Hacker advertises slew of alleged healthcare organisation records - expert comment

June 2016 by Expert

A hacker is advertising hundreds of thousands of alleged records from healthcare organisations on a dark web marketplace, including social security and insurance policy numbers, while also holding the organisations to ransom - http://motherboard.vice.com/read/hacker-advertises-slew-of-alleged-healthcare-organization-records
IT security experts from HPE Security - Data Security, NuData Security and NSFOCUS provide comments:

Stephen Gates, chief research intelligence analyst at NSFOCUS:
"The remote desktop protocol (RDP) should never be exposed to the Internet. RDP normally uses TCP port 3389. The recommendation is to ensure that this TCP port is always blocked inbound on border firewalls. According to the hacker’s claims, he/she gained initial entry to the healthcare organisations via Windows computers with RDP exposed.
Allowing RDP to be exposed to the Internet is nothing more than bad security, and borderline negligence. Being in security for over a decade, I cannot think of a single case where exposing RDP is a “good idea”.
Windows computers with RDP exposed to the Internet can be compromised via brute-force password guessing. However, more often they are compromised due to attackers exploiting vulnerabilities in the protocol itself. For example, doing a simple search for “RDP” on https://cve.mitre.org/find/index.html returns 168 known vulnerabilities. Likely, there are tens of thousands of Windows computers with RDP exposed to the Internet, many of which have not been patched.
Hackers scan the Internet looking for any device that will respond to a scan on TCP port 3389. Once hackers find “exposed” computers, exploiting them is often no more difficult than a walk in the park. If my security team left RDP exposed to the Internet, they would no longer be my security team.
RDP is often used by network engineers and technicians to troubleshoot a problem remotely. For example, if a person is having a problem with their computer, engineers and technicians can remote into the computer in an attempt to “fix” something remotely. The best recommendation when using RDP from outside of the border firewalls is to first connect to the network via a VPN. Once access to the network is gained via a VPN, using RDP in this case is much more secure.
Today, healthcare records are more valuable to hackers than credit card records. Healthcare records contain much more information for hackers to capitalise on. In this case, the hacker looks to have hit the mother lode."
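The brute-force route Gates describes leaves a clear trail in the Windows Security log. As an added example, not part of the original article or of NSFOCUS's comment, this Python script flags source addresses with a burst of failed RemoteInteractive (RDP) logons inside a sliding window and checks whether a successful RDP logon followed; the log lines are constructed sample data and the CSV layout is an assumption, not a real export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): "timestamp,event_id,logon_type,source_ip,account".
SAMPLE_LOG = """\
2016-06-27T10:00:01Z,4625,10,203.0.113.7,administrator
2016-06-27T10:00:03Z,4625,10,203.0.113.7,admin
2016-06-27T10:00:05Z,4625,10,203.0.113.7,root
2016-06-27T10:00:07Z,4624,10,203.0.113.7,administrator
2016-06-27T10:01:00Z,4625,10,198.51.100.9,jsmith
2016-06-27T10:20:00Z,4625,10,198.51.100.9,jsmith
2016-06-27T10:40:00Z,4625,10,198.51.100.9,jsmith
2016-06-27T10:02:00Z,4625,2,192.0.2.5,nurse1
2016-06-27T10:02:10Z,4625,2,192.0.2.5,nurse1
2016-06-27T10:02:20Z,4625,2,192.0.2.5,nurse1
"""

def parse_events(text):
    """CSV-style lines -> dicts; malformed lines are skipped, the account field is not kept."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 5:
            events.append({"time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
                           "event_id": int(parts[1]), "logon_type": int(parts[2]), "ip": parts[3]})
    return events

def rdp_bruteforce_sources(events, threshold=3, window=timedelta(minutes=5)):
    """Source IP -> most failed RDP logons inside one sliding window, for sources at/over threshold."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:  # 4625 = failed logon, type 10 = RDP
            failures[e["ip"]].append(e["time"])
    hits = {}
    for ip, times in failures.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink the window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits

def rdp_success_after_failures(events, ip):
    """True if the source later logged on over RDP (4624, type 10): the clearest sign a guess worked."""
    fails = [e["time"] for e in events if e["ip"] == ip and e["event_id"] == 4625 and e["logon_type"] == 10]
    return bool(fails) and any(e["ip"] == ip and e["event_id"] == 4624 and e["logon_type"] == 10
                               and e["time"] > min(fails) for e in events)
```

Console failures (logon type 2) and failures spread over an hour are deliberately left under the threshold, so the alert fires only on the rapid guessing pattern against an exposed RDP listener.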

Ryan Wilk, vice president at NuData Security:
"Are you worried? You should be. The number of reported healthcare breaches has been on the rise in recent years. It’s concerning that the healthcare industry accounted for 44% of all cyber breaches and attacks last year, costing the U.S. tens of billions of dollars. Medical records are worth ten times more than credit card numbers on the dark web. It’s more important than ever for the industry to get ahead of their vulnerabilities.
The industry simply isn’t doing enough to protect patient, client, agent, and other user data – from PII, to PHI, even PCI – from known, much less emerging, security threats.
It’s true that users and providers demand easy unfettered online access. These days, that means connecting and sharing data between multiple cloud-based, as well as on-premise, services and with other healthcare service providers (HSPs). Yet doing so creates risk that critical data will fall into the wrong hands either in transit or at the endpoints. This risk is not lost on users, who are still wary about their most intimate of personal information – their health records. The risk is also not lost on the healthcare providers and insurers, as they lose more on fraudulent claims. Even with this growing awareness, a culture of permissibility and sharing can still sometimes preclude basic security practice and practitioners seem unable to close the gap between expectation and reality.
This gap between expectation and security delivery is increasingly alarming as fraudsters are changing their tactics and are far more sophisticated now than even a couple of years ago – we’ve seen a 112% year-over-year increase in attacks – and the industry must seek future-proof solutions to counter these quickly-morphing bad actors.
The problem is the online policy/account registration and authentication process is broken because passwords are just so bad - and hackable. In this context, how can the industry better protect the integrity of the online relationship? It’s great that connected technologies allow us to purchase healthcare and insurance policies online, submit e-prescriptions and healthcare receipts for reimbursement, video conference with our doctors remotely, and much more. But there is often only one thing stopping malicious actors from taking out policies in your name, accessing your most sensitive information, and submitting fraudulent claims — your username/email address and password. Yet we’ve become so accustomed to locking our accounts this way, that consumers rely on the provider to do all the heavy lifting when it comes to security – trusting that they’ve got it covered.
Most medical facilities and insurance companies haven’t yet invested in systems that have insight into consumer behaviour and can predict and prevent unusual activity, unlike many financial institutions, which have been fighting the battle with online criminals since the advent of the Internet. Forward-thinking banks and FIs took a more business-to-consumer approach. These banks built their online strategy from the moment of account creation all the way through checkout, and focused on understanding all the facets of how a good customer behaves.
Understanding how users act online – before, during and after they log in – provides you with the knowledge that even if a password has been stolen, an account has been taken over or hijacked, or a fake policy is being created, you know the real user and can take measures to protect the account that have no impact on the good users.
Giving your consumers a good experience builds the trust they need to become loyal promoters of your service, and healthcare and insurance providers benefit from a high level of consumer satisfaction, consumer engagement and repeat business.
Data breaches and stolen account information damage your business and your policyholders. By improving trust and simultaneously reducing fraud in a time when businesses must move customer-facing processes online, you can future-proof both customer safety and your online brand – saving money, growing profits and improving trust.
Today’s healthcare and insurance providers operate in a new world. With the demand for online and mobile healthcare services, HSPs and insurers can take advantage of the many benefits of these online applications while simultaneously protecting their financial risk, customer privacy and brand reputation."

Luther Martin, distinguished technologist at HPE Security - Data Security:
"Encrypting sensitive information is a good way to protect it from misuse by cyber-criminals, but lots of sensitive information still isn’t encrypted. This seems to be particularly common in the healthcare industry. But as the healthcare industry starts to look more seriously at using encryption it will have one advantage that other industries haven’t had. That’s because other industries have recently gone through the process of encrypting the sensitive information. This has created a significant body of knowledge about what works in practice and what doesn’t, both with encryption and related technologies like key management. And by taking advantage of this experience, the healthcare industry can save lots of time and money.

Healthcare fraud is how cyber-criminals monetise the information that they get in data breaches of healthcare organisations. The demand for sensitive healthcare information is so great that the street price of stolen medical records is much greater than the street price of stolen credit card numbers – perhaps as much as 10 times as much.

And even though there are huge amounts of healthcare fraud, there are good reasons why protecting sensitive information hasn’t been taken as seriously as we might like it to be by the healthcare industry. The decision to use any security technology is a trade-off between costs and benefits. In the healthcare industry, those costs can actually include the loss of lives, and it’s easy to understand why healthcare organisations might be reluctant to pay that price for additional protection of sensitive information.

But while the healthcare industry has been slow to adopt encryption technologies, organisations involved in processing credit and debit card transactions have spent the past 10 years learning how to protect sensitive payments information. This has not been easy. The Payment Card Industry Data Security Standard (PCI DSS) and its supporting documents have been revised more than once to reflect the lessons learned as organisations have worked to do this. But what seemed impossible or impractical ten years ago is now done on a routine basis.

The amount of healthcare fraud is huge. But by taking advantage of what other industries have learned about how to encrypt sensitive information, the healthcare industry can avoid several years of headaches. And because the people who have worked through the difficulties of complying with the PCI DSS are often very willing to talk about what they learned in this process, there’s no reason for people in the healthcare industry to not take advantage of what their peers in other industries already know.

The regulatory environment is strongly pushing healthcare organisations towards encrypting sensitive healthcare information. But don’t reinvent the wheel when you go to implement this. It’s too painful and too expensive."