Why Mainframe Security Risks Are Largely Unrecognized

In the past year, cybercriminals have made the healthcare industry a top target for sophisticated ransomware attacks, often exploiting known but unpatched vulnerabilities to gain access to clinical information.

The implications of those reported but unresolved vulnerabilities are scary, considering the wealth of patient data hospitals manage, as well as the potential life-and-death situations involved. But what about the vulnerabilities that aren’t even on the radar of hospital IT departments?

Most modern hospitals depend on multiple electronic systems and connected IoT devices to operate around the clock. The largest hospitals also rely on mainframes to safeguard some of their mission-critical financial and billing data. The security of hospital systems isn’t always up to sufficiently high standards. And, while mainframes are arguably the most securable platform, they still aren’t impenetrable. Mainframes have weaknesses, like code-based vulnerabilities that, if exploited, could endanger the entire enterprise.

Essentially, code-based vulnerabilities are areas of flawed code that allow a program to bypass the security controls put in place by the operating system and the organization. There’s a huge amount of risk involved with operating system-level vulnerabilities. If a hacker were to exploit a single trap door vulnerability, they would have access to all of the data, applications and users on the entire mainframe.

In a hospital setting, that means access to everything from patients’ personal information to doctors’ orders to insurance coverage, and so on. Hospitals manage a wealth of sensitive information about their patients, like SSNs, addresses, contact information and more, that is considered to be protected health information (PHI).

If a bad actor gains access to the enterprise through the mainframe, they would have the potential to cripple many of the hospital’s most important functions. For example, many medical devices today are peer-to-peer or wirelessly attached to the clinical information system. Imagine if a hacker infiltrates the system, or even takes the mainframe down—those medical devices and the corresponding medicine could no longer be accurately managed and administered.

Part of the challenge when it comes to managing mainframe security is that many IT professionals working on mainframes are unaware of these code-based vulnerabilities. On top of that, hospital IT departments right now are spread thin monitoring all the various systems. A recent survey of nearly 2,500 healthcare security experts revealed that 96 percent believe that bad actors are outpacing the defenses of their medical enterprises.

Although IT managers may be technically savvy, there are simply not enough of them to track all of the risks and ensure their mainframes are always up, running and protected. The good news is that these vulnerabilities are patchable. Of course, vulnerabilities have to be discovered first before they can be patched. It’s time for hospitals to invest in the people and practices that will better guard their IT systems and patient data.

Information Management:
