Security threats are growing in abundance as more health organizations choose to host large quantities of patients' personal and medical information in data centers, locally and across the country. A recent study from McAfee discovered over 31 million new samples of malware in Q2 of 2014 alone, bringing the total number of threats to more than 250 million. However, that is just malware. There are too many threats to expect a healthcare providers IT department to have the ability to prevent all of them.
The lack of adequate security should come as no surprise. Community Health System recently lost approximately 4.5 million people's personal data. The worst part is that the data breach was caused by the Heartbleed bug, and the healthcare provider, let alone patients and employees, did not know about the vulnerability or attack until months later, after Heartbleed stopped generating media coverage. Now, many are worried that Shellshock will have similar consequences.
What is "Shellshock?"
Discovered about a week ago, Shellshock is the name given to a pair of vulnerabilities in Bash, a shell program found on Linux, Unix and OS X systems. InformationWeek reported that the exploit has a Common Vulnerability Scoring System score of 10, meaning that it should be taken very seriously. Additionally, the difficulty of exploiting Shellshock is considered to be low.
The result of both ratings has led to many hackers and cyberterrorists using Shellshock-designed malware at increasing rates. The Verge cited a report conducted by CloudFlare, a web-optimization company tracking the vulnerability, which said that the company alone has blocked approximately 1.1 million Shellshock attacks in its first week. The source also reported that attackers are sidestepping traditional computers and directly targeting Network Attached Storage devices, which are basically large hard drives commonly used in organizations' data centers. If successful, the cyber criminals can access any information on any devices connected to networks.
More bad news
While a patch for the source code was created, it requires users to apply it then recompile and redeploy the binary, which is hard for an average employee. That only applies to computers, however. InformationWeek reported that about 10 percent of personal computers run Linux or OS X, and many need to consider Shellshock's effects on the plethora of servers and Internet-connected devices used in hospitals and other health clinics. This applies to medical devices, cameras, network appliances and a lot more electronics. To fix those, the original manufacturers will need to send fixes as the scope goes far above an end user's knowledge.
Another problem is that the effects of Shellshock probably will not be immediately apparent, similar to Community Health Systems and Heartbleed. These vulnerabilities and malware are just the start of a new series of threats, InformationWeek reported. The source also noted that the healthcare industry is at the most risk to attacks like Shellshock and Heartbleed due to its reliance on embedded operating systems.
The cost of an attack could be massive if the results are anything like experts have seen with Community Health Systems. The alternative would be to replace all of the devices used in healthcare settings to prevent intrusions through the vulnerability. That is unlikely and could incur fees just as severe as an attack. Furthermore, many of these healthcare IT departments already have a lot on their plates with electronic health record system implementation, along with all of the other issues and concerns in the industry.
Two solutions
So, if replacing devices is costly, where do healthcare providers go from here? How do they prevent any Shellshock-based attacks? The first approach would be to seek out help from security experts. Finding a company that specializes in data center protection can go a long way toward preventing any similar threats in the future as well as ensure that NAS devices are protected from Shellshock in the short term. Those experts will have the know-how and ability to layer firewalls or set up proxies in an attempt to lead cybercriminals away from personal data.
Knowing that thousands of systems were vulnerable to Heartbleed, it should be expected that one intrusion attempt somewhere was successful. If Shellshock-based malware did happen to find its way into a healthcare provider's network, then having a security and data management service will at least give patients and employees peace of mind that another similar attack will not compromise any information or systems.
The other solution, which in reality should be combined with the former advice, is that IT administrators should brief other IT employees on improved security practices. InformationWeek reported that the U.S. Food and Drug Administration will be offering guidance to healthcare providers later this month and addressing the issue of Shellshock. So, in the meantime, it is important to ensure that steps are taken to protect medical devices from succumbing to attacks. If IT administrators do not know where to begin, they can even considering seeking advice from security organizations.
David Bailey is Senior Vice President at Protected Trust.
Protected Trust is a sponsor of the Print4Pay Hotel. I urge members and readers to visit their site to see their full line of products and services. More and more we need to provide well rounded strategic solutions for our customers. Protected Trust offers some unique solutions that can help us in our day to day efforts. Check them out here.
Comments (0)