WAAR 2015: Is Healthcare industry treating the symptoms and not the cause of cyber-attacks?
Our ADC team has just published WAAR #6highlighting Healthcare vertical as 10x more likely to be a victim of XSS (Cross-site Scripting) attacks. We have observed that XSS attacks have increased across all verticals, but the number of XSS attacks on the Healthcare vertical is disproportionately higher in comparison. Healthcare web applications suffer massively more XSS attacks—415 incidents that are 57% of the incidents—and significantly more than other industries for which only 5% – 16% of the attack incidents were XSS. XSS attacks are not new; we can only surmise that more cybercriminals are getting into the mix with the abundant availability of attack kits from the cybercrime marketplace. Even if the success rate ends up being less than 1%, there is evidence supporting the economics of targeting Healthcare.
Value of Health Records
Health records are estimated to be ten times more valuable than credit card numbers according to both FBI reports and ABI research. Consumers also don’t have the ability to monitor their medical records. Hence, it takes longer for consumers to realize that their medical information has been stolen or compromised. Credit card industry is aggressively pushing for chip and pin technologies to counter fraud.
The Healthcare vertical has some unique challenges when it comes to budgeting for information security. Healthcare firms not only have to keep up with data protection requirements and the evolving cyber-attacks but also find a way to modernize medical equipment/services and cut health care costs for its customers. Invest in the latest MRI scanner/virtual care offering or protect patient records with a state-of-the-art Web Application Firewall? – Tough calls nonetheless. Recent data breaches at Anthem Blue Crossand ULCA Health are harsh reminders to protect sensitive data at all costs.
Lack of Security Mindset
Healthcare probably had the corner on Internet of Things, long before the term IoT got coined. There is a wide range of connected devices, most of them likely running older operating systems and developed without a security mindset. Naturally, Healthcare is a very juicy target for cyber criminals, not just for patient records, but also to host malicious botnets.
SANS Institute and security vendor Norse released a report in Feb 2014 stating “Poorly protected medical endpoints, including personal health devices, become gateways, exposing consumers’ personal computers and information to prowling cybercriminals.”
Over Reliance on Compliance
Electronic Medical Records have unintentionally added fuel to the fire; patient records are probably on Information Management Systems that may be severely at risk from theft. Healthcare is also heavily compliance based where obtaining the assessor’s stamp of approval is used as a proxy for having sound, constant risk management and data security controls. Security and Compliance are often bundled together due to the overlap of controls, but in reality both have different end goals.
The writing on the wall is clear for Healthcare “Leapfrog the attackers by taking a security first approach and deploy solutions based on threat intelligence to combat against data leaks/breaches.”
Please join us for a live webinar on November 18, 2015, at 9 a.m. pacific / 12 noon eastern, Itsik Mantin, Director of Security Research at Imperva, will detail key insights from the Imperva Application Defense Center annual Web Application Attack Report.