Hackers like the low hanging fruit and one industry that is drawing more interest, as a result, is healthcare. It’s no wonder. With hospitals around the world using old equipment and with little of the budgets going to cybersecurity it's almost too easy for hackers to get in.
“We've seen an incredible rise in cybersecurity incidents,” said Sarah Jost, global healthcare industry lead at Blackberry in a recent interview with The SaaS Report. “There are a few things contributing to this but the number one is legacy equipment not cyber secured being used across healthcare.”
Hospitals don't have a choice, they have to use MRIs, pumps and any type of patient monitoring equipment whether secure or not, she said. There’s also the sharing nature of doctors and clinicians that make healthcare players a prime target for the criminals. “Clinicians do the best thing for patients so they will always make a choice to share even in an unsecured way because they are trying to help patients. As IT professionals it's our responsibility to help these clinicians share information in an easy way but in a very secure way,” she noted.
An unintended consequence of using medical devices that aren’t secured is a black market for medical data and information that is being sold on the dark web. That, in turn, is driving increased attention on the part of the hackers since their ultimate goal is usually to make money. “As we create more electronic medical records markets for information spring up everywhere,” said Campbell Murray, technical director, cybersecurity at BlackBerry. She pointed to chest x rays for one example. In order to leave China people are required to produce a chest x-ray that doesn’t have TB or lung disease. People will pay $100 for a clean chest x-ray on the dark web. As the digital medical records get even more detailed it will be a bigger target for the hackers. “As we increase the granularity of the medical record it will lead to insurance fraud and identity theft. The more we grow the size of the medical record the more valuable it becomes,” noted Murray.
To get into hospital networks the scammers are employing a bevy of tactics. Murray pointed to phishing emails, website infiltrations and physical attacks at hospitals as among the main ways bad guys are compromising hospital networks and systems. “Website security is often done poorly and contain certain elements of data that once pulled out can create a wider picture of the patient,” said the Blackberry executive, noting that in some hospitals medical devices such as an x-ray machine aren’t securely connected to the network. If a hacker gets into the radiology equipment it also has access to the data. Murray pointed to WannaCry, the virus that spread last year impacting scores of hospital systems across the globe as one example. The worm went after computers running Microsoft Windows OS but wasn’t updated with the proper security patches. The virus locked up systems, requesting payments in Bitcoin, impacting more than 200,000 computers in 150 countries.
In that case, the patch had been available for three months but with a lack of IT resources on the part of healthcare providers they were slow to respond and were thus vulnerable to the attack. “Every rainbow of malware out there may very well be quietly monitoring medical devices and stealing data,” said Murray. “What the future looks like for healthcare is they are increasingly challenged. They have to solve the need now before it becomes an insurmountable battle.”
