20 Feb 2014

Cybercrime Increasingly Targets Health Care, Report Says

375 US-based health care organizations were compromised in 2013 and the numbers will keep growing, a according to a SANS cyber threat report.

From September 2012 to October 2013, the health care industry - including universities, large health systems, national associations - and several global pharmaceutical organizations, suffered 50,000 unique malicious events.

As a result, medical organizations, including 72 percent of health care providers, are sending malicious traffic through medical devices, conferencing systems, web servers, printers and edge security technologies, such as VPNs, firewalls and routers. This implies the devices are compromised and don’t comply with privacy and security regulations for patients’ data.

The compromised organizations are most concentrated in California, Texas, New York and Florida, states also known for high rates of medical fraud.

The report says security practices and strategies in the industry are not efficient, despite IT professionals’ positive perception. Some of the most exploited devices include misconfigured surveillance cameras, which are apparently not secured upon implementation.

“Most network admins change the factory defaults for router firewalls, but they often overlook other network-attached devices, such as surveillance cameras and network-attached printers or fax machines,” the report says.

Medical organizations are not immune to cybercrime and “reports of breaches against health care organizations, large and small, continue to rise—as do the regulatory fines they are facing for the exposure of protected patient data,” the report concludes.