2016 Predictions #7: Healthcare Technology Advances Will Open Up New Attack Vectors

This is the seventh in our series of cybersecurity predictions for 2016. Stay tuned for more through the end of the year.

2015 was a rough year for the healthcare industry – more than 112 million healthcare records were breached, according to the HHS breach portal. That's nine times (9x) higher than 2014. C-level executives at healthcare organizations understand that cyberattacks can have a direct impact on patient care, but they still struggle to advance their security maturity to the point that other industries with a longer history of regulation (i.e., financial services) have reached.

2016 will prove to be a year of innovation for healthcare organizations as they rush to implement new technologies that enhance the patient experience, such as remote patient monitoring and video visits, while many of the same core information security challenges persist.

Here's a look at my top 2016 predictions for the healthcare industry.

The number of breached healthcare records caused by sophisticated cybersecurity attacks will continue to increase

In addition to the fact that there were nine times (9x) more breached healthcare records in 2015 compared to 2014, the top six healthcare breaches in 2015 account for over 98 percent of the 112 million total breached records for the year. Each of the top six was caused by an advanced cyberattack. All signs indicate that sophisticated and targeted cyberattacks in the healthcare industry are increasing with a few of the largest breaches linked to China-sponsored attackers.

In 2016, we will continue to see an increased number of targeted cyberattacks, resulting in major breaches in the healthcare industry. The healthcare providers who will be least impacted are those who:

1. Conduct regular end-user security training to reduce successful phishing.
2. Enforce a robust threat and vulnerability management program to identify risks.
3. Deploy an advanced integrated security architecture to prevent cyberattacks on the network, on the endpoint, and in the cloud.

The IoT revolution will take off in the healthcare industry

For those who don't know, the Internet of Things (IoT) revolution will go mainstream in 2016. The IOT refers to the vast array of WiFi-enabled sensors that will be available to track everything from the level of milk in your fridge to the angle of your blinds, according to the time of day. According to Gartner, there will be 6 billion of them by 2018. The IoT revolution has many applications within the healthcare industry, including remote patient monitoring for high-risk patients and behavior modification to help with obesity and smoking problems. As these devices get smaller and less expensive, we will see more healthcare practices use them to treat patients.

I wrote a blog post recently in response to the FDA's alert for all healthcare providers to stop using Hospira's Symbiq drug infusion pump due to a cybersecurity vulnerability that presented a significant risk to patient safety – the first ever alert of its kind. Billy Rios is the name of the amateur security researcher who identified the vulnerability working out of his garage. This gives you an idea of the amount of research that has been conducted on medical devices (generally, very little). In my recent job as a security lead for a hospital network, I worked directly with multiple medical device manufacturers and was surprised at the extent to which medical device security is an afterthought.

If the IoT devices used in healthcare are produced in the same manner (innovation first, security as an afterthought) they are likely to be compromised by two types of attackers: those interested in profiting (by stealing health data) and those who desire to impact patient safety just because they can. The healthcare providers who will be least impacted are those who adopt strict security standards for their medical devices and make efforts to reduce risk by segmenting their network-connected medical devices.

Healthcare organizations will begin to move critical applications and infrastructure to the cloud

“Cloud” has been a buzzword in healthcare IT for years now as industry leadership strategizes to adopt such technology that has significant opportunities for cost savings, performance and scalability. 2016 will be a transition year for many healthcare organizations that will migrate a portion of their critical infrastructure and applications to the private cloud by the end of the year.

• Big players in the EMR application space (e.g., Epic, Cerner, McKesson) will begin to offer cloud-hosted EMR solutions, and healthcare providers will start executing two-year plans to migrate their EMR to a fully managed private cloud service model.
• Healthcare providers will begin to deploy certain elements of critical infrastructure to cloud services like Amazon Web Services and virtualize things like Active Directory domain controllers and next-generation firewalls.
• Cloud-based file sharing and collaboration sites like Box.com will become more prevalent in the healthcare industry, as users urge leadership to provide an easier method to share data.

Attackers will look to mobile devices as the next best vector into healthcare networks

In 2015, we saw a tremendous amount of spear phishing and email malware in the healthcare industry, but mobile devices are likely to be the next target. In a recent HIMSS survey, 90 percent of responders in the healthcare industry said they maintain mobile devices to engage patients in their organizations. Mobile devices in hospitals are often used to connect to EMRs and view PHI, which introduces a slew of risks, most notably: 1) The ability to connect to unsecured public Wi-fi allows eavesdropping, and 2) Normally benign mobile apps can be poisoned with malicious code, such as the recent discovery of XCodeGhost by Palo Alto Networks Unit 42, which allows the attacker to phish passwords and URLs through infected iPhone apps.

Healthcare is already a targeted industry for attackers, and mobile devices are becoming more integrated into patient care services. It’s only a matter of time before mobile devices become a popular vector to steal health records.

The best mitigation for the risks outlined in these healthcare cybersecurity predictions is a combination of improving both security processes and security technology. Read more about joining the community of 1100+ healthcare organizations who trust Palo Alto Networks to provide the technology required to prevent cyberattacks and protect patient care.

Have a happy and prosperous 2016!

Want to explore more of our top 2016 cybersecurity predictions? Register now for Ignite 2016.