care insurance providers and payment card information.

What’s it worth?

Of course, for this to be worth a cybercriminal’s time, they must be able to profit from it. We are finding health care records to be a bit less valuable than records such as payment card records that contain financial information. The going price for a single record of information on a user that includes name, Social Security number, birth date, and account information such as payment card number (referred to as fullz in dark web lingo) can range from $14 to $25 per record. Medical records sell for a much lower price, anywhere from a fraction of a cent to around $2.50 per record.

Does this mean medical records are not as valuable? Although not as lucrative as fullz, medical record information has a higher value than just a username/password record when sold on the dark web. We think that sellers are trying to maximize their gain from the data theft. In one underground market forum, a seller listed 40,000 medical records for $500, but specifically removed the financial data and sold that separately.

Why is the health care industry a target?

Although there are regulations and guidelines for the health care industry to protect patient information, the industry itself faces many challenges. Foremost, the focus of the majority of health care workers is the treatment of patients. Because they are dealing with life and death situations, the equipment used to treat patients must be working and available at a moment’s notice. This means there is often little time to install a patch or an update on a piece of medical equipment. The equipment may also be running an outdated operating system that simply cannot be patched to protect against the latest threats. It is not uncommon to see medical equipment running on Windows 95. The medical industry is also subject to FDA regulations and approvals. There may be equipment that is approved by the FDA only on an older operating system and would need to be recertified if updated.

How do I stay safe?

Unfortunately, these data breaches are outside the control of the average person. Health care providers typically use the information they collect from you for your treatment, so you cannot withhold your home address or phone number. As a consumer, you need to be alert for health care data breaches that potentially impact you.

  • Pay attention to the news: Once discovered, medical data breaches tend to make the evening news. Even if you went to a health care provider only once to get an x-ray because you thought you broke your thumb and that provider experiences a data breach, odds are your information was compromised.
  • Monitor your credit score: A common use for resold information is the opening of credit cards or bank accounts. Subscribing to a credit-monitoring service will help you know if a new account has been opened without your knowledge.
  • Watch out for phishing: If your contact information has been stolen, you are almost certain to be the target of numerous phishing attempts. Keep an eye out for suspicious emails and text messages. You can read one of my previous blogs for tips on how to spot a phishing attempt.

The nature of today’s digital world can unfortunately cause our personal and private data to be leaked. If you stay vigilant, you can reduce the impact these breaches will have on your life.

Stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, and “Like” us on Facebook.

Stay Safe!

A ‘Second Economy’ Prognosis for Health Care Cybersecurity
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/second-economy-prognosis-health-care-cybersecurity/
Wed, 26 Oct 2016 19:01:39 +0000

The post A ‘Second Economy’ Prognosis for Health Care Cybersecurity appeared first on McAfee Blogs.

McAfee CTO Steve Grobman has pointed out that gaining the upper hand in cybersecurity requires that we extend our thinking beyond the physical economy of money, assets, goods, and services to a Second Economy defined by the currencies of trust, time, and money.

As in other industries, health care is working toward maximizing efficiencies, containing expenses, capturing revenues, and delivering enhanced services through networked devices. Unfortunately, the new opportunities also involve challenges born of a reliance on fragmented cybersecurity strategies built around siloed architectures, and a failure to recognize the value of the extensive data stores the health care sector manages. Losing intellectual property and business confidential information could destroy whole pharmaceutical or biotech companies. Losing personal, sensitive patient data could squander the precious currency of trust in digital medicine, in care providers, and their application of technology.

A McAfee Labs report released today details some of the consequences of health care industry players failing to appreciate the value of data, the attractiveness of that data to cybercriminals, and the ecosystem growing around the theft of such data. The report, Health Warning: Cyber Threats Targeting and Compromising the Health Industry, features three areas of focus.

The value of protected health information

In recent years, McAfee has observed the cybercriminal community extend its data theft efforts beyond financial account data to medical records.

Although credit and debit card numbers can be canceled and replaced quickly, this is not the case for protected health information (PHI), which does not change. This “nonperishable” PHI could include family names, mothers’ maiden names, social security or pension numbers, payment card and insurance data, and patient address histories. McAfee Labs found stolen medical records available for $0.03 to $2.42 per record.

Cybercriminals analyze the data, and perhaps cross-reference it with data stolen from other sources to identify lucrative fraud, theft, extortion, character assassination, or blackmail opportunities across the population of patients.

Targeting intellectual property

Our research and analysis on the targeting of biotechnology and pharmaceutical firms suggest that the economic value of their intellectual property and business confidential information is considerably higher than the cents- and dollars-per-record data McAfee’s researchers identified within patients’ health care accounts.

When you consider that research and development is a tremendous expense for these industries, it should be no surprise that cybercriminals are attracted to this category of data theft.

McAfee researchers found evidence that formulas for next-generation drugs, drug trial results, and other business confidential information constitute significant value. The stores of such data at pharmaceutical companies, their partners, and even government regulators involved in bringing new drugs to market have become premium targets of cybercriminals.

Ecosystem of health care data theft

McAfee also identified cybercriminals leveraging the cybercrime-as-a-service market to execute their attacks on health care organizations. Researchers found evidence of the purchase and rental of exploits and exploit kits to enable the system compromises behind health care data breaches. The researchers even observed efforts by cybercriminals, through online ads and social media, to recruit into their ranks health care industry insiders with access to valuable information.

The Second Economy challenge

The growth and evolution of the market for stolen health care data and the hacking skills required to steal it suggest that the business of cybercrime in this vertical industry is good and growing. Given the increasing threat to the industry, breach costs ought to be evaluated in new Second Economy terms—in which lost trust can inflict as much damage upon individuals and organizations as lost funds.

In health care, gaining the upper hand in cybersecurity means rejecting conventional defense paradigms in favor of radical new thinking. Where health care organizations have relied on old playbooks, they must be newly unpredictable. Where they have hoarded information on attacks, exploits, and threats, the industry must become more collaborative. Where they have undervalued cyber defense overall, they must prioritize it.

In the Second Economy, trust is the prime casualty of cybercrime. In an industry in which the personal is paramount, the loss of trust could be catastrophic to its progress and prospects for success.

The post A ‘Second Economy’ Prognosis for Health Care Cybersecurity appeared first on McAfee Blogs.

How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/weaponized-medical-data-damaging-clintons-emails-trumps-videos/
Wed, 26 Oct 2016 19:01:01 +0000

The 2016 presidential election in the United States will be remembered for a great many things. Never before in US history has the disclosure or nondisclosure of personal information figured so prominently in public debate. Never before has the ability to compromise and disclose personal information been used as a political weapon to damage the public perception of the presidential candidates. Moreover, never before have the personal health histories of the candidates figured so prominently in efforts to qualify or disqualify them as fit or unfit to serve as president.

A report released this week by McAfee reveals the ease by which nation-states, domestic political actors, corporations, or activist groups could steal and expose the medical records of political opponents in the same way that the disclosure of incriminating email messages, video recordings, private documents, and speech transcripts has already been used as a political weapon in 2016.

The market for your medical data

The report shows that huge caches of detailed medical records can be purchased for a mere $0.03 to $2.42 per record and browsed to identify the names of political candidates and their family members. Such records contain protected health information such as family names, mothers’ maiden names, social security numbers, payment card and insurance data, and patient addresses. But they also include more sensitive information such as medical histories, details of medical conditions, mental health issues, medications taken, and the state of treatment for a variety of perhaps embarrassing afflictions or addictions.

McAfee suggests that cybercriminals already mine and analyze millions of such records, cross-reference them with data from other sources, and assemble profiles around individuals who appear to be the most viable targets for crimes such as fraud, data theft, extortion, identity theft, and blackmail. Such crimes have gone digital along with so many other things in our world, and it is not a stretch to foresee them going political in the near future (assuming they already have not).

The “weaponization” of medical records

Although this political season suggests nothing is truly disqualifying, just a couple of years ago former Florida Governor Jeb Bush was deemed disqualified as a presidential candidate on account of, among other things, his daughter’s very public drug addiction. The theft, identification, and public disclosure of data exposing such cases would constitute a political “weaponization” of personal medical records.

Such a disclosure or threat of disclosure targeting a close relative could certainly prove damaging or threatening enough to force a politician from an election contest, or even out of politics altogether.

In 2016, Republican candidate Donald Trump has been criticized for releasing an allegedly inadequate and unconvincing doctor’s letter attesting to his “tremendous” state of health. The health of Democratic candidate Hillary Clinton has been questioned following the release of a mere four seconds of video depicting her exhibiting dizziness. Though these two candidates are not known for quitting, consider that a disclosure of medical records challenging the “robust health” assertions of most campaign teams might prove pivotal in the final days of a contentious election.

Health care hackers-for-hire

Nor is it a stretch to assert that cyber capabilities—hacking skills, tools, and infrastructure—are within the reach of political actors.

Recent press reports claim that around 500 million Yahoo email accounts appear to have been compromised by a mercenary cyber gang. McAfee has identified cyber gang services available for hire specifically for the purpose of attacking health care organizations. Researchers found evidence of the purchase and rental of exploits and exploit kits to enable the system compromises behind health care data breaches.

In one case, a relatively non-technically proficient cyber thief purchased tools to exploit a vulnerable health care organization, and even leveraged free technical support to orchestrate his attack. The McAfee research found that this actor extracted more than 1,000 medical records that the technical support provider said were worth as much as $15,564.

This data breach–enabling ecosystem is so developed that McAfee was able to uncover the brazen efforts of cybercriminals to recruit as accomplices, through online ads and social media communications, health care industry insiders with workplace access to patients’ information.

Prognosis: unprecedented?

McAfee’s report reveals how financial resources can command the technical means for launching cyber-attacks via a marketplace for health care hackers-for-hire and stolen medical data. All that remains is the motive, criminal or political, and the media opportunity to release damaging data through organizations such as WikiLeaks or press outlets.

To believe that such an event is unheard of, despite evident public disclosure of weaponized emails, video, and documents, would be to ignore that the 2016 US election season has entered the realm of the unprecedented.

The post How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos appeared first on McAfee Blogs.

Measuring the ROI of Better Threat Defense: A Healthcare Study
https://securingtomorrow.mcafee.com/business/measuring-roi-better-threat-defense/
Wed, 21 Sep 2016 18:30:30 +0000

This blog was written by Barbara Kay.

In the absence of hard figures, improved threat detection can be difficult to sell to executive management, especially when competing with mandated projects and buzzword-rich initiatives.

We’ve created a program that helps CISOs influence and drive urgency through quantifiable business outcomes that speak to organizational goals. Here’s an example of how this worked for a hospital as they tried to improve their detection rates. You can extrapolate to your business, or contact us to customize this process. Our value management office calculated these numbers based on this company’s estimates, modelled against a baseline derived from industry statistics and peer organizations.

Like many companies, this hospital was not keeping up with Indicator of Compromise (IoC) data. In this case, they were investigating only about one-third of IoCs. That’s not unusual: in McAfee research on relatively sophisticated security operations centers, on average 1 in 4 alerts are not triaged. What’s the cost of not evaluating these IoCs? Here’s the math.

Statistics that influence costs:

  • Percent of IoCs that lead to an actual compromise: 5%
  • Percent of successful threats that are major incidents: 0.01%
  • Average cost of a major incident (Source: Ponemon): $5.8 million
  • Average cost of a minor incident: $397
  • Average annual growth in security threats and events: 30%

This hospital’s calculation:

  • Average number of IoCs received per day: 50
  • Number of IoCs addressed with current resources: 18
  • Gap of unaddressed IoCs: 32
  • Number of IoCs addressed daily after McAfee ESM deployed: 144
  • Savings from avoided cost: $574K per year

I know most of you are burning to ask why the hospital would want to overprovision their ability to address IoCs. Like many health care providers, this hospital is growing, pursuing mergers and acquisitions. While managing increasing volumes of events, they are looking to improve detection of targeted threats and ransomware. Additionally, they know that their patient data represents particularly lucrative targets for cybercriminals. So the additional capacity provides them breathing room to accommodate more signals and respond to more sophisticated threats.

McAfee Enterprise Security Manager (ESM), McAfee’s SIEM solution, can ingest IoCs and other threat intelligence via standard interfaces, as well as data from hundreds of systems. This hospital wanted to validate data from specific devices, including (XYZ applications/sensors). ESM can collect events from these devices, and then use dynamic content packs to flag data exfiltration, database monitoring, HIPAA compliance, and other risks to prioritize alerts. It can also automatically consume and report historical and real-time hits from third-party threat intelligence and IoCs from targeted malware and ransomware. With the advent of threat intelligence from industry organizations such as the National Health Intelligence Sharing and Analysis Center (NH-ISAC), as well as use of McAfee Advanced Threat Defense to reveal malicious artifacts within malware, the hospital will be able to filter alerts against high-fidelity data sources to better detect attacks.

IoC evaluation wasn’t the hospital’s only reason to buy a SIEM, but at $574K x 3 years = $1.72M, the cost avoidance was greater than their entire investment in ESM and other McAfee products.
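The post lists the inputs and the resulting savings figure but not the calculation that joins them. The script below is an added illustration, not McAfee’s value management office model, of one expected-loss formula that reproduces the figure to within about 1%: untriaged IoCs per day, scaled to a year, times the compromise rate, split into major and minor incidents at the page’s costs. The formula, the 365-day year, and the assumption that the untriaged gap grows with the 30% alert growth rate are mine, not the post’s.

```python
"""Expected-loss model for untriaged indicators of compromise (IoCs).

Added example. The inputs are the figures quoted in the post; the way they
are combined is an assumption and lands near, not exactly on, the $574K/year
figure the post reports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IncidentStats:
    p_compromise: float   # share of IoCs that turn out to be a real compromise
    p_major: float        # share of compromises that become major incidents
    major_cost: float     # USD per major incident (Ponemon figure quoted on the page)
    minor_cost: float     # USD per minor incident
    annual_growth: float  # year-over-year growth in threats and events


# Values as listed in the post (0.01% written as a fraction).
PAGE_STATS = IncidentStats(
    p_compromise=0.05, p_major=0.0001, major_cost=5_800_000,
    minor_cost=397, annual_growth=0.30,
)


def triage_gap(received_per_day: float, addressed_per_day: float) -> float:
    """IoCs per day that nobody looks at (never negative)."""
    return max(0.0, received_per_day - addressed_per_day)


def expected_annual_loss(unaddressed_per_day: float, s: IncidentStats,
                         days_per_year: int = 365) -> float:
    """Assumed model: every untriaged IoC that is a real compromise costs
    either a major or a minor incident, weighted by p_major."""
    compromises = unaddressed_per_day * days_per_year * s.p_compromise
    major = compromises * s.p_major
    minor = compromises - major
    return major * s.major_cost + minor * s.minor_cost


def projected_losses(unaddressed_per_day: float, s: IncidentStats,
                     years: int = 3) -> list[float]:
    """Year-by-year loss if the untriaged gap grows at s.annual_growth
    (assumption: headcount stays flat, so the gap grows with the volume)."""
    losses, gap = [], unaddressed_per_day
    for _ in range(years):
        losses.append(expected_annual_loss(gap, s))
        gap *= 1 + s.annual_growth
    return losses


def alerts_after_growth(received_per_day: float, s: IncidentStats,
                        years: int) -> float:
    """Daily alert volume after compounding growth; compare with capacity."""
    return received_per_day * (1 + s.annual_growth) ** years


def main() -> None:
    gap = triage_gap(50, 18)  # 32/day, as in the post
    print(f"untriaged IoCs per day: {gap:.0f}")
    print(f"expected annual loss:   ${expected_annual_loss(gap, PAGE_STATS):,.0f}")
    for year, loss in enumerate(projected_losses(gap, PAGE_STATS), start=1):
        print(f"year {year} at 30% growth:  ${loss:,.0f}")
    # Why 144/day and not 50/day: three years of 30% growth on 50/day.
    print(f"alerts/day after 3 years: {alerts_after_growth(50, PAGE_STATS, 3):.0f}")


if __name__ == "__main__":
    main()
```

The useful output is the year-by-year projection: with a fixed 32/day gap the model gives roughly $571K, which is the post’s flat $574K x 3 years comparison, but if the gap compounds at 30% the three-year exposure is nearly four times one year’s figure rather than three, which is the argument for buying capacity (144/day) above today’s volume. Swap in your own per-incident costs and triage rates before using the numbers for anything beyond illustration.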

If you’d like to learn more about this program, email vmo@mcafee.com, and visit mcafee.com for examples of successful SIEM deployments in health care, public sector, financial services, and more.

The post Measuring the ROI of Better Threat Defense: A Healthcare Study appeared first on McAfee Blogs.
