Health care is one of the most important industries. While other sectors focus on products people want, the medical field provides a service the public actually needs. Sadly, this altruism isn’t rewarded. Hackers are increasingly targeting these institutions with their nefarious plots, and a lot of patients are getting caught in the crossfire.
The problem here is that quite a lot of people don’t understand the threat facing the health care industry right now. News reports of retailers and financial institutions getting hacked have people thinking these are the most targeted sectors, but this just isn’t true. Analysis of 10 years of cyber attack data actually points to health care as the most hacked industry out there. Trend Micro’s Numaan Huq found that over the past decade, medical organizations made up nearly 30 percent of all observed enterprise hacks.
Clearly, hackers have a lot of motivation to go after these kinds of institutions. However, hospitals don’t really come to mind when most people think of an easy buck. Why are hackers going after health care, and what are the implications of this trend for the future of the industry?
The sector has a lot of valuable data
Although a bank may have more money sitting around than a hospital might, hackers aren’t really looking to go after straight cash when they break into a network. To begin, financial organizations generally have quite a lot of security surrounding their accounts, and breaking through these defenses is tough. On top of that, money is traceable, and a hacker would have to launder any amount stolen from a bank.
Information, on the other hand, is a lot harder to track. What’s more, a hacker who sells personal information stolen from a hospital has the ability to simply offload the responsibility of making money off of the data on the black-market customer who ends up buying it. The cyber criminal simply takes his payday and goes back to the shadows, once again separated entirely from the information he’d just stolen.
This is exactly why so many hackers have decided to go after the health care industry. As we’ve discussed before, medical institutions generally hold onto a lot of personally identifiable information, such as credit card details, names and both physical and email addresses. While this puts them on the cyber criminal radar, the real kicker is that these organizations also don’t generally spend a lot of money on cyber security.
A study commissioned by HIMSS Analytics found that roughly 80 percent of health care institutions use less than 6 percent of their budgets on data protection. To put that in perspective, the financial industry generally allocates 12 to 15 percent of its IT expenditure toward security. With such a large treasure trove of information guarded by so little, it just makes sense that hackers would actively target hospitals from a purely logical perspective.
At this point, it’s important to keep in mind who the bad guys are. Although these hacked organizations generally could have done something different, hindsight is 20/20 and everyone should remember not to victim blame. The hacker is always the one who instigated the attack, and any analysis of the security discrepancies on the side of health care institutions is only meant to motivate others to tighten their defenses.
What kinds of hacks are levied against these organizations?
Although hackers use all kinds of techniques to get the personal data they’re after, one of the rising stars in the online criminal underground is ransomware. This is also a topic that we’ve gone into detail about, but a quick summary is that this malware encrypts all the data on a computer or network and forces the victims to pay up if they ever want to access their files again.
Although ransomware’s widespread use is relatively new, it’s devastatingly effective when a hospital falls into a hacker’s crosshairs. This is because the malware completely shuts down the facility’s ability to properly treat patients. Medical professionals need access to digital systems in order to understand patient history and access other records, and ransomware keeps these people from doing their jobs.
What’s more, hackers generally don’t go overboard when demanding ransoms. One Hollywood hospital ended up having to pay $17,000 in bitcoin to an attacker to decrypt its files. A moderately sized hospital can take that kind of financial hit without having to think too hard about it, which is the perfect opportunity for hackers to make a solid profit.
These factors make a perfect storm that’s devastating the health care industry right now. A survey of hospital decision makers conducted by Healthcare IT News and HIMSS Analytics found that around half of the respondents stated they’d been hit by ransomware in the past year. That’s an incredibly high number, and it’s bolstered by the fact that an additional 25 percent had no idea whether or not their organization had run into this particular form of malware.
With so many health care facilities falling victim to ransomware, the question remains as to how these attacks find their way onto the local network. Obviously, there isn’t a single answer to this, but one of the main ways hackers compromise these systems is by tricking workers with phishing campaigns. This involves some kind of enticing email from an unknown account, with a link attached to it. Employees who click this link open their computers up to infection, and if they’re connected to their organization’s network, there’s a good chance the whole hospital might get caught up in the hacker’s attack.
Cyber attack, real consequences
If there’s any upside to cyber attacks against other industries, it’s the fact that no one gets physically hurt. Sure, some money or information may have been stolen, but at the end of the day everyone is safe and sound. This isn’t true of a ransomware infection in a hospital. An extended period of file encryption means that doctors can’t properly treat patients, and that could very well lead to some real-world harm. Daniel Nigrin, CIO of Boston’s Children’s Hospital, has similar feelings about a hack levied against his organization in 2014.
“One of the biggest things we took away from our Anonymous attack was that in the past, I had always thought about cybersecurity related to health IT as safeguarding data – but our experience made us understand it is more than that,” said Nigrin. “These cyber attacks can be disruptive to the routine daily operations of a hospital. One can argue these kinds of attacks are even more significant than the breach of data because at the end of the day we are taking care of patients who are sick, and that has to be [our first priority.]”
No deaths have been directly tied to ransomware yet, but with the massive number of organizations having to deal with these infections, a mistake could very easily be made. Certain patients have very specific needs, and a hospital worker who doesn’t have access to digital files could forget about an allergy to a common medicine or food.
What can organizations do to protect themselves?
Although health care organizations sadly have a target painted on their backs these days, there are some steps they can take to mitigate the risks of an attack. First and foremost, the IT department needs to make clear how serious this situation is. Spending less than 6 percent of the IT budget on cyber security simply isn’t enough, especially considering how effective ransomware has proven to be against the sector.
Second, employees need to be trained about the dangers that they face. This should absolutely include a section pertaining to phishing and other forms of social engineering. An organization can spend the entirety of its budget on cyber security defenses, and an attacker can still infect the network by getting an employee to click a link.
Finally, medical institutions should absolutely invest in a disaster recovery plan that includes regular data backup. To begin, employees need to know exactly what’s expected of them when systems are down. This allows them to take the exact action the administration needs them to without inciting a panic. Backup is also an essential part of fighting back against ransomware.
The entire scheme relies on the fact that the victim needs their data so badly that they’ll pay for access to it. If the organization has its most vital information in a separate backup system, it can shrug off the ransomware attack and get back to healing people while the IT department sorts out the infection. On top of that, backing up vital information is just a good habit to have, as data can be lost due to anything from hurricanes to human error.
Health care may have a lot of challenges to overcome in the future, but diligent effort and constant vigilance can overcome these hurdles. Despite their malicious intentions, hackers are smart individuals, and those combating these criminals just have to be smarter. Ransomware and other attacks can be kept at bay, or at least their blows can be lessened, if workers are educated about the dangers facing them.