The healthcare industry is under attack for a reason. Cybercriminals view it as a place that’s ripe for “big wins,” and the number of large healthcare institutions recently falling victim to data breaches shows they’re having success.
But what exactly makes healthcare such a popular target among today’s cyber-criminal community – how big are cybersecurity risks in the healthcare sector really? In this post, we will take a look at what’s so appealing to malicious hackers about the healthcare industry, including:
- Sensitivity and Value of Health Information
- Control of Medical Devices and Systems
- Healthcare is Vulnerable
Sensitivity and Value of Health Information
Cybercriminals that are able to penetrate healthcare networks gain access to sensitive information through medical records. The value of a stolen record is based on its ability to be replaced. For example, credit cards are easy to replace. It simply involves a phone call to the card issuer and a trip to the bank to get a new one. Patient records and other human data, however, are difficult if not impossible to replace. Electronic Medical Records (EMRs) serve as a one-stop-shop thanks to the availability of full names, social security numbers, addresses, and more.
This information can be used for financial fraud outside the healthcare industry and if the victims’ health insurance information is gathered, criminals can then sell the information for even more money on black markets. In fact, one Medicare number can reportedly sell for nearly $500 on today’s black market – which is up to 10x the amount of a credit card number. Health insurance information can be leveraged for medical fraud, and arms criminals with the information needed to access free medical care, prescriptions, or even the ability to buy expensive medical equipment that can be sold for profit.
Lastly, stolen medical data can go undetected for much longer periods of time than something like a credit card, which is often closed within days of a breach.
Control of Medical Devices and Systems
More internet-connected medical devices and systems are being incorporated into the framework of healthcare than ever before. As a result, cybercriminals are being provided with more avenues of ingress and surfaces to attack than ever before.
Connected devices like drug pumps or pacemakers that are commandeered by cybercriminals could have fatal consequences. However, cybercriminals also try to breach non-life-threatening devices to gain access to systems. Newly introduced connected medical devices are especially vulnerable to threats, as security can oftentimes take a backseat to device performance and convenience across the industry.
Once cybercriminals find their way into networks, they aren’t just using access to steal patient data. In the past years, there have been a number of instances where ransomware was used as a means for quick financial “wins.” With ransomware attacks, cybercriminals seize control of systems and lock them up until the institution pays them currency for returned access. Healthcare institutions are often pressured into paying the sums of money being asked as prolonged downtime can be damaging not only to reputation as in any industry, but more importantly, patient safety. One of the most notorious ransomware attacks of all involved the WannaCry ransomware, which is believed to have struck 34% of all the National Health Service (NHS) trusts in England.
While we strongly oppose paying ransoms, this unique situation creates a more complicated scenario: It depends on the systems that were affected. Law enforcement has come out strong against paying the ransom for fear it will open up a Pandora’s box, but if patients’ health is at risk and the hospital’s business is affected severely, they may not have a choice.
But even if the attackers keep their word and decrypt your data after you pay, there is no guarantee that they will not leave other forms of malware running on the system in order to carry out other crimes, like sending spam emails, launching DDoS attacks, and stealing personal or financial data for use in online fraud and identity theft. This means, the cost of cleaning the organization’s IT environment could easily exceed the ransom that was paid many-fold.
Healthcare is Vulnerable
With so many connected pieces of medical equipment and different types of software being run, it’s a challenge for healthcare organizations to successfully defend against attacks. Inadequate budgets and a lack of skilled security personnel, combined with the hurdles presented by a variety of security needs, are all holding healthcare institutions back. And cybercriminals are aware of these struggles.
As a result, the industry’s vulnerability makes it an easy target for criminals. An attacker targeting a healthcare organization often has the luxury of gathering a little bit of information from one system, and then moving on to their next target without being detected. The number of vulnerable systems in an existing healthcare network makes it simple for them to collect a number of small wins over time that can equate to a big win overall.
And as proven in the last years, a relatively small-scale attack with only a few individual systems infected with ransomware can have a devastating effect – i.e. it can force an entire hospital to revert to a manual system to provide care because the data isn’t available otherwise. Health organizations have to start considering the fact that the integrity of the data and the availability of the data is in many ways more important for the operation than confidentiality.
End of 2018, Michigan-based medical billing company Wolverine Solutions Group (WSG) reported thousands of patients impacted by a ransomware attack. According to WSG, its critical operations were down for over 40 days after the ransomware attack was initially detected. While this is bad enough – work has continued in the months since to identify those individuals whose healthcare clients were affected. The company has mailed out a number of notifications to affected individuals in December, January and February, and says it will send out more this month.
As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organizations to refine their cybersecurity strategies.
Today’s healthcare organizations need to think about ways to speed up and improve their security. Comprehensive cybersecurity solutions that address today’s borderless attack surface make it possible for healthcare institutions to be both secure and high-performing at the same time. An added benefit of making security a primary requirement for every data record and application is faster processing due to increased trust and proven competence.