In its Health Care Cyberthreat Report, data security consultant and research firm the SANS Institute estimates that millions of healthcare IT systems are compromised and fail to meet HIPAA’s network security requirements. The report is based on data related to healthcare organizations in the U.S. gathered over a 13-month period by Norse, a global threat intelligence network that collects data on malicious traffic through its system of sensors that analyze more than 100 TB of traffic daily.
To develop the report, the network recorded malicious traffic coming from healthcare systems, and the results show that compliance efforts aren’t even close to keeping up with data thieves. Business associates are also proving to be entry points for data vulnerabilities.
HIPAA network security rules require healthcare organizations to protect patient data and to develop risk analyses to mitigate threats to that data. The report shows that a large number of healthcare organizations are out of compliance because they have been compromised and are sending malicious traffic.
Malicious events affect all types and sizes of organizations. The report listed the breakdown of the types of organizations that were compromised and the percentage of malicious traffic emanating from them:
- Healthcare providers: 72.0%
- Healthcare business associates: 9.9%
- Other related healthcare entities: 8.5%
- Health plans: 6.1%
- Pharmaceutical: 2.9%
- Healthcare clearinghouses: 0.5%
The report also shows that the compromised systems on healthcare networks are not restricted to desktops and servers, putting a spotlight on IT systems that support mHealth and bioengineering. Medical devices and applications such as connected medical endpoints, internet-facing personal health data and security systems are also part of the networks sending malicious traffic. According to the SANS report, 65% of malicious events came from network edge systems or devices such as firewalls, routers and VPNs.
The fact that security devices and applications are emitting the most malicious traffic is particularly troubling for healthcare organizations. The report suggests that assessment of system configuration and potential vulnerabilities should be an ongoing process of detection to prevent security breaches, followed by improvement and attestation that the improvements have been made.