TrapX recently found similar attacks in three separate hospitals' X-ray equipment, blood gas analyzers and other devices.
HiTrust framework addresses healthcare industry
To help healthcare organizations create and maintain a robust security process, the HiTrust Alliance has created a security framework that incorporates best practices and recommendations from NIST, HIPAA, and other regulations and frameworks into one uniform framework.
About 80 percent of hospitals and insurance companies use this framework, said HiTrust CEO Daniel Nutkis.
"There is no question that organizations that are following strong security controls are less likely to have breaches," he added.
The organization also collects breach data, in an attempt to understand how effective each control is.
"We're trying to reduce the costs of cyber insurance for organizations that have good controls in place," he said.
And, after each breach, the organization goes back and reviews the framework and makes changes when necessary.
"We're always adding updates," he said.
For example, the framework has recently focused more on ongoing compliance, he said. "It's not just how well you've implemented the control, but how effectively you're managing it."
For example, monitoring end user behavior is an important part of the process, he said.
"Most of the recent breaches involved an end user problem," he said. "How do we make sure that the end users are engaged in the process?"
Unfortunately, there's only so much that an organization can do.
Mark Ford, the life sciences and health care cyber risk services leader at Deloitte & Touche, recalls a recent case in which a physician took his laptop home and it was stolen from his house.
"He had a lot of patient information on his laptop, and had that laptop encrypted, as he should have," Ford said. "But he put a sticky with the password on the laptop."
All the education and all the tools didn't prevent that breach, Ford said, reminding organization that not only do they need to have processes and procedures in place to prevent breaches, but also plans in place for what to do once they occur.
Sign up for Computerworld eNewsletters.