Thursday, December 1, 2022

The Number of Data Breaches in Healthcare Doubled in Three Years...

 I happened to come across an article recently on the website Bankinfosecurity.com that dealt with the continuing problem of data breaches in healthcare.  Due to the amount of computing infrastructure in healthcare, combined with the NEED for fast access to data to save lives, that sector of the market is a big target for cyber criminals.

What I get upset about is the aspect that criminals mucking around in hospital networks could very easy cause loss of life.  Now I realize that also applies to lots of other sectors that are battling Ransomware and other threats... the Colonial Pipeline hack could have affected EMS or other emergency departments that save lives.  However, hacking hospitals seems to have a very direct "cause and effect".

I suppose that criminals don't let those trivial details really enter into the mental equation, but it should.  The basic idea is that because of the need to access medical data quickly and efficiently, hospitals will face huge pressure to pay a ransom as the data is in the best interest of the patients.

Dental offices, while not frequently dealing with life and death issues, can still be targets of cyber criminals.  However, since many dental offices are still privately owned, the potential for high dollar payouts are not there.  Large corporate dental clinics might be better targets for ransomware, simply because they have more money for ransoms, but there is also the fact that encrypting a private practice system would take the owner's livelihood away and perhaps they might be willing to pay to get that back.  I once had a doctor tell me their cyber security posture was "stay small and they won't think I have any money".  While it IS a strategy, it's not one that I would endorse.

To read the article on bankinfosecurity, follow this link.  

There is also a really great article on the DPR website that was written by my good buddy Brett Callow and his friend Meredith Griffanti.  They are both experts in cyber security and were awesome about writing this article on "Protect Your Dental Practice from Ransomware".  These 2 are well known and established experts in the field of cyber security, so if you are a dental professional, be sure to follow the link and read this article.  

4 comments:

  1. The whole situation is super frustrating.

    On the smaller side (think dentists, chiropractors, small healthcare offices, etc...) there's this dumb idea that you need to hire the cheapest Managed Service Provider to take care of everything. Those MSPs will promise the moon (we'll handle patching, security, etc...) and then they don't deliver on things the client won't notice.

    If someone gets breached, they just wave the excuse of "it was an advanced persistent threat" or "it's a new virus that got around the AV software". In other words, "it's not my fault" your network got breached.

    Most of them are completely incompetent. I ran into one a few years ago that used the password "letmein123" for *all* their domain admin accounts for *all* their clients. To this day, when I take over a healthcare company from them, I can get in without having to call them for an admin password. They even deployed this batch file to every computer:

    net user /add ITADMIN letmein123
    net user ITADMIN letmein123
    net localgroup administrators ITADMIN /add
    wmic useraccount where "Name='ITADMIN'" set PasswordExpires=false
    wmic useraccount where "Name='ITADMIN'" set PasswordExpires=false

    On the side of larger places (hospitals, DSOs, etc...) there's a *huge* amount of economic pressure to reduce costs everywhere coupled with "we want this newfangled thing". IT is told "install this", not "We want to use this, but we need to know if it's secure, how well it will integrate with our network, etc..."

    Just last month, I dealt with a company that was contracting out insurance stuff to India. It took hours on the phone to communicate with their IT staff only to be told they would be connecting in via RDP and after 30 days of constant prompting, they still refuse to change their default password.

    Another company I dealt with that handles "patient communication and online reviews" uploads the entire contents of the patient database--including social security numbers, birthdates, credit card numbers, financial history, medical conditions, allergies, etc... It's a ton of info they absolutely don't need...and it's all done through an insecure HTTP connection. When I brought up the security of the patient data I was told "CompanyX brings us around $8,000 in revenue every month. We aren't changing."

    Thankfully they're "cyber insurance". Just pay a few thousand dollars every month for millions in coverage, and when their dumb decisions end up destroying people's credit or leaking embarrassing information, the insurance company will pay though the nose to buy everyone "credit monitoring".

    The best part is there are tons of cyber insurance companies out there that basically just check to see if you have any inbound ports open on your router and call it "good". They don't check to see if you're still running Windows 7. They don't care if various programs require you to run as a full-on administrator. They don't care if you're running SQL 2005 (end of life) on a Windows 2008 server (end of life) and it's internet accessible via IIS 5 (end of life).

    It's like one of the former MSPs I used to work for. I told them we hadn't taken a successful backup in over 30 days and we needed to hire more staff so things like that could be monitored. The reply was "God protects our company, don't worry about it."

    Great disaster recovery plan.

    ReplyDelete
  2. Dang, Aaron! These are all great points. It certainly seems like no one is interested in locking the barn until a thief takes off with all of the horses.
    Would you be up for an interview in 2023?

    ReplyDelete
  3. Thanks John. I've never done an interview before. I'm an engineer--so I have a face for radio. ;)

    But I guess I'd be up for one. If blogger doesn't give you my email address when I comment, let me know.

    ReplyDelete
  4. Hi Aaron, you email didn't come across, but you can always DM me that info via Twitter. My handle is @jflucke
    I think you have a LOT to offer the profession!

    ReplyDelete