Healthcare has been the industry most sought after by both good and bad actors. Good, because we all need life-critical and life-saving services with improved treatment and patient care, especially at a time when we have all witnessed the most unprecedented pandemic of our lifetime, which has not just jolted the economy but also reduced life expectancy significantly. Bad, because threat actors with mala fide intentions find healthcare organizations an attractive target, as these transmit, process and store highly sensitive, critical and personally identifiable information (PII) about their members, covered entities and patients.
The healthcare industry is besieged by a myriad of cybersecurity-related issues. These issues range from ransomware that compromises the integrity of healthcare systems and applications, to data theft that compromises the confidentiality of PHI/ePHI. Distributed denial of service (DDoS) attacks disrupt facilities’ ability to provide timely patient care. Perhaps the most critical issue is the compromise of healthcare applications and APIs, which puts at risk the privacy of patients, the availability of critical life-saving infrastructure and the integrity of healthcare entities’ data.
Ethically, the healthcare sector should be the last one cyber criminals attack, but no exceptions are made when threat actors are looking to make money. Instead, the healthcare industry has seen a tremendous increase in attacks, specifically application-layer attacks, as that is the layer most exposed to the outside world.
Here, we provide insight into why the healthcare industry and its associated applications are bleeding the most, followed by its security requirements, attack vectors, and some of the reasons putting healthcare under exponential strain. We also shed some light on why healthcare applications are considered “big game hunting” in the dark web community, and on some causal factors behind the increase in the attack surface of healthcare applications. Then we change course to look at some solutions in the form of best practices, Fortify’s capabilities and offerings that cater to these security requirements and challenges, compliance with specific healthcare regulations and frameworks at the control level, and a methodology for DAST that is in line with industry best practices for securing healthcare and the industry at large.
Average Cost of a Data Breach by Industry
While other critical infrastructure sectors also experience these types of attacks, the cost and impact of a data breach in the healthcare industry is astronomical. If we look at the 2021 average cost of a data breach by industry report from IBM and the Ponemon Institute, we see healthcare at the top and much worse than the others, at US$ 9.23 million.
Data Source: Ponemon IBM Average Cost of a Data Breach Report 2021
Analyzing the trend over the last few years, it has also been observed that for 11 consecutive years the healthcare industry has paid the most for data breaches, and that the average cost increased by almost 30%, from $7.13 million in 2020 to $9.23 million in 2021.
This makes it more pertinent to analyze the healthcare industry through a cybersecurity lens and devise a framework tailor-made for this sector.
The nature of the healthcare industry’s security requirements poses unique challenges. Here, cyber-attacks have much greater ramifications in terms of human lives, which go way beyond financial loss and breach of privacy. Now let us look at some of its key security requirements.
Healthcare Security Requirements
The primary security requirement of any industry is to protect its covered entities, assets, attributes and associated data. And when the assets to secure hold a lot of multi-dimensional sensitive information (PII, PHI/ePHI in the case of healthcare applications), the security focus needs to be heightened accordingly.
So, we have prioritized the list of entities relevant to healthcare security, which include, but are not limited to:
· Customers or identity of the individuals
· Health care providers, including doctors, clinics, hospitals, nursing homes, and pharmacies
· Insurance providers
· Health care clearinghouses
· Payment providers
· Third party providers or business associates (third parties that perform certain functions or activities that require the use of personal health information (PHI) including, for example, claims processing or administration), etc.
· Healthcare Plans
Along with the entities come the vital assets that support the healthcare industry, which include, but are not limited to:
· Critical healthcare data
· Healthcare-specific applications (web-based, mobile, COTS applications)
· Medical IoT devices
Healthcare data is readily available on healthcare applications. This data includes names, addresses, dates of birth or death, social security numbers (SSNs), health insurance identification numbers (HINs) and account numbers representing payment instruments, such as credit card details. Combined with demographic data, these provide enough information for healthcare cyber-threat actors to steal identities or commit healthcare fraud. Additionally, the presence of personal information about one's health and the relevant records makes healthcare applications an attractive option for cyber-criminals, as this information has tremendous underground market value.
Protection of all web-facing healthcare applications, together with the sensitive PII/PHI data on them, is a key security requirement of the healthcare industry. Compliance is, of course, another, and we will also dive into it in this blog. Let us now look at the attack vectors and opportunities most relevant to the healthcare industry.
Security Challenges and Issues in the Healthcare Industry
Top Attack Vectors for Healthcare
Hackers perform extensive reconnaissance of healthcare applications and will go to great lengths to identify a target: looking at how many pages each application has and what sensitive information it seeks from its customers and patients, assessing what security mechanisms and controls are implemented, whether there is outdated software in the architecture and what CMS it is running on, and identifying the associated vulnerabilities. It only takes one loophole or vulnerability for hackers to break into critical healthcare applications and APIs and cause catastrophic downtime and a potential breach of PII/PHI, leading to regulatory fines under, among others, GDPR in the EU, CCPA, the UL 2900-2-1 standard for connected health care devices, and HIPAA, which is the biggest healthcare compliance standard.
This section of the blog explores the top attack opportunities or vectors for healthcare applications, which include, but are not limited to:
- It has been observed that a lack of security controls in healthcare applications (input validation, escaping special characters, allowing untrusted data to reach the backend servers, using vulnerable and outdated components with known vulnerabilities, etc.) is the most common reason for so many attack vectors.
- A higher level of domain distribution exists in most healthcare web applications, as they contain different types of web pages specific to every covered entity and links to other third-party domains and subdomains, which contribute to a larger attack surface.
- Insecure Page Creation Method: By scanning these distributed domains of healthcare applications, we can easily identify web pages developed with insecure code and practices. It’s important to follow a shift-left approach, i.e., a DevSecOps process as part of your SDLC, to ensure applications are tested continuously in an automated fashion from development through to production.
- Active Content: The number of healthcare apps developed with active content increases the attack surface, as it is generally linked to the number of healthcare products, services and third-party services offered online. More active content increases the risk of malicious scripts being entered through online forms, which can lead to Magecart attacks and credit card skimming.
- It has been observed, and confirmed by various research, that a significant number of healthcare applications are running over HTTP with unencrypted login forms or with very weak authentication.
- Improper session management, which covers vulnerabilities such as session fixation, hijacking and overriding, has also been identified as another major attack vector for targeting healthcare applications.
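The last two items can be checked during a defensive review of your own applications. The following is an added example, not code from Fortify or from the original post: given a page's URL, its HTML and its Set-Cookie header values, it flags login forms served or submitted over cleartext HTTP and cookies missing the attributes that limit session hijacking. The host name, sample markup and cookie values are constructed, and every cookie passed in is assumed to be session-bearing.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample input (not from any real application).
SAMPLE_HTML = '<form action="/session"><input name="u"><input type="password" name="p"></form>'
SAMPLE_COOKIES = ["SESSIONID=abc123; Path=/; HttpOnly",
                  "theme=dark; Secure; HttpOnly; SameSite=Lax"]

class LoginFormFinder(HTMLParser):
    """Collects the action URL of every form that contains a password field."""
    def __init__(self):
        super().__init__()
        self.actions = []            # actions of forms holding a password input
        self._action = None          # action of the form currently open, if any
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action, self._has_password = attrs.get("action") or "", False
        elif tag == "input" and self._action is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.actions.append(self._action)
            self._action = None

def audit_page(page_url, html, set_cookie_headers):
    """Return findings for one fetched page and its Set-Cookie header values."""
    findings = []
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    if finder.actions and urlparse(page_url).scheme != "https":
        findings.append(f"login form served over cleartext: {page_url}")
    for action in finder.actions:
        target = urljoin(page_url, action)  # empty action posts back to the page
        if urlparse(target).scheme != "https":
            findings.append(f"credentials posted over cleartext: {target}")
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        flags = {p.strip().split("=")[0].lower() for p in header.split(";")[1:]}
        missing = [f for f in ("secure", "httponly", "samesite") if f not in flags]
        if missing:
            findings.append(f"cookie {name} missing {', '.join(missing)}")
    return findings
```

Cookie attributes do not address session fixation; that requires the application to issue a new session identifier at login.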
Current State of the Healthcare Industry
In the last couple of years, the strain on healthcare has risen exponentially, owing to several factors, which include, but are not limited to:
- COVID: The healthcare industry has been under tremendous pressure, particularly from COVID. On top of saving lives and rolling out vaccines, it is also under attack by cybercriminals. The COVID-19 pandemic has shifted more healthcare and pharma businesses to remote working. This unexpected rise has overstretched the IT resources of Security, Dev and Ops in setting up remote infrastructure, prioritizing IT availability over security and possibly leaving applications and systems exposed on the Internet. This is something that an opportunistic attacker will certainly check while preparing an attack.
- Another aspect of the mounting pressure on the healthcare industry is outdated and complex systems or components with known vulnerabilities, a common application security issue that OWASP has continued to highlight in the OWASP Top 10, moving it up from A9 to A6 in 2021. This is especially critical as we see a surge in malware attacks on healthcare organizations’ legacy applications, since the industry's focus has been mainly on healthcare devices, drugs, vaccines, formulae, etc. rather than on securing IT infrastructure or, primarily, web applications.
- Something you can’t see or don’t know of is something you can never protect. The same is the plight of various healthcare applications. We have observed that most EU- and US-based healthcare organizations do not have visibility of the digital footprint of their public-facing web applications and web services, which opens up a whole world of attack vectors and exponentially increases their risk exposure.
- We have also observed that many in the healthcare industry do not put much emphasis on regular or managed application security assessments, because their priority is saving lives. They follow more of an ad-hoc approach, thereby lagging significantly behind in the ever-evolving cyber space of vulnerabilities and exploits.
- And among the chosen few who have a regular or managed AST program in place, most lack the processes, skills and tools for risk-based vulnerability prioritization, leaving them with a plethora of vulnerabilities that keep piling up with every application scan run at regular intervals. This leaves them with ad-hoc patching that keeps them on the brink of a compromise.
- Less security tied to DevOps is common to every industry, not just healthcare: the focus is not so much on security as on expansion, i.e., to acquire, produce and innovate more.
Now, let us understand why the healthcare application landscape is considered a breeding ground for threats.
Healthcare Applications: An Inviting Ground for Threats
The healthcare industry has been a breeding ground for threats, also known as “Big Game Hunting” in the hacker community, as it holds a bundle of extremely valuable patient data, PHI/ePHI and intellectual property, including valuable research and formulae. This section of the blog explores several factors that make healthcare an attractive breeding ground for hackers. These factors are driven by sensitive information that has an extremely high value in the dark-web community, such as personal data, which includes, but is not limited to:
- PII: Personally Identifiable Information (a term drawn more from EU-specific data compliance standards)
- PI: Personal Information (a term drawn more from American-specific data compliance standards)
- PCI: Payment Card Industry Data
- PHI/ePHI: (electronic) Protected Health Information
- SPI: Sensitive Personal Information
- Private Information, Intellectual and research data, etc.
- Regulated, Business, Confidential, and High-Risk Crown Jewel Data
Now, let us understand the factors that breed attackers and give them an opportunity to attack.
- Vulnerable software acquisitions: This is drawn from previous professional experience, wherein mergers and acquisitions were quite the norm among some of the major healthcare giants. The merged infrastructure and web applications had the ability to traverse to the backbone network of the acquiring entity, thereby jeopardizing the security of the whole organization.
- A large number of unmanaged and unknown healthcare web apps and web services, holding critical personal information and data with loose security controls, has also been one of the motivations inviting attackers.
- Multiple studies have revealed that, in both the US and the EU, the use of legacy, old and obsolete software is rampant in the healthcare industry, even though it is fundamentally prohibited.
- Digital sprawl from legacy systems and shadow IT opens up a plethora of vulnerabilities.
All these factors put together make healthcare a lucrative breeding ground for hackers with the most coveted reward of sensitive information.
Stay tuned for part two of my blog series where we look at solutions to counter these challenges listed above.
More About Fortify
CyberRes Fortify delivers software resilience for modern development with a holistic, inclusive, and extensible application security platform from a trusted partner that supports today’s enterprises. This comprehensive suite of products brings holistic security and visibility to developers, AppSec professionals and key stakeholders with automated integrations for any tool, anywhere in the SDLC and a robust set of capabilities available on-premises, SaaS and as-a-service.