While the main “focus group” consists of healthcare organizations, their auxiliary targets come from manufacturing, information technology, agriculture, and logistics industries. Let’s hear Symantec explain these statistics: “While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products”.
Symantec experts believe that the attacks were so successful, and went unnoticed for several years, “thanks” to the large number of outdated computers and software in the healthcare industry. These systems are easy to compromise because they often lack proper security solutions, so the intrusions couldn’t be discovered right away.
Every professional in every industry knows that security is important, especially in the modern era, where such attacks are becoming commonplace. But how do you tackle the problem effectively?
Sure, the HIPAA Security Rule “requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information,” but it doesn’t provide a step-by-step guide of any kind. What are the ways doctors can protect PHI on their medical devices? Let’s outline the most important ones.
- The identification of each and every device on the network.
Identify everything that has a network connection: tablets, mobile phones, scanners, IoT devices, desktops, laptops, etc. If your company adheres to a BYOD policy, take time to identify those users as well.
- Minimization of the PHI amount.
Simple as that: the less PHI is stored on your device, the less likely it is to be a target for hackers.
- De-identification of the information.
It’s worth anonymizing the data, especially if it’s being used for statistical or research purposes. De-identification also notably reduces the chances of exposing PHI if a breach occurs.
Data encryption is a must, whether the data is being transmitted to the cloud or stored on a device.
- Regular checks and updates of your Internet security tools.
  - Installed and regularly updated security software: make sure that you have the latest tools for protecting against viruses, malware, and malicious applications.
  - Protect your architecture against unauthorized connections via firewalls.
  - Remote wiping and disabling: it makes sense to reduce the time the data is stored on a device. Also, it’s important to adhere to the principle of mandatory deletion of obsolete PHI and PII.
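
The minimization and de-identification items above, as an added example that is not part of the original article: a record is copied for research use with direct identifiers dropped, the patient ID replaced by a keyed pseudonym, and ZIP code, visit date and age coarsened. The field names, sample records and key are constructed assumptions.

```python
import hashlib
import hmac

# Direct identifiers that are dropped outright (field names are assumptions).
DIRECT_IDENTIFIERS = {"name", "ssn", "phone", "email", "address"}


def pseudonym(patient_id: str, key: bytes) -> str:
    """Keyed hash: stable per patient, not reversible without the key."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, key: bytes) -> dict:
    """Return a research copy of one record; the input dict is not modified."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    # Replace the real ID so rows for one patient still link together.
    out["patient_id"] = pseudonym(str(out.pop("patient_id")), key)
    # Coarsen quasi-identifiers: year only, first three ZIP digits, age bucket.
    if "visit_date" in out:
        out["visit_year"] = str(out.pop("visit_date"))[:4]
    if "zip" in out:
        out["zip3"] = str(out.pop("zip"))[:3]
    if "age" in out:
        out["age"] = "90+" if int(out["age"]) > 89 else int(out["age"])
    return out


# Constructed sample records (not real data).
SAMPLE = [
    {"patient_id": "P-1001", "name": "Jane Roe", "ssn": "000-00-0000",
     "visit_date": "2018-03-02", "age": 93, "zip": "10027", "diagnosis": "I10"},
    {"patient_id": "P-1001", "name": "Jane Roe", "phone": "555-0100",
     "visit_date": "2018-04-19", "age": 93, "zip": "10027", "diagnosis": "E11.9"},
]
# Constructed demo key; a real key is a secret kept off the research system.
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for row in (deidentify(r, KEY) for r in SAMPLE):
        print(row)
```

Anyone who holds the key can recompute a pseudonym from a known patient ID, so the key needs the same protection as the original records.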
Returning to Orangeworm, there are no clues or guesses that might reveal their identity or location. However, one way or another, the group knows what it is doing: it has attacked more than 100 organizations since 2015. For what it’s worth, these numbers mercilessly illustrate the state of IT in healthcare – how sad is that. Despite the group’s traditional or even outdated techniques, “it may still be viable for environments that run older operating systems such as Windows XP,” the experts from Symantec explain. Just think about it: Windows XP in 2018.
The different systems healthcare professionals are using aren’t patched on a regular basis. “Some of them are embedded systems that, due to the way the manufacturer has created them, can’t be easily patched. If the healthcare IT department were to do so, it would cause significant problems with the way the vendor can support them,” comments Perry Carpenter, chief evangelist and strategy officer at KnowBe4.
No wonder that criminals profit from these weaknesses and force medical institutions to pay a ransom to recover stolen data. For instance, back in 2016 Hollywood Presbyterian Medical Center eventually paid 40 bitcoins, worth $17,000 at the time, to resolve a ransomware attack. The market is active: in 2016, a database of 34,000 medical records stolen from a New York hospital was on sale for 30 bitcoins (valued at US$19,000), while another stolen database involving 690,000 medical records was selling for 643 bitcoins (around US$411,000) – all courtesy of the dark web.
So what do you know about the orange worms? Well, now you’re informed. Forewarned is forearmed, as they say. However, it would be fair to say that improvements in healthcare cybersecurity aren’t going to happen overnight. It’s going to take time, commitment, and cooperation between organizations. The point is that even the basic practices described above can make a contribution to the better security of healthcare networks.