Healthcare organizations and the cloud: Benefits, risks, and security best practices

Healthcare organizations are moving their business-critical applications and workloads to the cloud, and while there are many benefits (lower costs, added flexibility and greater scalability), there are also inherent risks that cannot be overlooked.

Ensuring organizations’ sensitive data is being monitored and protected (24/7) is key and having analysts who clearly understand security in the cloud is critical. Hiring and staffing these roles can be quite difficult because of the skillset required. Outsourcing cybersecurity to a managed security service provider (MSSP) is one viable solution for healthcare organizations that are in the process of migrating to the cloud and are concerned with protecting patient information, sensitive data, and applications.

Why healthcare organizations are moving to the cloud

HIMSS Analytics conducted a survey of healthcare IT professionals about their views of cloud usage, with nearly two-thirds of respondents saying they are currently using the cloud or cloud services.

Why are healthcare organizations finally making the move? Many have started to look at the cloud as a disaster recovery and backup option in the event of a ransomware attack, a threat that hit the healthcare sector hard in 2017. The cloud also enables increased operational and storage flexibility as more healthcare companies adopt applications such as precision medicine and population health.

Who’s responsible for keeping the cloud secured?

With so much critical information being accessed and stored in the cloud, it’s important to know who is responsible for monitoring authentication, communication, and client access, and how each party secures what it owns. Cloud application vendors are motivated to secure their infrastructure against denial of service attacks, disruption to service delivery, and large back-end infrastructure breaches, because their business depends on it. However, control over data access, user credentials (and in some cases the application servers themselves), and regulatory compliance rests with the user organization’s IT team, not the cloud vendor. In short, cloud infrastructure providers are responsible for protecting their service, while IT teams must ensure their organization’s private data and critical applications are protected.

Whether you are using cloud providers (such as AWS or Microsoft Azure) to host your sensitive applications and data, taking advantage of Microsoft Office 365, or leveraging the scalability of a cloud-based electronic health record (EHR) application, security is a shared responsibility between the IT security team and cloud provider. As more healthcare organizations turn to cloud services, it is becoming critical for IT and security teams to understand the delineation of responsibility.

Taking the right security measures in cloud infrastructures

Most of the same security risks that apply to data and applications residing within a traditional data center also apply to virtualized assets in cloud infrastructures like AWS, Azure, and others. Virtual servers can be infected with malware or ransomware, credentials can be stolen, and cyber criminals can extract data which makes cyber protection even more important.

Web applications are one of the most significant sources of enterprise data breaches, and public-facing web applications are often hosted on cloud platforms. Because cloud platforms are designed for easy sharing, data runs the risk of being unintentionally shared or exposed. Misconfigured cloud-based data stores, such as storage buckets that grant read access to anyone, have been the cause of many exposures.

To address these risks, IT security teams are adopting security tools such as virtualized firewalls, web application firewalls, intrusion detection systems, and vulnerability scanning tools developed for cloud infrastructures. These technologies are integrated using service provider application programming interfaces (APIs) that are designed to address the virtualized and dynamic nature of these environments.
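As an added illustration (not code from the original post or from any cloud provider’s tooling), the following Python script checks bucket policy documents for the most common data-store misconfiguration, an Allow statement that grants a read action to an anonymous principal with no condition, and contrasts a weak policy with a scoped one. The bucket name, the IAM role, the account ID and the VPC endpoint ID in the sample policies are constructed.

```python
"""Flag bucket policies that hand anonymous read access to stored data.

Added example, not code from the original post or from any cloud
provider SDK. It evaluates policy documents offline; the two sample
policies, the bucket name, the role and the account ID are constructed.
"""
import json


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def public_read_statements(policy_json):
    """Return the Sid (or index) of every Allow statement that grants a
    read action to an anonymous principal without a Condition block.
    An empty list means the policy does not make the bucket public."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if not _is_anonymous(statement.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(statement.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        if statement.get("Condition"):
            # A condition such as aws:SourceVpce scopes the grant; it still
            # deserves review, but it is not a blanket exposure.
            continue
        findings.append(statement.get("Sid", "statement[%d]" % index))
    return findings


# Constructed weak policy: the classic "static website" grant applied to a
# bucket that holds exported charts.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-phi-exports/*",
    }],
})

# Constructed corrected policy: access is limited to one IAM role, and the
# only wildcard principal is fenced by a VPC endpoint condition.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EhrExportReader",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/EhrExportReader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-phi-exports",
                         "arn:aws:s3:::example-phi-exports/*"],
        },
        {
            "Sid": "VpcEndpointOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-phi-exports/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
})


if __name__ == "__main__":
    for name, policy in (("weak", PUBLIC_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "public statements:", public_read_statements(policy))
```

In practice the policy documents would be pulled through the provider API (for AWS, boto3’s get_bucket_policy), and the provider’s own evaluation (AWS GetBucketPolicyStatus and the S3 Block Public Access settings) should be treated as the authoritative answer. This check also ignores bucket ACLs, which can expose data independently of the policy.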

Protecting SaaS applications in the cloud

Software as a service (SaaS) applications like EHR software, Office 365, and Salesforce often store sensitive patient data and confidential business and operational information. A breach or inadvertent exposure of this data can result in compliance violations, revenue loss, and significant recovery expense, and can irreparably damage the organization’s reputation.

MSSPs and cloud access security brokers (CASBs) can collect and analyze authentication, access control, and cloud application transaction logs to identify suspicious behavior. Such logs include downloads, logins, usage, and application specific behaviors that may be analyzed by an MSSP to determine indicators of compromise.
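Added example, not Proficio’s or any CASB vendor’s detection content: the following Python script runs three of the checks described above (bulk downloads, a burst of failed logins followed by a success, and a login from a country the account has never used) over a constructed JSON-lines audit log. The field names and the per-user country baseline are assumptions about the export format.

```python
"""Run three behavioural checks over SaaS application audit logs.

Added example, not Proficio's or any CASB vendor's detection content.
The JSON-lines log below is constructed; the field names (ts, user,
event, ok, country, file) are an assumed export format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed baseline: countries each account normally logs in from.
BASELINE = {"nurse.ann": {"US"}, "dr.bob": {"US"}}


def build_sample_log():
    """Constructed sample: a quiet user, and an account that is password-
    guessed, then logs in from a new country and bulk-downloads charts."""
    def line(ts, user, event, ok, country, **extra):
        rec = {"ts": ts.strftime(TS_FORMAT), "user": user, "event": event,
               "ok": ok, "country": country}
        rec.update(extra)
        return json.dumps(rec)

    t0 = datetime(2018, 7, 2, 8, 0, 0)
    lines = [line(t0, "nurse.ann", "login", True, "US")]
    lines += [line(t0 + timedelta(minutes=5 * i), "nurse.ann", "download",
                   True, "US", file="chart-%d.pdf" % (1000 + i)) for i in range(1, 4)]
    t1 = datetime(2018, 7, 2, 22, 10, 0)
    lines += [line(t1 + timedelta(seconds=20 * i), "dr.bob", "login", False, "RO")
              for i in range(8)]
    t2 = t1 + timedelta(minutes=5)
    lines.append(line(t2, "dr.bob", "login", True, "RO"))
    lines += [line(t2 + timedelta(seconds=10 * i), "dr.bob", "download",
                   True, "RO", file="chart-%d.pdf" % (2000 + i)) for i in range(1, 26)]
    return "\n".join(lines)


def parse(log_text):
    """Parse JSON lines into dicts with a datetime ts, oldest first."""
    events = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = json.loads(raw)
        event["ts"] = datetime.strptime(event["ts"], TS_FORMAT)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline, dl_threshold=20, dl_window=timedelta(minutes=10),
           fail_threshold=5, fail_window=timedelta(minutes=15)):
    """Return (rule, user, ts) findings for bulk downloads, a burst of
    failed logins followed by a success, and logins from a new country."""
    findings = []
    per_user = defaultdict(list)
    for event in events:
        per_user[event["user"]].append(event)

    for user, evs in per_user.items():
        # Sliding window over successful downloads; alert once per user.
        downloads = [e["ts"] for e in evs if e["event"] == "download" and e["ok"]]
        start, flagged = 0, False
        for end, ts in enumerate(downloads):
            while ts - downloads[start] > dl_window:
                start += 1
            if end - start + 1 >= dl_threshold and not flagged:
                findings.append(("BULK_DOWNLOAD", user, ts))
                flagged = True

        # Failed-login burst that ends in a success, and new-country logins.
        failures = []
        for e in evs:
            if e["event"] != "login":
                continue
            if not e["ok"]:
                failures.append(e["ts"])
                continue
            recent = [t for t in failures if e["ts"] - t <= fail_window]
            if len(recent) >= fail_threshold:
                findings.append(("FAILED_LOGINS_THEN_SUCCESS", user, e["ts"]))
            failures = []
            if e["country"] not in baseline.get(user, set()):
                findings.append(("NEW_COUNTRY_LOGIN", user, e["ts"]))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(build_sample_log()), BASELINE):
        print(*finding)
```

The thresholds are deliberately parameters: a radiology group legitimately pulls hundreds of studies an hour, so the download limit has to be set per application and per role, and the country baseline has to be rebuilt from a clean period of history rather than from the same window being analyzed.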

Importance of Maintaining HIPAA compliance

For healthcare organizations, the Health Insurance Portability and Accountability Act (HIPAA) is an omnipresent reality. HIPAA requires patient data to be properly protected, no matter where it is being stored. Those who fail to protect patient data face fines and other regulatory penalties.

To meet HIPAA requirements, IT security teams should apply the same level of vigor to safeguarding their cloud-based data and applications as they would to on-premises applications and data. This can include deploying virtualized firewalls, scanning virtual servers for vulnerabilities, and monitoring and retaining log events from the public cloud.

How MSSPs can help implement stringent security in the cloud

When migrating to the cloud, many healthcare organizations consider implementing in-house security solutions. This means hiring security experts and around-the-clock staff to manage and respond to alerts. With the current cybersecurity skills shortage, finding and building the right team is not always easy.

How can a healthcare organization maximize the rewards of cloud-based data and applications while minimizing the security risks? One approach is to outsource the security monitoring, investigations, and incident response to an MSSP.

MSSPs have a service model that is well-suited for healthcare organizations with limited resources and strict compliance requirements. MSSPs can act as an extension of a healthcare organization’s IT security team at a fraction of the cost associated with hiring additional employees and operating a 24/7 security operations center (SOC).

When choosing an MSSP, it is important that healthcare organizations thoroughly evaluate providers and cross-reference their healthcare expertise to ensure a smooth transition to the cloud. Key questions organizations should ask an MSSP include:

    • Are you experienced with helping healthcare organizations protect their data and applications in the cloud?
    • Does your mix of security services include 24/7 monitoring, breach detection, and incident response?
    • Can you monitor log events from my preferred cloud provider and cloud-based application vendor?
    • How do you ensure we will receive accurate and relevant actionable alerts?
    • Can you manage or co-manage vulnerability management tools, virtualized firewalls, and endpoint security in cloud environments?
    • Do you have a single portal where we can drill into security events and understand our security posture for both cloud-based and on-premises assets?
    • Do you offer HIPAA reporting and services to prepare us in the event of an HHS audit?

By asking these questions, healthcare organizations should be able to determine if the MSSP is equipped to handle security needs. Especially for healthcare organizations with limited budgets and small IT teams, a qualified MSSP can serve as an extension of their team, help improve cybersecurity posture, and make the most of moving to the cloud.

2017 Security Threats for Healthcare

From the Bon Secours Health System data breach impacting nearly 700,000 individuals to the $17,000 in ransom that Hollywood Presbyterian Medical Center paid hackers, 2016 wasn’t the best year for healthcare security. So what’s in store for 2017?

The healthcare industry is always going to be a target for hackers, yet security continues to be a challenge due to the overwhelming volume of security alerts generated each day, many of which are false positives, combined with a lack of internal resources. Even with the right technology, many IT teams simply don’t have enough hours in the day to investigate each threat thoroughly. This is why on average it takes over 200 days to identify a breach.

The industry is making great strides to improve their security measures and better protect their patients; yet each year, while some areas show steady improvement, there are new threats emerging that put hospitals at risk. The sheer volume of attacks that occurred in 2016 has elevated cybersecurity to the top of the priority list. An appropriate security solution has become an “absolute necessity” – especially given the lack of in-house resources and skilled security personnel that many organizations face.

Here are some things healthcare organizations should be on the lookout for in 2017:

1.     Money Money Money

Cyber criminals are profit motivated, and will always be drawn to the easy money. With lower ROI on stolen patient records thanks to a surplus on the black market, hackers will seek out more profitable channels of attack, such as ransomware, that allows hackers to block access to key systems or data until the victim pays a ransom. If 2016 is any indication, we will see more of these types of attacks in 2017.

2.     Hospitals Keep Paying  

Hospitals are perfect ransomware targets. Patient care is highly dependent on information technology, and they cannot risk the liability of negative outcomes as the result of critical systems being unavailable. So, there’s a high likelihood that a hospital will pay the ransom, despite the fact that there’s no guarantee they’ll regain access to their systems. Although the industry is making progress on preventing ransomware attacks, as long as hospitals continue to pay, hackers will keep attempting it.

3.     The Real Stakes

The risk posed by medical device vulnerabilities is unsettling. Thankfully, there have been no reports of patient harm due to hackers altering dosage parameters or masking medical alerts, but the threat is real and it only takes one successful attempt to endanger a life (or many). Given the risk and the abundance of malevolent actors, this is more likely to happen in 2017.

4.     On Cloud Nine

Healthcare organizations, like many other industries, are beginning to adopt cloud-based infrastructures. Unfortunately, storing data in the cloud is not secure by itself. As with traditional data centers, security systems and policies need to be put in place to protect cloud-based data and applications. Since cyber criminals focus on opportunity and profit, we can expect to hear of more data thefts involving the cloud, and we expect the $3.73 billion that healthcare spent on cloud services in 2016 to keep increasing.

5.     Data Encryption Matters

Today, there are still healthcare providers that allow unencrypted patient data to be stored on laptops and mobile devices. In 2017, we expect more healthcare organizations to adopt stricter data encryption policies, driven by PHI disclosures and fear of what could happen with a stolen laptop. The Ponemon Institute found “identity management” to be the security strategy deemed most effective in 2016, but until all organizations adopt these policies, disclosures and breaches arising from a stolen laptop or mobile device are inevitable.

Healthcare organizations continue to be a prime target for hackers; if they’re not prepared, they could be very susceptible to attacks. Hospitals and healthcare organizations must remain vigilant and be aware of the threats to their environment.

If you don’t have the internal resources to manage this and are looking for a partner who can help you keep your networks and patients safe, contact us to learn how we can help address these issues.



Medical devices growing concern in healthcare IT security

Practically every hospital and healthcare institution depends on medical devices. These devices produce a sizable amount of data, and although very little of it is retained for any longitudinal patient benefit, it must still be safeguarded per federal requirements. Proficio’s security engineers have worked with a number of healthcare IT security teams and have on several occasions discovered malicious software on medical devices, exposing the network to threats from abroad.

Medical devices are driving significant advances in medical research, clinical diagnostics and operational efficiencies, however, they remain particularly vulnerable because of the unique hardware and software systems they depend on.  Medical devices cannot simply be individually firewalled or easily monitored yet they remain vital components in our healthcare system.

A recent security risk assessment of a mid-size research hospital discovered more than 5,000 devices, most of which required network connectivity to transmit imaging and diagnostic results to downstream software. Proficio has found an incredible variety of device types, most of which are susceptible to malware. Most concerning are the life-support devices that do not simply monitor patient health but actually provide respiratory and circulatory life support.

For IT security practitioners, medical devices can be a challenge. Unclear regulatory governance and unique technological requirements have led to the use of outdated operating systems running applications with little or no software security, which makes the devices easy targets for malware and even proxies for advanced threats. These devices are plainly connected to the hospital’s network and core IT infrastructure, yet most hospitals we have assessed do not regard them as a threat. In reality, they can and do harbor malware capable of crippling a hospital’s network. Weaknesses such as poorly secured wireless access points, unprotected staff consoles, or network ports open to the public could be exploited by an amateur attacker with rudimentary pen testing tools. Considering the ramifications of even a minor breach, hospitals cannot continue to ignore the threats posed by outdated or unpatched medical devices. Information has always been the backbone of the medical industry, and the sad truth is that it is only a matter of time before a cyber-attack leads directly to human casualties.

In our next blog, we’ll discuss some key steps hospitals can take to protect themselves and their patients from malicious actors.

Anthem Inc. Data Breach – Healthcare Increasingly Target of Hackers

On January 27th, Anthem discovered that the login information for database administrators had been compromised. The investigation is ongoing, but the data breach could affect up to 80 million Anthem customers.

Information stolen includes member names, member health ID numbers/Social Security numbers, dates of birth, addresses, telephone numbers, email addresses and employment information, plus some income data. The attack also affected Anthem’s subsidiary companies, including Amerigroup, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Caremore, Unicare, Healthlink, and DeCare.

This attack may be the largest cyber attack in the healthcare industry to date. Last year’s intrusion at Community Health Systems (CHS) involved the records of 4.5 million consumers. According to statistics maintained by the Office for Civil Rights at the U.S. Department of Health and Human Services, there have been 740 major healthcare breaches over the last five years.

Why are Hackers Increasingly Targeting Healthcare?

Explanations for the increase in the size and magnitude of cyber attacks in the healthcare industry include the following:

1. Medical records are more valuable to cyber criminals. Experts say medical records are 10X more valuable than credit cards because they can be used for medical fraud, identity theft and false tax return filings.

2. Healthcare organizations lack the resources and systems to defend their data from attackers. Compared to financial services and energy companies, healthcare organizations are considered soft targets.

3. Chinese state-sponsored attackers may be behind recent security breaches. The goal of these groups is broader than financial gain and may include stealing medical research or using the data for espionage.

Anatomy of Targeted Attacks

Hackers have hundreds of ways to create and execute data-stealing attacks. Advanced persistent threats are commonly described as a sequence of stages, or a kill chain. These usually start with planning and reconnaissance, proceed through techniques such as spear phishing, credential dumping, and the use of remote administration tools to move laterally through the network, and end with data exfiltration.

Questions to Test Your Readiness to Respond to a Targeted Attack

1. Are you monitoring critical and suspicious security events on a 24×7 basis?

It may be obvious, but attackers operating from China are least likely to be active during US business hours. Many organizations have invested in advanced security products such as database firewalls or next-generation malware detection software, but unless the alerts from these systems are monitored, correlated, investigated and quickly remediated, the risk of a data breach is much higher.

2. Have you developed advanced SIEM Use Cases to identify hacking approaches like credential dumping and lateral propagation?

If your SIEM system or service provider relies on vendor base content and the rules are not being continually updated, the chance of identifying a targeted attack is low.

3. Are you using advanced cross-device correlation and pattern discovery techniques in conjunction with threat intelligence data to identify suspicious behavior?

Accurate prioritization of alerts helps identify real threats and minimizes time wasted chasing false positives.
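To make questions 2 and 3 concrete, here is an added example (not a Proficio SIEM rule, and not code from the original post) in Python that correlates Sysmon event 10 and Security event 4624 records across hosts: a non-allowlisted process reading lsass.exe is flagged as credential dumping, one account reaching several hosts over network logons inside a short window is flagged as lateral movement, the two are chained through a host-to-IP inventory, and a threat-intelligence watchlist raises the priority of matching logons. The event records, the allowlist of legitimate LSASS readers, the inventory and the watchlist are all constructed.

```python
"""Correlate Windows events across hosts: LSASS access (credential dumping)
followed by one account fanning out over the network (lateral movement),
ranked with a threat-intelligence watchlist.

Added example, not a Proficio SIEM use case. Event records, host inventory,
allowlist and watchlist are constructed; fields follow Sysmon event 10
(ProcessAccess) and Windows Security event 4624 (Logon).
"""
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010  # access right needed to read LSASS memory
LSASS_READERS_ALLOWED = {  # constructed allowlist of known-good readers
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
IP_WATCHLIST = {"203.0.113.7"}  # constructed threat-intel feed (TEST-NET-3 range)
HOST_IPS = {"ws-ops-12": "10.20.5.12", "ws-hr-03": "10.20.9.40"}  # constructed inventory


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def _logon(ts, host, user, src_ip, logon_type=3):
    return {"ts": ts, "host": host, "eid": 4624, "user": user,
            "src_ip": src_ip, "logon_type": logon_type}


# Constructed events. The Defender read of LSASS and the single network
# logon from ws-hr-03 are benign and must not alert.
EVENTS = [
    {"ts": "2015-01-27 02:10:05", "host": "ws-ops-12", "eid": 10,
     "source_image": r"C:\Users\jdoe\AppData\Local\Temp\pd.exe",
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": 0x1010},
    {"ts": "2015-01-27 02:11:00", "host": "ws-ops-12", "eid": 10,
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": 0x1010},
    _logon("2015-01-27 02:15:30", "db-01", "svc_backup", "10.20.5.12"),
    _logon("2015-01-27 02:16:10", "db-02", "svc_backup", "10.20.5.12"),
    _logon("2015-01-27 02:18:45", "file-03", "svc_backup", "10.20.5.12"),
    _logon("2015-01-27 09:00:00", "db-01", "svc_backup", "10.20.9.40"),
    _logon("2015-01-27 03:02:00", "jump-01", "jdoe", "203.0.113.7", logon_type=10),
]


def detect_credential_dumping(events):
    """Sysmon 10: a non-allowlisted process opened lsass.exe with read access."""
    hits = []
    for e in events:
        if e["eid"] != 10 or not e["target_image"].lower().endswith(r"\lsass.exe"):
            continue
        if e["source_image"].lower() in LSASS_READERS_ALLOWED:
            continue
        if e["granted_access"] & PROCESS_VM_READ:
            hits.append({"rule": "CREDENTIAL_DUMPING", "ts": _ts(e["ts"]),
                         "host": e["host"], "src_ip": HOST_IPS.get(e["host"])})
    return hits


def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=10)):
    """Security 4624 type 3: one account from one source IP reaching
    min_hosts distinct hosts inside the window (one alert per pair)."""
    by_source = defaultdict(list)
    for e in events:
        if e["eid"] == 4624 and e["logon_type"] == 3:
            by_source[(e["src_ip"], e["user"])].append((_ts(e["ts"]), e["host"]))
    hits = []
    for (src_ip, user), logons in by_source.items():
        logons.sort()
        for i, (t, _) in enumerate(logons):
            hosts = {h for t2, h in logons[i:] if t2 - t <= window}
            if len(hosts) >= min_hosts:
                hits.append({"rule": "LATERAL_MOVEMENT", "ts": t, "user": user,
                             "src_ip": src_ip, "hosts": sorted(hosts)})
                break
    return hits


def detect_watchlist_logons(events):
    """Any logon whose source IP appears on the threat-intel watchlist."""
    return [{"rule": "WATCHLIST_SOURCE", "ts": _ts(e["ts"]), "host": e["host"],
             "src_ip": e["src_ip"]}
            for e in events if e["eid"] == 4624 and e["src_ip"] in IP_WATCHLIST]


def correlate(events, chain_window=timedelta(hours=1)):
    """Attach a priority: lateral movement sourced from a host that dumped
    credentials shortly before is critical; dumping and watchlist hits are high."""
    dumps = detect_credential_dumping(events)
    alerts = dumps + detect_lateral_movement(events) + detect_watchlist_logons(events)
    for a in alerts:
        a["priority"] = "medium"
        if a["rule"] in ("CREDENTIAL_DUMPING", "WATCHLIST_SOURCE"):
            a["priority"] = "high"
        if a["rule"] == "LATERAL_MOVEMENT" and any(
                d["src_ip"] == a["src_ip"]
                and timedelta(0) <= a["ts"] - d["ts"] <= chain_window for d in dumps):
            a["priority"] = "critical"
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["ts"], alert["priority"], alert["rule"], alert.get("host") or alert["hosts"])
```

The chaining step is what turns two medium-confidence signals into one critical alert, and it is exactly what base SIEM content tends to lack. In production the allowlist of legitimate LSASS readers has to be tuned per environment, and the host-to-IP mapping should come from DHCP or the asset inventory rather than a static table.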

4. Do high priority security alerts trigger automated responses like blocking traffic to or from an IP address?

24×7 active defense can block known abusive attackers and free operations teams to focus on critical issues.

5. Are you retaining your security logs for 12 months?

Effective forensic analysis often requires more than 90 days of log data.

Proficio provides advanced cloud-based cyber security services and data breach prevention solutions to many healthcare organizations.

How Healthcare Organizations Can Avoid Damaging Security Incidents and Loss of Patient Data

Pharmacy Quality Solutions Shares Why Their Business Chose Proficio

Pharmacy Quality Solutions, the leading provider of performance management services, talks about why they partnered with Proficio to strengthen their security posture.

TARGET: SingHealth Patient Data Breach

Singapore authorities reported a cyber-attack affecting SingHealth, the largest group of healthcare institutions in Singapore. It is the largest known cyber-attack on Singapore-based organizations reported by Singapore news media to date. The attack resulted in a data breach affecting around 1.5 million patients who visited SingHealth between May 1, 2015 and July 4, 2018. The stolen data included personally identifiable information such as names, NRIC numbers, addresses, gender and race. Around 160,000 of these patients also had their outpatient prescription records stolen. The Prime Minister of Singapore’s personal information was specifically targeted as part of the attack.

The attack was first identified by database administrators from the Integrated Health Information System (IHIS) on July 4, 2018, when they identified anomalous activity on one of SingHealth’s IT databases. By July 10th, investigators confirmed it was a cyber-attack, with data stolen between June 27 and July 4.

Although attribution to the exact party that performed the attack is speculative with the data that is publicly available, a statement by the Singapore Health Ministry stated that “It [the attack] was not the work of casual hackers or criminal gangs.” We expect to be able to understand more about the attackers once more technical data is available.

Proficio Threat Intelligence Recommendations:

  • Ensure that sensitive data is encrypted, and limit the access of employees and other stakeholders to what their roles require, following the principle of least privilege. Passwords should never be stored in a recoverable form, encrypted or otherwise: store only salted hashes produced by a purpose-built password hashing function (such as bcrypt, scrypt or Argon2), and enforce strong password policies.
  • Review the organization’s data retention policies on the duration and the types of PII that should be stored. To further limit data exposure, companies are advised to purge customers’ PII when it is no longer needed for business purposes and no longer required by law to be retained.
  • Any potential victim can check whether their data has been compromised by accessing the following website:


125+ cybersecurity companies in healthcare to know | 2018

Healthcare organizations face an increasing threat from cyber attacks and hospitals are spending big to ensure their patients’ data is protected. In 2017, healthcare spending on IT reached $100 billion and there were around 32,000 intrusion attacks per day on healthcare organizations, according to FortiGuard Labs, as reported by CSO.

Here are more than 125 companies focused on cybersecurity for hospitals, health systems and other healthcare organizations…


TARGET: Nuance Communications – Lost Revenue and PHI

Nuance Communications, a healthcare software company which specializes in speech and imaging, has had a run of bad luck with external and internal incidents in 2017.

Last year the NotPetya malware cost the company $92 million in revenue, mainly from the disruption of transcription services and systems used by healthcare customers. Nuance moved quickly to restore client functionality, but complete remediation and restoration took over a month. The attack constituted a security incident under the HIPAA Security Rule but not a breach of PHI under the Breach Notification Rule.

In December 2017, only months after the NotPetya incident, there was an unrelated data breach by a former Nuance employee involving the PHI of 45,000 individuals. The records included healthcare providers’ patient assessments, diagnoses, dates of service and care plans. The former employee stole these records through unauthorized access to a transcription platform.

Nuance has stated that it continues to enhance its security protections to prevent further cyberattacks, as these incidents have generated negative press and cost it potential revenue.

Proficio Threat Intelligence Recommendations:

  • Segment the network properly to limit the spread of malware outbreaks
  • Implement and enforce access controls to prevent unauthorized access, and revoke the access of departing employees promptly
  • Back up critical systems and keep the backups off-network

