You may not know it, but hackers are targeting hospitals and they are targeting them more than ever.
Last year cyber attacks went through the roof, with some estimating that hacks on healthcare went up 63%; others put it as high as 320%.
These attacks are also beginning to have a direct impact on patients. This year, for example, public hospitals in the UK had to turn away patients with non-life-threatening conditions when their systems were paralyzed by a virus.
With U.S. healthcare budget cuts on the agenda, hospitals could potentially be more vulnerable than ever. But why are our hospitals being hacked, and how are the hackers doing it?
Why hack healthcare institutions?
Hackers are targeting the healthcare industry for two reasons. Firstly, it is lucrative, and secondly, it is vulnerable.
‘The healthcare industry’, says Alex Margovsky, Healthcare Security Consultant at Alpharidge, ‘is much easier to get into than a bank. And the value of that information is also the highest.’
In 2012, U.S. healthcare spending reached a landmark $3 trillion and has continued to swell. Thanks to aging populations and the development of emerging markets, Deloitte predicts that the amount spent on global health care will reach $8.7 trillion by 2020, equating to 10.5% of GDP.
This has made the healthcare industry a prime target for hackers: anyone who manages to hold a healthcare provider to ransom can be sure that the provider has money.
The data they hold is also incredibly valuable. Consider the type of information that hospitals hold. Should you get access to it, you can hold lives to ransom, and what is more valuable than life itself? For this reason, a survey of the average prices of confidential data sold on the dark web shows healthcare credentials to be more valuable than credit card information.
Healthcare data is also prime material for blackmail. Should you obtain a list of individuals with serious or stigmatised diseases such as HIV, you can be sure that many will strive to make sure such information never becomes public.
Secondly, hospitals are being targeted because they are highly vulnerable to cyber attacks. Technologically, the healthcare industry lags behind. Unlike banks, healthcare organizations are not at the cutting edge of security. Some aren’t even aware that as of April 11th, 2017, Windows Vista is no longer supported by Microsoft, making Windows 7 the oldest operating system you should have installed on your computers.
It is not just their technological backwardness that leaves healthcare providers susceptible to hacks; their operational structure also makes them more insecure. Unlike banks, they do not have the luxury of being able to limit the access points to their data. To maintain their slim profit margins, healthcare providers must work with numerous contractors, run a huge arsenal of machinery from different manufacturers, and work with a number of consultancies to ensure their operations are efficient. One hospital may work with thousands of vendors.
This makes life far easier for hackers. They can target others who have access to sensitive information rather than attacking the healthcare provider directly. The provider can make sure its own employees update their passwords every few months, but it can do very little to ensure that its contractors maintain the same level of security.
Hackers usually access information in one of two ways. They can try ‘social hacking’, which means tricking a person into handing over sensitive information or security credentials, which in turn allow access to sensitive information. The person tricked could be someone who works directly for the provider or an outside contractor. An unsophisticated example could be, ‘Hi, I am an IT provider for your company, and I need to carry out some maintenance. Could you please provide these sensitive details for me?’
The second way is brute force: directly attacking a security system.
Once they access the data, what do they do with it?
In some cases hackers access sensitive data, extract it, and lock the owner out of it. They can then sell it back to the company. If the company does not have backups, buying it back is probably the only viable option. The alternative is to lose all records of its patients, which it will never be able to replace.
Another possibility is hackers stealing data and selling it to the public. The information may be sold to criminal groups on the dark web who wish to use sensitive information for blackmail or fraud purposes.
Who is hacking healthcare?
In 2016, the largest number of hacks came from China, India, Russia, Korea, and South America (in that order).
Overwhelmingly, these hacks are not carried out by Hollywood’s stereotypical lone hacker in a dark room; they are carried out by organised criminal groups. These businesses have sophisticated operations, often systematically targeting large lists of institutions one by one until they get the data they are looking for.
Can they be stopped?
The surge in healthcare hacking has led to the rise of a number of healthcare security experts, such as the consultancy Alpharidge.
‘The number one way that we are handling this issue is by improving identity protection’, says Alex Margovsky, CEO of the consultancy. This usually entails two-factor authentication, i.e. using measures such as fingerprint recognition or mobile phone push notifications in combination with a traditional password. This is usually very effective, according to Margovsky, as ‘it is normally standard accounts that are breached’.
Another way to reduce your vulnerability to hacks is using backups. With backups, healthcare providers can ensure that if they are hacked, they are immune to being extorted for the data. They can simply restore the system in as little as 24 hours. ‘Best protection is an insurance policy’, says Margovsky, ‘and there is no better insurance policy than having a copy of the same thing that you want to insure’.
So, although healthcare providers may currently be very vulnerable, it does not have to be that way. By taking some preventative measures they could significantly reduce the likelihood of being hacked. ‘By implementing a few simple and inexpensive security precautions, healthcare providers can implement a robust IT strategy’, says Margovsky.