FBI Cyber Division Bulletin: Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions

Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain

2 pages
April 8, 2014

(U) Cyber actors will likely increase cyber intrusions against health care systems—to include medical devices—due to mandatory transition from paper to electronic health records (EHR), lax cybersecurity standards, and a higher financial payout for medical records in the black market.

(U) The deadline to transition to EHR is January 2015, which will create an influx of new EHR coupled with more medical devices being connected to the Internet, generating a rich new environment for cyber criminals to exploit. According to open source reporting from SANS, Ponemon, and EMC²/RSA, the health care industry is not technically prepared to combat against cyber criminals’ basic cyber intrusion tactics, techniques and procedures (TTPs), much less against more advanced persistent threats (APTs). The health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.

(U) A SANS report dated February 2014, indicates health care security strategies and practices are poorly protected and ill-equipped to handle new cyber threats exposing patient medical records, billing and payment organizations, and intellectual property. Data analysis revealed multiple devices (e.g., radiology imaging software, digital video systems, faxes, printers) and security application systems (e.g., Virtual Private Networks (VPN), firewalls, and routers) were compromised. Once medical devices are compromised, malicious traffic is transmitted through VPNs and firewalls. The biggest vulnerability was the perception of IT health care professionals’ beliefs that their current perimeter defenses and compliance strategies were working when clearly the data states otherwise.

(U) According to a Ponemon Institute report dated March 2013, 63% of the health care organizations surveyed reported a data breach in the past two years with an average monetary loss of $2.4 million per data breach. The majority of each data breach resulted in the theft of information assets. Lastly, 45% reported that their organizations have not implemented security measures to protect patient information.

(U) An EMC²/RSA White Paper published in 2013 indicated that in the first half of 2013, over two million health care records were compromised, which was 31% of all reported data breaches. Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number. EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft.

(U) Reporting Notice

(U) The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to the local FBI field office. The FBI’s 24/7 Strategic Information and Operations Center can be reached by telephone at 202-323-3300 or by e-mail at SIOC@ic.fbi.gov. FBI regional phone numbers can be found online at http://www.fbi.gov/contact/fo/fo.htm. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact.