FBI notice: Healthcare security not as mature as other verticals

The security practices in place at healthcare organizations are not up to par with those of other, more mature industries, according to an FBI notice.

The U.S. Federal Bureau of Investigation recently warned healthcare organizations that the security practices within the sector are not as robust as those in other industries, increasing the possibility of successful attacks on healthcare entities.

According to the private notice obtained by news agency Reuters, the FBI said that lax healthcare security poses a risk to Americans' personal medical records and other sensitive data. The report noted that such records are already a lucrative target for attackers as they contain information that can be used to access bank accounts and obtain prescription medications.

Researchers at Dell SecureWorks have said previously that criminals were garnering approximately $20 for complete health insurance credentials. In comparison, credit card details were commanding fees in the range of $1 to $2 before the massive data breach at retailer Target reportedly flooded the market with illicit card numbers.

"The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors," said the FBI in its notice, "therefore the possibility of increased cyber intrusions is likely."

An FBI spokesperson declined further comment.

The FBI notice, issued April 8, did not contain any mention of the Healthcare.gov website, meant to serve as a central exchange for the purchase of healthcare insurance in the U.S. The site has been the subject of criticism for its lax security practices since its October 2013 launch, though there has been no actual evidence that the site has been successfully breached.

Healthcare.gov did force its users to reset passwords in the wake of the Heartbleed OpenSSL vulnerability, which was discovered after the release of the FBI notice.

"There’s no indication that Heartbleed has been used against HealthCare.gov or that any personal information has ever been at risk," according to a Healthcare.gov statement. "However, we’re resetting current passwords out of an abundance of caution, to ensure the protection of your information."

The two-page FBI warning also mentioned a February 2014 report issued by the SANS Institute, which noted that the healthcare sector is not currently prepared to tackle a number of growing security risks, particularly the explosion in Internet-connected medical devices that are part of the Internet of Things (IoT).

"Connected medical devices, applications and software used by health care organizations providing everything from online health monitoring to radiology devices to video-oriented services are fast becoming targets of choice for nefarious hackers taking advantage of the IoT to carry out all manner of illicit transactions, data theft and attacks," said the SANS Institute report. "This is especially true because securing common devices, such as network-attached printers, faxes and surveillance cameras, is often overlooked. The devices themselves are not thought of as being available attack surfaces by health care organizations that are focused on their more prominent information systems."
