Why Mainframe Security Risks Are Largely Unrecognized

In the past year, cybercriminals have made the healthcare industry a top target for sophisticated ransomware attacks, often exploiting known but unpatched vulnerabilities to gain access to clinical information.

The implications of those reported but unresolved vulnerabilities are scary, considering the wealth of patient data hospitals manage, as well as the potential life-and-death situations involved. But, what about the vulnerabilities that aren’t even on the radar of hospital IT departments?

Most modern hospitals depend on multiple electronic systems and connected IoT devices to operate around the clock. The largest hospitals also rely on mainframes to safeguard some of their mission-critical financial and billing data. The security of hospital systems isn’t always up to sufficiently high standards. And, while mainframes are arguably the most securable platform, they still aren’t impenetrable. Mainframes have weaknesses, like code-based vulnerabilities that, if exploited, could endanger the entire enterprise.

Essentially, code-based vulnerabilities are areas of flawed code that allow a program to bypass the security controls put in place by the operating system and the organization. There’s a huge amount of risk involved with operating system-level vulnerabilities. If a hacker were to exploit a single trap door vulnerability, they would have access to all of the data, applications and users on the entire mainframe.

In a hospital setting, that means access to everything ranging from patients’ personal information, to doctor’s orders, to insurance coverage, and so on. Hospitals manage a wealth of sensitive information about their patients, like SSNs, addresses, contact information and more, that is considered to be protected heath information (PHI).

If a bad actor gains access to the enterprise through the mainframe, they would have the potential to cripple many of the hospital’s most important functions. For example, many medical devices today are peer-to-peer or wirelessly attached to the clinical information system. Imagine if a hacker infiltrates the system, or even takes the mainframe down—those medical devices and the corresponding medicine could no longer be accurately managed and administered.

Part of the challenge when it comes to managing mainframe security is that many IT professionals working on mainframes are unaware of these code-based vulnerabilities. On top of that, hospital IT departments right now are spread thin monitoring all the various systems. A recent survey of nearly 2,500 healthcare security experts revealed that 96 percent believe that bad actors are outpacing the defenses of their medical enterprises.

Although IT managers may be technically savvy, there are simply not enough of them to track all of the risks and ensure their mainframes are always up, running and protected. The good news is that these vulnerabilities are patchable. Of course, vulnerabilities have to be discovered first before they can be patched. It’s time for hospitals to invest in the people and practices that will better guard their IT systems and patient data.

Information Management:

You Might Also Read:

Healthcare Cyber-Attacks Still Going Up

« Organizations Hit With North Korea-Linked Ryuk Ransomware
Training Young Hackers To Stop Cybercrime »

Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

eBook: Practical Guide to Security in the AWS Cloud

eBook: Practical Guide to Security in the AWS Cloud

AWS Marketplace would like to present you with a digital copy of the new book, Practical Guide to Security in the AWS Cloud, by the SANS Institute.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Cylance Smart Antivirus

Cylance Smart Antivirus

An antivirus that works smarter, not harder, from BlackBerry. Lightweight, non-intrusive protection powered by artificial intelligence. BUY NOW - LIMITED DISCOUNT OFFER.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Cyber Security Service Supplier Directory

Cyber Security Service Supplier Directory

Free Access: Cyber Security Service Supplier Directory listing 5,000+ specialist service providers.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

PCI Security Standards Council

PCI Security Standards Council

PCI Security Standards Council is a global body formed to develop and assist with the understanding of security standards for payment account security.

Italian Association of Critical Infrastructure Experts (AIIC)

Italian Association of Critical Infrastructure Experts (AIIC)

AIIC acts as a focal point in Italy for expertise on the protection of Critical Infrastructure including ICT networks and cybersecurity.

United Security Providers

United Security Providers

United Security Providers is a leading specialist in information security, protecting IT infrastructures and applications for companies with high demands on security.

Industrial Networking Solutions (INS)

Industrial Networking Solutions (INS)

INS Services specializes in designing, deploying and providing on-going support for critical OT (Operational Technology) and IIoT (Industrial Internet of Things) networks.

Finnish Accreditation Service (FINAS)

Finnish Accreditation Service (FINAS)

FINAS is the national accreditation body for Finland. The directory of members provides details of organisations offering certification services for ISO 27001.

Extreme Protocol Solutions (EPS)

Extreme Protocol Solutions (EPS)

Extreme Protocol Solutions is an industry leading Data Sanitization Software, Hardware and Onsite Service Provider.

M12

M12

M12 (formerly Microsoft Ventures) is the corporate venture capital subsidiary of Microsoft.

oneclick

oneclick

oneclick is a central access and distribution platform in the cloud, enabling the management of the entire technology stack for application provisioning.