Cybersecurity In Healthcare: Why You Should Be Worried

Technology has completely changed the practice of modern medicine. From telehealth to electronic patient/health records, innovation is abundant in clinical medicine. However, as with any form of technology and the movement of information to virtual or cloud systems, there are vulnerabilities. Healthcare cybersecurity is critical, given the expansive amount of personal and sensitive information that is often contained in patient health records.

According to the latest report from IBM and the Ponemon Institute, healthcare organizations have had the highest costs associated with a data breach for the 10th year in a row. This year, IBM claims that a healthcare breach costs an organization $7.1M on average, up a hair from last year's cost ($6.45M).
According to a CBS report, medical records can sell for up to $1,000 each on the dark web, while social security numbers and credit cards sell for $1 and up to $110 respectively. Why? Because healthcare records often contain a lot of personally identifiable information (PII) in one neat package. Additionally, it can take months for a healthcare data breach to be discovered, enabling cybercriminals to extract much more valuable data. To make matters worse, healthcare organizations have more than data loss to worry about. When the National Health Service (NHS) suffered a ransomware attack in 2017, it led to disruption at hospitals across the UK. Thousands of patient appointments and operations had to be canceled or transferred to other clinics.
Ransomware attacks against hospitals have been ramping up in recent years, including attacks that impacted more than 700 healthcare providers in 2019 alone, according to one report. Hospitals are attractive targets because they can't afford downtime and are therefore more likely to pay. On Sept. 10th, the Duesseldorf University Clinic in Germany was hit by ransomware, which forced staffers to direct emergency patients elsewhere. The cyberattack crippled the hospital's entire IT network, and as a result a woman seeking emergency treatment for a life-threatening condition died after she had to be taken to another city for treatment, because the digital services were all compromised with malware. The incident marks the first-ever reported human death indirectly caused by a ransomware attack.
The Australian government has issued a security alert urging local health sector organizations to check their cyber-security defenses, and especially their controls for detecting and stopping ransomware attacks. The Australian Cyber Security Centre said it "observed increased targeting activity against the Australian Health sector by actors using the SDBBot Remote Access Tool (RAT)." While the ACSC has not provided any details about what "targeting activity" means, the SDBBot RAT has been almost exclusively distributed by a cybercrime group known as TA505. The group relies on massive email spam campaigns to target companies and infect workstations with malware. Once it is installed, the malicious actors use SDBBot to move laterally within the network and exfiltrate data.

Research conducted by ISE in 2016, titled "Securing Hospitals", identified the most likely adversaries faced by healthcare facilities. It states that not all health sectors face the same threats. "For instance, a small healthcare facility in an unpopulated area may not be concerned with nation state or terrorist threats, while a metropolitan area hospital could be." The table below, extracted from ISE's report, summarizes the different profiles of attackers and their likely targets.
Hospitals sometimes simply lack the resources to maintain an adequate level of full-time cybersecurity staffing. The wide range of patient care devices that now have internet connectivity also presents a unique challenge in terms of keeping up with patches and vulnerabilities. In some cases, very expensive pieces of equipment may not be patchable but are also too critical to be taken out of service until the hospital can source a replacement. One vector by which hospitals are exploited is common to every type of business: email phishing. As with any other type of organization, the primary defense is raising awareness at the individual employee level via regular notices and training. Strong password policies and the implementation of multi-factor authentication help in this area as well.

The other major vector has been created by the push to have connected and "smart" devices distributed throughout hospitals in recent years, each of which creates a new potential point of attack for intruders looking to penetrate the network. Even an attack that aims to use a particular subset of equipment for a botnet attack or as a cryptocurrency miner could have devastating effects similar to the tragedy seen at the German hospital if the equipment slows down or crashes at the wrong moment.

Cybersecurity has become a strategic issue for healthcare facilities. Because these facilities are branded as easy targets with obsolete defenses and poor IS and IT organization, hackers don't hesitate to attack them for any profit they can get: paralyzing the systems using ransomware, hacking into hospitals' databases and selling patients' information to the highest bidder, threatening to release private information, cutting off their power supply, etc. These are only a few examples of the numerous types of cyber-attack that healthcare facilities have to deal with.

Hospitals need to move forward together to make the industry less attractive to cybercriminals. Although compliance is essential, it does not equal security, and hospitals should set their target level of cybersecurity beyond the requirements of compliance alone. Knowing your vulnerabilities and the ways in which attackers could exploit them is one of the greatest insights you can gain for improving your security program.