The U.S. Federal Bureau of Investigation recently warned healthcare organizations that the security practices within...
the sector are not as robust as those in other industries, increasing the possibility of successful attacks on healthcare entities.
According to the private notice obtained by news agency Reuters, the FBI said that lax healthcare security poses a risk to Americans' personal medical records and other sensitive data. The report noted that such records are already a lucrative target for attackers as they contain information that can be used to access bank accounts and obtain prescription medications.
Researchers at Dell SecureWorks have said previously that criminals were garnering approximately $20 for complete health insurance credentials. In comparison, credit card details were commanding fees in the range of $1 to $2 dollars, before the massive data breach at retailer Target reportedly flooded the market with illicit card numbers.
"The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors," said the FBI in its notice, "therefore the possibility of increased cyber intrusions is likely."
An FBI spokesperson declined further comment.
The FBI notice, issued April 8, did not contain any mention of the Healthcare.gov website, meant to serve as a central exchange for the purchase of healthcare insurance in the U.S. The site has been the subject of criticism for its lax security practices since its October 2013 launch, though there has been no actual evidence that the site has been successfully breached.
Healthcare.gov did force its users to reset passwords in the wake of Heartbleed OpenSSL vulnerability, which was discovered after the release of the FBI notice.
"There’s no indication that Heartbleed has been used against HealthCare.gov or that any personal information has ever been at risk," according to a Healthcare.gov statement. "However, we’re resetting current passwords out of an abundance of caution, to ensure the protection of your information."
The two-page FBI warning also mentioned a February 2014 report issued by the SANS Institute, which noted that the healthcare sector is not currently prepared to tackle a number of growing security risks, particularly the explosion in Internet-connected medical devices that are part of the Internet of Things (IoT).
"Connected medical devices, applications and software used by health care organizations providing everything from online health monitoring to radiology devices to video-oriented services are fast becoming targets of choice for nefarious hackers taking advantage of the IoT to carry out all manner of illicit transactions, data theft and attacks," said the SANS Institute report. "This is especially true because securing common devices, such as network-attached printers, faxes and surveillance cameras, is often overlooked. The devices themselves are not thought of as being available attack surfaces by health care organizations that are focused on their more prominent information systems."