Mike Hanley, director of Duo Labs looks at how cybersecurity in the healthcare industry compares to other industries looking to protect data
Securing endpoints in the healthcare industry can be challenging. Large hospital systems often have thousands of workstations used by many different employees in addition to personal and work-issued smartphones and tablets.
These devices access patient data and send data over different networks to patients and between healthcare systems. Network-connected medical devices also bring another point of entry to a hospital’s environment and patient data.
Keeping these endpoints up-to-date with the latest versions of operating systems, browsers, plugins and more is no simple task for healthcare IT admins. Furthermore, they may use applications with dependencies on software versions commonly targeted by malicious hackers.
It only takes one outdated device for a hacker to exploit a known vulnerability, install malware, steal passwords and/or gain access to an entire healthcare system and databases of patient data.
Healthcare endpoints vs. others
Duo took a look at our customers in the healthcare industry compared to the rest of our users to gain insight into the current security health of their devices. We found many differences:
- Healthcare customers are logging into twice as many applications as the average user, widening the attack vector.
- Twice as many healthcare endpoints have Flash installed and three times as many healthcare customers have Java installed on their devices, again, putting them at greater risk of vulnerabilities and exploitation.
- Healthcare customers choose Internet Explorer 11 as their preferred browser, compared to the latest version of Chrome for other users.
- Another 22% of healthcare customers browse dangerously on unsupported versions of IE.
- It’s a Windows shop at healthcare organisations, at 82%. 10% of healthcare customers are on Windows 10, another 3% run the unsupported version of the operating system, Windows XP.
Large attack vector
We found that the average healthcare customer has around four applications they log into with Duo’s two-factor authentication, compared to our other customers that have 2.5 each.
That means healthcare customers are logging into almost twice as many applications as the average user - meaning healthcare customers have more accounts to target, increasing their chances of a compromise.
Outdated Flash and Java
Not only are they logging into more applications, our dataset also shows that twice as many healthcare endpoints have Flash installed compared to the rest of our users. Many exploit kits leverage Flash vulnerabilities that target outdated versions of the software, making it a popular and easy way to compromise a device, gain access and steal data.
On average, there are three times as many healthcare customers with Java installed on their devices, at 36%. Only 12% of non-healthcare users have Java installed. Java is another plugin commonly exploited.
What could account for why healthcare users are running Java? Many popular electronic healthcare record (EHRs) systems and identity access and management (IAM) software supporting e-prescriptions require the use of Java.
Another 33% of healthcare customers have both Flash and Java installed on their devices used to log into healthcare networks, making them susceptible to vulnerabilities that affect either.
Internet Explorer vs. Chrome users
The browser of choice for healthcare prevails as Internet Explorer (IE) 11, at 33%, compared to Chrome 48 (the latest version) for all other users, at 28%. Unfortunately, 22% of healthcare customers browse using outdated versions of IE, including versions 8, 9 and 10, compared to just 6% of other users.
This is obviously a security issue as outdated browsers are another target to exploit. The use of outdated versions of IE is particularly worrisome as Microsoft announced its end of life for versions <10 of IE in January of this year, meaning they will no longer release security updates or patches for the browser.
Windows 10 and Windows XP
While healthcare is overwhelmingly running the Windows operating system (82%), they’re not all running the latest version, Windows 10. Only 10% of healthcare customers have adopted Windows 10, compared to 15% of other Duo users.
Meanwhile, 3% of healthcare customers run Windows XP as opposed to 1% of all other users. Microsoft announced its end of life for Windows XP two years ago. The security consequences of continuing to run Windows XP after this date is outlined by the company in its announcement:
“Without critical Windows XP security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information. Anti-virus software will also not be able to fully protect you once Windows XP itself is unsupported”.
Earlier this year, Melbourne Health’s networks were infected with malware after an exploit compromised the Royal Melbourne Hospital’s pathology department, which was running Windows XP.
The malware, known as Qbot, affects Windows versions XP to 7. It’s capable of stealing passwords, and logging keystrokes. According to ITNews.com, the malware bypassed the health department’s enterprise antivirus suite, successfully evading detection (just as Microsoft warned users in its end of life announcement). The infection forced hospital staff to resort to manual offline workarounds, using telephones and fax machines.
Our dataset also revealed that 76% of healthcare customers are running Windows 7. With more than 500 known vulnerabilities affecting Windows 7, there are many ways for an attacker to easily exploit flaws of an outdated OS to gain unauthorised access to a healthcare organisation’s environment. Mainstream support for Windows 7 ended in mid-January, but Microsoft is still providing extended support and security patches through 2020.
One critical vulnerability allows for elevation of privileges, known as CVE-2014-4113. This flaw allows an attacker to run arbitrary code in kernel mode and install programmes, alter data, or create new accounts with full admin rights. Windows 7 and Windows XP are most at risk, as these versions don’t have a new security feature that blocks the exploit code, as in Windows 8 and later versions, according to a Trend Micro blog.
Security recommendations
How can healthcare organisations protect against the threat of malware and breaches due to outdated software? Duo recommends they employ the following:
- Keep OS, browsers, Flash, Java and other software up to date, and apply patches as soon as they’re available from vendors
- Enable strong access security controls, like strong, unique passwords; two-factor authentication; and access security policies to detect, warn, notify and block outdated devices
- Enable and require a minimum standard of security features on your users’ devices, including encryption, screen lock, passcodes, Touch ID and more
- Encrypt patient data while in transit, and in storage; never transmit patient data over public networks