Every year, the number of exposed medical records doubles.
IT companies now believe that it’s not a matter of if a cyber attack will happen but when.
The healthcare industry is a large part of the US economy and it’s starting to slowly embrace technology. But both of these places a massive target on the industry’s back.
Hackers are hungry to find and exploit technological weaknesses to make a quick buck. They're getting smarter and healthcare organizations make the perfect victim.
Table of Contents
There's a Ton of Data and It's Valuable
A call from your credit card company about suspicious account activity isn't fun. You’ll have to cancel your credit card, talk to the company’s support team for hours, and may not get your money back. Chances are that it’s not the end of the world, it’s more of an inconvenience.
But how was your information stolen in the first place?
Maybe a data breach happened that exposed your credit card number, it landed on the black market, and someone purchased it via blockchain. Purchasing credit card numbers on the dark web is like buying from a vending machine, they’re cheap.
Vendors on the dark web bundle credit card numbers with extra Personal Identifiable Information (PII) to make more money. In other words, purchasing a credit card number without a CVV may only cost around $5 but one that includes bank information is more expensive. Credit card numbers cost between $5 - $110 depending on the amount of bundled information they come with.
Credit card information is replaceable and security advancements continue to make it harder for hackers to use it, making purchasing inexpensive. Patient medical records are a different story.
Medical records that contain the most amount of information, denoted as “fullz” on the dark web, can cost up to $1,000 if they contain the most amount of information possible. Medical records are big-ticket items for hackers.
On average, it takes healthcare companies 197 days to identify a breach and another 69 days to contain it. That gives purchasers almost a year to do whatever they want with the most sensitive data on the market.
Some hackers will buy whatever medical information they can find on the dark web. Cynerio found 140 million records on the dark web with Social Security numbers. Out of all those records, 43% included a death date and cost $2.00 each.
Why would anyone buy records from someone pronounced dead?
The ideal victims of fraud are those that can’t file complaints or find illegal activity. Purchasers buy these records with the intent to obtain medical supplies, book appointments, receive prescription drugs.
Prehistoric Medical Technology Systems
Every electronic instrument used in a hospital contains a CPU. Everything from MRI machines to the smallest oxygenators may contain an exploitable vulnerability. This is especially true if they’re no longer supported by the original manufacturer.
Most IT experts recommend replacing and updating technology infrastructures every 10 years. But according to HITInfastructure.com, the healthcare industry has missed two of these cycles.
There are two sides to that fact. On the one hand, it’s great for medical vendors seeking to sell their sleek, new equipment to doctor’s offices. On the other hand, it's bad because it means the industry that has the most valuable data is also the most vulnerable to an attack.
The industry is at a crossroads when it comes to updating their technology. Most health leaders know that outdated equipment is vulnerable to an attack but they haven’t acted on it.
According to HealTech Magazine, most healthcare organizations believe that they’ll experience an attack on their outdated equipment within the next year. Even so, only 15 percent of them are taking steps toward cyberattack prevention.
IoT Increases Access Points
Hospitals who’ve updated their systems still face threats. We’re at an exciting point with medical technology. Smart systems can communicate with each other, and analytics has never been more accurate.
Security for these devices isn’t always embedded, it’s offered as an add-on feature. Without purchasing these bundled features, there’s an increased chance for human error.
Instead of purchasing the security add-ons, hospitals and practices could utilize network segmentation, a best practice for IoT devices. Network segmentation holds true to its name, the practice involves breaking networks into segments. Defined user types have limited access.
A study by Forescout found that healthcare companies deploy less than 50% of their medical devices across 10 or fewer virtual local access networks (VLANs). That statistic proves that the majority of hospitals have poor segmentation implementation.
Some hospitals allow out-of-network professionals working on-site to use their own devices. The industry calls this practice “bring your own device” (BYOD) and it’s becoming more common. According to a 2017 Spõk study, 71% of hospitals allow some form of BYOD use for clinicians.
Although convenient, there are a lot of risks involved with bringing un-encrypted devices into an industry where there’s so much sensitive information at stake. Adding thousands of personal devices with IoT equipment makes it easy for hackers. Even the smallest USB drive could place thousands of medical records at stake.
Training Doesn't Happen as Often as it Should
Beyond the outdated cybersecurity equipment and software lies your employees.
Investing in cybersecurity from an equipment and software standpoint is one thing, but it all comes down to your employees. Everything in healthcare has an unavoidable human factor, that’s why training is so important. According to Verizon’s 2018 Data Breach Investigations Report, 71% of all cybersecurity incidents happen due to employee involvement.
But oftentimes training is an afterthought in healthcare. Kaspersky found that almost one in three healthcare workers never received cybersecurity training of any kind. Hackers know this vulnerability and try to exploit it every day.
When an uninformed, disgruntled worker receives a malicious message, they may play along.
Accenture surveyed 912 healthcare employees across North America and found that one in every five is okay with selling confidential data. For as little as $500 they’re willing to sell login credentials, install tracking software, and even download data to USBs. Almost one in four answered that they know someone who’s sold their information.
This is easy money for hackers. If an employee gives their login credentials for a database that contains 1,000 records, the hacker makes 99.95% profit.
After realizing that threat, you can’t go around interrogating your staff. You’d end up breeding a toxic environment and your employees would quit. Instead, you have to encourage a cybersecurity environment.
If Successful, They'll Get Paid Fast
Imagine going to the hospital to receive an MRI after waiting six weeks for your appointment only to have it indefinitely rescheduled. Or hospitals turning away emergency vehicles filled with patients who need immediate medical attention. That’s a life or death scenario where time is critical. But both of those examples happened in the UK during the 2017 WannaCry attack.
WannaCry was a ransomware attack on a massive scale that, from the hacker's point of view, was successful. It’s been two years since the attack locked its first computer but over there’s been over 300 payments totaling more than $100,000. There’s still an active Twitter account that automatically tweets about blockchain payments referencing the attack.
Healthcare companies operate on an unrivaled sense of urgency compared to other industries. Sure a few seconds on Wall Street could cost public companies millions. But that same amount of time costs lives to hospitals, a priceless asset.
Malicious attackers realize how invaluable time is for hospitals. But they assume healthcare organizations are more willing to pay them to reverse the attack so they can go back to treating their patients.
However, according to Recorded Future, 61% of healthcare ransomware victims did not pay their attackers. The same blog post states that the data isn’t entirely clear but this assumption may not hold up as more data presents itself.
Conclusion
It may seem like there’s no hope for healthcare organizations in their cybersecurity efforts. But here’s the most important takeaway of this entire blog piece, a security environment is a living, breathing ecosystem.
Like anything, it requires consistency and practice. As I mentioned at the beginning, experiencing a cybersecurity attack will happen. By understanding that you’re already taking the right steps towards better security.
Healthcare is a great industry to work within, there’s a lot of opportunity for growth and you help lives every day. Embrace all of the responsibilities.