Healthcare Avoids Black Hat 2014 Spotlight

Image courtesy of Black Hat USA 2014

Considering just how vulnerable the healthcare industry is to global network hacking, it's no small accomplishment to avoid the main spotlight at the cybersecurity event of the year ‒ Black Hat USA 2014.


It's also hard to imagine that Black Hat's white hot spotlight won't reappear fairly soon when you consider this quote from a healthcare CIO earlier this year.


"We see about a million hits a day from China alone trying to break into our network."
- Bert Reese, CIO of Sentara (as quoted to Healthcare IT News in "Top Healthcare CISOs Hard To Come By")


Now in its 17th year, Black Hat's signature event was in Las Vegas for the better part of last week with a record number of about 8,000 attendees. Many of the cybersecurity legends (and faithful followers) gathered to compare notes and trade exploits of the latest security hacks, vulnerabilities and data breaches. About 150 vendors were also on hand demonstrating their latest solutions in the ever-increasing cyber arms race.


Healthcare has always been a key part of hacker conferences like Black Hat, but largely in the high-profile arena of medical devices. In this category, infusion pumps and cardiac defibrillators often take center stage as high-profile targets that deliver a dramatic effect. Barnaby Jack (who was arguably the industry's leading showman until his untimely death just before Black Hat 2013) was among the first to show that a lethal dose of insulin could be delivered remotely, using a hack he built and demonstrated at the Hacker Halted conference in 2011. Other researchers were able to hack an implantable cardiac defibrillator back in 2008.


Wireless devices were once again front-and-center at this year's Black Hat with the increasingly popular Nest home thermostat (recently acquired by Google for $3.2 billion). The dramatic demo was provided by a team of University of Central Florida hackers and represents an emerging trend of devices known as the 'internet-of-things.' These are relatively new devices that are network accessible and always on, but often lack even basic software or hardware security protection. As one hacker suggested, such a device can be turned quite literally into a 'fly-on-the-wall.' It also reminded me how the user profiles of Fitbit wearers were searchable online using Google - and often included sexual activity as recorded by the device (TechCrunch, July 2011).


Relative to actual healthcare - and recognizing just how much the industry lags in network and data security - the FBI issued a Private Industry Notification (PIN) to healthcare providers earlier this year. Health data tends to have much higher black market value, for things like insurance fraud and as a way to obtain prescriptions for controlled substances.


"The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."
- FBI quote as provided to Reuters (April 2014)


Sometime in 2013, hackers also penetrated the networks of the top three medical device manufacturers - Medtronic, Boston Scientific and St. Jude Medical.


"The economics of it are fairly simple: There is great reward and only slight risk for state actors, or hackers in other countries, to steal or attempt to steal as much intellectual property as it can from U.S. companies that are often decades ahead in technology and research."
- Hackers break into networks of 3 big medical device makers (SFGate, Feb 10, 2014)


Earlier this month, I worked with Norse Corporation to highlight the vulnerability of a 380-bed hospital which appeared on the Norse sensor network as a malicious device. It turned out to be an inexpensive multi-function printer that was directly accessible to any browser attached to the internet, from anywhere in the world.


Healthcare managed to avoid the white-hot spotlight of this year's Black Hat conference, but that doesn't mean the vulnerabilities aren't real - and they are likely much larger than what's reported through the industry's HIPAA breach reports. Those reports could well turn out to be the tip of the proverbial iceberg when it comes to healthcare data theft. HIPAA 'compliance,' after all, is not 'data security.'


With an eye toward those 'internet-of-things' devices, the final word of caution was delivered to the Black Hat audience by Dan Geer during his insightful opening keynote.


"I have long preferred to hire security people who are, more than anything else, sadder but wiser. There are no people sadder but wiser about the scale and scope of the attack surface you get when you connect everything to everything and give up your prior ability to do without. Until such people are available, I will busy myself with reducing my dependence on, and thus my risk exposure to, the digital world even though that will be mistaken for curmudgeonly nostalgia."
- Dan Geer, Chief Information Security Officer of In-Q-Tel (technology investment arm of the CIA), during the Black Hat 2014 Opening Keynote

