In its “2017 Fourth Annual Data Breach Industry Forecast”, Experian predicts that organizations in the healthcare industry will be the prime targets for cyber attacks this year. This continues a trend established over the past two years by several low- and high-profile ransomware assaults on hospitals and other healthcare institutions, which netted the perpetrators significant gains in both finances and notoriety through reputational damage.
Healthcare cyber attacks are an issue of growing concern to the patients, staff, administrators, and stakeholders of healthcare institutions across the globe.
Update: In early May 2017, over 200,000 victims in over 150 nations were affected during widespread attacks involving a strain of ransomware variously dubbed WannaCry, WCry, or WannaCrypt. Prominent among them were numerous healthcare organizations of the UK’s National Health Service or NHS – in a scenario disturbingly similar to those predicted in recent assessments of the enterprise security landscape.
Healthcare Cyber Attacks – Escalating Campaigns
March 2016 saw the MedStar chain of hospitals in the USA become another statistic in an escalating campaign of cyber-attacks on the healthcare sector, after hackers infected its systems with a virus that crippled MedStar’s IT infrastructure.
The MedStar chain – which operates ten hospitals in the District of Columbia and Baltimore region (including one at Georgetown University), and attended to over 4.5 million patient visits in 2015 – was forced to shut down its entire IT system and resort to keeping records on paper. Even email access was denied to MedStar’s approximately 35,000 employees, who were also unable to pull up any digital records on their patients.
Other incidents in 2016 saw providers in the healthcare sector falling victim to ransomware assault. The Hollywood Presbyterian Medical Center in California was forced to part with about 40 bitcoins (equivalent to around $17,000) to regain access to an electronic health records system that had been encrypted in such an attack. Less than a week later, a similar assault hit another pair of hospitals in Southern California.
And these were just the high-profile cases which were actually reported. There are several reasons contributing to the attractiveness of the healthcare sector as a target for cyber-criminal activity, and the subsequent rise in incidents that’s prompted the conclusions of the Experian report.
Healthcare Cyber Attacks – Lucrative Gains From PMI
An IBM report cited in the Experian research suggests that over 100 million healthcare records were compromised in the last year alone. A large proportion of these will have contained personal medical information or PMI – which is a valued commodity on the so-called “Dark Web”, and the wider black market.
Hospitals Provide A Vulnerable Target
The IT networks of hospitals and other health facilities are notoriously vulnerable to attack. Cost-cutting measures have left many institutions relying on legacy hardware, software, or operating systems with unpatched vulnerabilities ripe for exploitation. The same condition often also applies to the firmware and on-board operating systems of endpoints and medical devices.
Fraud and EHR
Electronic health records (EHR) systems typically contain within their databases comprehensive personal and medical histories of individual patients which, if extracted and reconstructed, could give hackers and cyber-criminal networks access to fully rounded personal profiles – ideal as the basis for impersonation and fraud schemes, or for direct sale to third parties in identity theft transactions.
Healthcare Cyber Attacks – Easy Pickings from Ransomware
Drawing upon their history of recent successes, distributors of ransomware are also likely to step up their activities in the healthcare sector during this year. With so much of the success of healthcare institutions hinging on the level of trust they enjoy with patients and the wider public, high-profile shaming at the hands of ransomware perpetrators is something that many facilities would rather avoid by simply paying up quietly to have their vital systems and equipment restored.
For the medical facility, paying a ransom with the minimum of fuss and publicity avoids damage to their reputation which could have a far greater financial impact. For the cyber-criminals, it’s easy money – and a chance to do it all again, with another victim. Cyber-security is the biggest loser in all of this.
The Physical Threat from Compromised Devices
Though the emphasis in attacks on the healthcare sector to date has been on monetary gain and an increase in leverage over institutions eager to protect their images and reputations, the possibility of actual physical assault in the form of digital sabotage on critical pieces of medical equipment very much exists.
As recently as 2012, a professional “white hat” hacker named Barnaby Jack (working in consultation with the security firm McAfee) was able to demonstrate the susceptibility of certain insulin pumps manufactured by Medtronic to hacking. With the appropriate methodology, a cyber-attacker could remotely disable the security protections on these pumps from yards away, then go on to flood a diabetic’s bloodstream with fatal doses of insulin.
Similar concerns have been raised about the vulnerability to exploitation of other devices, such as defibrillators, brain stimulators, and the wireless transmitters used to give instructions to pacemakers, that use unsecured wireless network technology, or unpatched legacy operating systems and software.
The Importance of Localized and Network Security in Preventing Healthcare Cyber Attacks
Such concerns have prompted efforts by device vendors and component suppliers to develop ways of improving security and patient safety, and inspired the researchers of several academic projects to come up with innovative and reliable methods of safeguarding vulnerable medical devices. Much of the work has been in the field of wireless transmission (a necessity, given the small size and/or implantation required of many devices), with an eye to shielding protected hardware from unauthorized signals.
At the larger scale, comprehensive endpoint and network security are the prescription for health facilities and healthcare networks, where for too long cyber-security has been considered more of an expensive luxury than a vital need – and one which has often been implemented in a “bolt on” fashion, rather than as an integral part of facility and process design.
The Need for Security Awareness and Best Practices
As with enterprise cyber-security, there’s a need to compensate for the considerable vulnerabilities introduced by the human element – be that a lack of security awareness, or an ignorance of best practices and due diligence with regard to threats such as phishing or social engineering. As several of the recorded ransomware incidents have proved, all it takes is a single email recipient opening the wrong attachment to lead to the effective shutdown of an entire hospital.