2013/01/11

Security: Healthcare systems are "soft-targets": the Next Big Exploit

Previous pieces on Security:
I'd been racking my brains as to how Cybercriminals can "monetise" e-Health Records and writing to someone else, think I've understood it finally after a "Top of the News" report by the Security for Professionals: SANS.

There are two ways to monetise e-Health Records:
  • Identity Theft. Huge amount of high-quality info. Medicare Cards are worth 'points' as Govt. ID's.
  • Ransomware: healthcare can't operate without its data and they print money by the truckload.
I'm wondering if the attacks reported out of QLD by /AUSCERT on Medical Practices is accidental.
If the CyberCrims haven't understood this yet, they will in 12 months.

In 1998, I couldn't see a way to monetise MP3's on the Internet. How do you charge for freely distributed files?
A: You don't... Apple invented end-to-end Security to sell iTunes to Content Providers.

The other group of attackers to be aware of are "Advanced Persistent Threats" (APT's) - known to do Cyber-Terrorism, and what better target than disrupting Healthcare? It is commonly believed the resources of Nation States are needed to pursue APT's.


The day this piece was written, I'd received a SANS Newsletter, the read for IT Professionals. The lead piece was a long investigative piece by the Washington Post on vulnerabilities in Healthcare Systems.

This is going to be a long running story with some really deep and disturbing implications and exploits.
What other practices/ventures of Organised Crime will we see turn up on the Internet?? We can only wonder...

Since 2004 when the Hackers turned Pro, Organised Crime has been moving in and repeating its real-world trade/tricks on-line. We've also seen more Organisation and increasingly "Industrial Scale" operations...


From the Washington Post article, a quote that shows NO understanding of the CyberCrime world and how dangerous this ignorance is:
OEMR’s leaders acknowledged the flaws but said it would take an experienced hacker to exploit them.
Yes, exactly correct, BUT dangerously ignorant and wrong:
  • which is why since the days of "script kiddies", pre-2000, the actual coders have packaged their exploits and on-sold them. That's the primary trade, the secondary market is those whom we perceive to be CyberCriminals... They are clowns running software they didn't write and don't know much about - but just as effective as anyone.
Also, theWashington Post article doesn't ask, "Why Eastern Europe?"
  • they are poor and their economies in disarray. People will do "whatever they have to do".
  • in the post Soviet Union era, that corrupt system has transformed into Organised Crime
  • there are large numbers of very talented, highly-trained and and motivated people available
  • they have some areas of very good Internet connectivity
News letter on SANS website.
**************************************************************************
SANS NewsBites                December 28, 2012          Vol. 14, Num. 102
**************************************************************************
TOP OF THE NEWS
  Health Care Sector Lagging Behind Others in Cybersecurity
  Banking Regulator Issues Warning Regarding DDoS Attacks Against Financial Institutions
  FOIA Docs Reveal NSA Industrial Control System Vulnerability Research
  US Legislators Approve National Defense Authorization Act Requiring Contractors To Report Breaches

***************************************************************************


TOP OF THE NEWS
 --Health Care Sector Lagging Behind Others in Cybersecurity
(December 25, 2012)

Researchers say that the health care sector is vulnerable to a variety of cyberattacks. The industry moved quickly to embrace the benefits offered by the Internet but in doing so, exposed medical devices and computers at medical facilities to hackers, who could potentially steal patient information to commit identity fraud and even launch attacks on critical systems within hospitals. Health care "lags behind [other industries] in addressing known problems." Granted, medical facilities have not been the target of attacks as frequently as financial, corporate, and military networks have, but the US Department of Homeland Security (DHS) has recently become concerned that health care could prove an enticing target for hackers. The most recent cybersecurity guidance from the Food and Drug Administration, which oversees medical devices, dates to 2005.

http://www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_story.html

[Editor's Note (Murray): The healthcare sector lags in use, let alone the management, of IT.  Their failure to use electronic healthcare records is killing and impoverishing us.]

No comments: