The Cybersecurity Crisis Facing the Healthcare Industry
Posted July 14, 2017
The increased utilization of electronic health records (EHRs) has provided remarkable benefits to medical professionals and their patients. By having immediate access to a more complete patient picture, medical professionals are better equipped to make informed decisions quickly.
However, the push for widespread adoption of EHRs has resulted in increased security concerns. Millions of healthcare records are stolen each year as cybercriminals target medical groups, hospitals, and insurance providers, which often employ legacy systems. Major cyberattacks on healthcare organizations increased 63 percent in 2016 compared to the previous year.
That number continues to rise as cybercriminals become increasingly aware of the security challenges faced by the healthcare industry, including a lack of budgeting necessary to upgrade systems and security.
Healthcare organizations need to worry about more than just the security of their networks. They must also protect their devices and equipment. Medical devices have become increasingly connected to the Internet, making them susceptible to cyberattacks or “medjacks” (medical device hijacks). Cybercriminals are targeting outdated and unmaintained devices to build backdoors and botnet connections into healthcare network systems. These attacks can often remain undetected within an organization’s network for long periods of time.
Every radiation oncology system, computed tomography (CT) scanner, magnetic resonance imaging (MRI) scanner, ultrasound system, PET system, picture archiving and communication system (PACS), and X-ray system can serve as a point of entry into a hospital’s network. Once inside a hospital’s network, cybercriminals can launch attacks to steal patient credentials, which are 10 times more valuable than credit card data on the dark web. Credit cards can be canceled in minutes rendering them useless, whereas stolen identity credentials can be used for a range of fraudulent activities, such as opening new credit cards, taking out loans, and purchasing insurance, furthering monetary gain.
However, stolen data isn’t the only concern when it comes to patients. Earlier this year, the FDA confirmed that St. Jude’s implantable cardiac devices, which are monitored remotely, can be a gateway for criminals to not only steal patient information, but also to commit malicious activities. Once a cybercriminal gains access to a device used to monitor or control a patient’s heart function, such as a pacemaker or defibrillator, he or she can deplete the battery or administer incorrect pacing or shocks. Cybercriminals can also use the threat of harming patients as leverage in an effort to get organizations to pay hefty ransoms.
Ransomware has become the malware of choice for cybercriminals targeting healthcare organizations, as these organizations often pay ransoms to avoid legal fees and settlements, HIPAA fines, and negative impact on their reputations. However, paying a ransom doesn’t guarantee the safe return of patient data. Furthermore, if patient data is returned to an organization, it’s possible that it has already been compromised, and cybercriminals may continue to target the same organization if it has paid up in the past.
The recent WannaCry ransomware attack, which included health care facilities, demonstrates the impact of cybercrimes in the industry. Medical devices and equipment were affected as the malware spread from computer to computer, seeking out old versions of Windows and systems lacking updates, causing chaos in its wake and putting lives at risk.
Cybercriminals smell blood in the healthcare industry. With legacy systems, multiple points of entry, and heavy repercussions for breached data, healthcare organizations lag far behind other industries in terms of security, and have become easy prey for cybercriminals. It is imperative that healthcare organizations place greater emphasis on combating cyberattacks and allocating more resources to protect themselves and their patients.
What is your healthcare provider doing to fend off future cyberattacks?