For all intents and purposes, the worst is yet to come with healthcare malware and virus attacks. To this point, the large majority of attacks have been the result of failed physical or administrative safeguards. But it is also important to evaluate the current technical data security threats in healthcare settings. Data is becoming increasingly valuable to hackers as EHRs become more prevalent and connected to different networks, and ensuring your system is ready for malware attacks, beyond just firewalls and normal authentication, is becoming more and more critical.
For example, UNC Hospitals’ Information Security Office reported on Jan. 16 that it had seen suspicious activity on its computers and network attributed to the Trojan malware referred to as Zeus, or Gameover Zeus. According to the UNC website, Eastern European cyber criminals run Zeus, which has affected more than 675,000 Windows machines, potentially compromising login credentials, banking records, and other confidential information.
The Dell SecureWorks team reported back in July 2012 that a private peer-to-peer (P2P) version had been found since the ZeuS source code was leaked in May 2011. The P2P version removes the centralized command and control (C2) infrastructure previously required to push configuration files and updates and to collect information harvested from infected computers:
Web injects are usually more difficult for a victim to identify than a classic phishing attack, because the expected URL is displayed in the web browser and works even with encrypted HTTPS sessions. Web injects display forms that request information, including credit card numbers, social security numbers, mother’s maiden name, ATM PINs, and date of birth. In addition, web injects can be used to bypass two-factor authentication security features by prompting the victim for the required information.
So why is this significant for healthcare providers? Because they’re not the only handlers of patient data and institutions such as payment providers have been targeted in Zeus P2P attacks.
Zeus, of course, is just one of the big malware threats that healthcare security officers need to be aware of. A few that come to mind include drive-by malware, ransomware (criminals use ransomware to infect users’ devices for extortion), remote Trojans, mobile malware (sheer volume and older versions of Android remain vulnerable) and phishing links.
Problems with legacy systems
This past October, the MIT Technology Review published an article on healthcare malware, and one area of focus was how to handle older systems that may be functional but not necessarily secure. The Review referenced one example at Beth Israel Deaconess Medical Center in Boston, where 664 pieces of medical equipment were running on older Windows operating systems that manufacturers wouldn't allow the hospital to change, even to add antivirus software, as of the publishing date. The root of these disagreements was whether modifications could pose a problem in U.S. Food and Drug Administration regulatory reviews. Kevin Fu, an expert on medical device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, said this:
Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There’s little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.
Of course, there are plenty of barriers to these patches as well. John Halamka, Beth Israel's CIO and a Harvard Medical School professor, told the Review that after some malware issues he began asking manufacturers for help in isolating their devices from the networks, because the devices couldn't be patched due to [regulatory] restrictions.