FBI Issues Healthcare Cyber-Alerts

Cites Transition to EHRs, Networked Medical Devices, as Risks
FBI Issues Healthcare Cyber-Alerts

The FBI recently issued two alerts to the healthcare sector warning of increased risk of cyber-intrusions against systems and medical devices, especially as healthcare providers transition to electronic health records.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

The two "private industry notices," or PINs, were issued on April 8 and April 17, with the latter being an update to the earlier alert, an FBI spokeswoman tells Information Security Media Group.

The April 8 alert, titled, Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain, is based on recent "open source" reports issued by industry researchers and other sources about increasing cyberthreats and related potential fraud facing the sector, the spokeswoman says.

A copy of the alert posted on a public website not associated with the FBI says, "Cyber actors will likely increase cyber intrusions against healthcare systems - to include medical devices - due to mandatory transition from paper to electronic health records, lax cybersecurity standards, and a higher financial payout for medical records in the black market."

The alert refers to the ongoing shift to EHRs, coupled with more medical devices being connected to the Internet, "generating a rich new environment for cyber criminals to exploit."

The alert says, "according to open source reporting from SANS, Ponemon, and EMC²/RSA, the healthcare industry is not technically prepared to combat against cyber criminals' basic cyber intrusion tactics, techniques and procedures, much less against more advanced persistent threats. The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."

The FBI spokeswoman confirmed that a copy of the PIN on the public website appeared to contain the information "widely disseminated" by the FBI to an undisclosed number of unidentified organizations in the healthcare sector.

"We're trying to amplify what's been out in open source reports by issuing a PIN on our own," she says. "We're trying to educate people in the sector who are not aware."

The spokeswoman says alerts were not issued because of an imminent threat, but rather notes the January 2015 date when many healthcare providers will have transitioned to EHR systems as a result of the HITECH Act electronic health record incentive program.

She declined to say what new information or updates were contained in the April 17 PIN.

Reports Cited

The April 8 PIN cites several industry reports, including:

  • A SANS report dated February 2014, "indicating healthcare security strategies and practices are poorly protected and ill-equipped to handle new cyber threats exposing patient medical records, billing and payment organizations, and intellectual property."
  • A Ponemon Institute report dated March 2013, that says 63 percent of the healthcare organizations surveyed reported a data breach in the past two years with an average monetary loss of $2.4 million per data breach. That report said 45 percent of healthcare organizations have not implemented security measures to protect patient information.
  • An EMC²/RSA white paper published in 2013 indicating that in the first half of last year, more than 2 million healthcare records were compromised, which was 31 percent of all reported data breaches. "Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number. EHRs can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft. EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft."

The notice ends: "FBI encourages recipients of this document to report information concerning suspicious or criminal activity to the local FBI field office."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network