Hackers used malware to penetrate Community Health Systems' firewall, and once inside, they made off with some 4.5 million medical records — a staggering but not surprising number to cyber security professionals.
While the uninformed may ask how such a thing could happen, the probable cause is user error. And with so many malicious apps on the market, it’s no wonder.
“The most likely path for the malware to get in is via the usual phishing attack that tricked someone into going to a compromised website,” said John Pescatore, a senior analyst at the SANS Institute. Pescatore said he has no inside information but that this is the most frequent explanation.
And that puts EHRs at risk. If one mobile device is compromised, the EHRs on the server are going to be vulnerable, according to Armando Orozco, mobile security expert and senior malware intelligence analyst for Malwarebytes.
Hackers use mobile devices “as a launch pad,” Orozco added.
Fake apps everywhere
Unlike the old days - the early to mid-'90s - when software was either purchased at a store or sent via the IT department, users today go to the Apple App Store or Google Play Store and download. For very few dollars every kind of application imaginable is available.
Unfortunately, unlike the old days, what users don’t know is where the software came from and where it is really going. No matter how much security is layered into the end-point application, EHRs at the other end, sitting behind elaborate firewalls created by the best security experts money can buy, are still seeing millions of medical records stolen annually.
The latest estimate since reporting became a requirement is that about 30 million records are at risk due to theft, data loss, hacking and unauthorized access, according to the Department of Health and Human Services.
A 2014 report from Trend Micro on mobile applications, “Fake Apps,” found that “as of April this year, of the 890,482 sample fake apps discovered from serious sources, 394,263 were detected as malware.”
While 77 percent of the 50 most popular mobile applications had fake versions, 40 percent of the applications categorized as medical were also phony applications made to look just like the real thing. Of that 40 percent, half were deemed “malicious.”
What to know
Anti-virus software is the most commonly faked application category for mobile devices. Virus-Shield, which had been in Google's Play Store until it was recently removed, saw 10,000 downloads and carried a 4.7-out-of-5 star rating. Sold for only $3.99, it quickly became one of the top paid-for applications on Google's site.
Until, that is, it turned out that all of its protection claims were bogus.
Games and instant messaging applications are also popular with hackers, according to Trend Micro. And here even BlackBerry, which typically gets high marks for stopping cyber attacks, was a victim. BlackBerry Messenger (BBM) fell victim to a "Trojanized" version when an early, unreleased build was tampered with and offered to users before the app's official release on Google's site.
What you need to do
The first line of defense for hospital administrators is to ask vendors whether their solutions are HITRUST (Health Information Trust Alliance) certified. HITRUST, made up of executives from the tech and healthcare industries, is responsible for developing and constantly updating its Common Security Framework.
The framework is designed for any organization that creates, accesses, stores or exchanges medical or financial information and, as such, includes a “prescriptive set of controls” prior to certification.