Healthcare systems have a critical place in almost every country around the world, but they're increasingly becoming a lucrative target for hackers. Just last month, the National Health Service fell victim to the WannaCry global ransomware attack, which targeted computers and networks running Windows.
Around 40 hospital trusts in the UK were affected by the attack, with doctors and healthcare professionals unable to access vital computing resources and medical records unless they paid a Bitcoin ransom. As a result, they had to cancel operations and appointments, causing potentially life-threatening scenarios.
In a similar case, a hacker managed to compromise Atlanta-based Emory Healthcare's patient database and delete vital appointment data. They were also able to access patient information such as names, dates of birth, contact information and medical record numbers. Overall, around 80,000 patients were affected by the hack.
The risks are clearly great. Hospitals are also reliant on highly technological medical appliances - from sophisticated scanners to operation equipment - and the ramifications could be life-threatening if a cyber criminal were to compromise them. There's clearly a vital need for effective cyber security procedures.
Systems can't be updated easily
Despite making investment in new technologies, healthcare organisations are often a lucrative target for cyber criminals predominantly because they rely still rely on ageing infrastructure and overstretched budgets. They simply don't have the means to cope when a large scale occurs, and that's a concern to many.
John Bambenek, threat intelligence manager at Fidelis Cybersecurity, says one of the biggest issues here is that healthcare organisations use embedded operating systems that can't easily be patched due to patient safety regulations.
"As proven by the recent spate of hackers targeting the public sector, the healthcare system is far from immune when it comes to cyber attacks. Indeed, it is unfortunately a lucrative target," he says.
"The chief issue in healthcare is that some medical devices have embedded operating systems, largely Windows-based. While the operating systems are updated constantly with new patches, due to medical regulations in patient safety, the devices can't be patched as quickly. There is also a disparity between operating systems that are designed to last only years, compared to devices that have a lifetime of decades. Clearly, the technological and regulatory risks of this situation were never fully considered.
He adds that healthcare professionals are increasingly being exposed to ransomware attacks, where they're expected to pay a financial sum to regain control of critical data. "Most recently, this has materialised in ransomware attacks, where hackers demand bitcoin for control of the data to be passed back to its owner.
There is also the high probability, however, that organisations within the health industry have or will fall victim to other types of attack, such as DDoS or SQL injection attacks, not to mention the number of complementary tactics cyber criminals use; such as phishing and credential re-use," he tells IT Pro.
Legacy technology is dangerous
Paul Calatayud, chief technology officer at FireMon, also takes the view that legacy technology is causing major problems for hospitals. He believes that they need to begin investing in new intelligence tools so they can get a more accurate overview of their systems, even if budgets are tight.
"Hospital networks continue to be an easy target for attackers as these systems were often set up decades ago. To aid IT Security professionals, they need the intelligence tools that give them complete visibility into their security infrastructure and can ensure the right access is given to the right people," he says.
"This starts by employing proper management who can see the whole security infrastructure and make sound security decisions based on this information provided. Deploying proper firewall policy auditing is a quick and easy way to begin to identify these more outdated services. Using Secure File Transfer Protocol (SFTP) tied to active directory would greatly reduce the risks. The WannaCry attack highlighted how fragile hospital security is so you would hope new adequate security and risk management systems are being implemented to reduce the complexity levels within modern day hospital security."
Nik Whitfield, CEO of security intelligence solutions provider Panaseer, advises healthcare operators to invest in up-to-date technology and develop an understanding of cyber security practices.
"Healthcare organisations of all sizes are exposed to the risk of destructive malware. The key for executives is to develop and maintain cyber hygiene to manage their exposure to the impact of attacks. This includes understanding the risks of old IT systems and decisions not to upgrade technology," he says.
"They don't need to become experts in this kind of threat. Just like people don't need to know about every possible disease; we just need to eat well, stay hydrated, wash our hands and so on. Then, most of the time we'll be fine. We don't need to become experts in every disease. Similarly, every healthcare organisation needs to maintain a level of good cyber hygiene: they need to understand what assets they have, keep software up to date, patch regularly, and educate their employees. This can stop the vast majority of attacks."
Lucrative opportunity for hackers
Neil Bramley, B2B client solutions business unit director at Toshiba Northern Europe, says cyber criminals are targeting healthcare organisations because of the amount of personal data available. However, he also argues that mobile-oriented remote working can act as a gateway for hackers. "With significant amounts of highly sensitive Personally Identifiable Information (PII) at the heart of day-to-day operations, healthcare organisations will increasingly find themselves a preferred target of cyber criminals," he says.
"This is only heightened as healthcare professionals, enabled by mobile devices, begin to work on the move for example, visiting patients at their homes or across different clinical settings. While such devices provide mobility and increased productivity, they may also act as a potential gateway for attackers, and organisations must put in place a security infrastructure which ensures patient data remains robustly protected."
More areas at risk than others
Healthcare is a diverse field, and there are people out there who believe that some areas are at more risk than others. Martyn Williams, managing director of industrial software expert COPA-DATA UK, explains that the pharmaceutical sector is vulnerable to cyber attacks due to the fact that it's constantly looking for cheaper ways to produce medicine. The result? A lack of investment in new technology and systems.
"The patent model in the pharmaceutical industry forces manufacturers to seek out the cheapest possible ways to produce medication. This results in a decreasing of investment in new machinery, ingredients, optimisation measures and most importantly, software.
Bitsight, an organisation that measures how vulnerable companies and industries are to cyber-attacks, reported that cyber security attacks on the healthcare and pharmaceutical industries have worsened at a faster rate than other industry sectors," he tells us.
"With the average clean up' time for these sectors following a cyber-attack at just over five days, there is certainly some cause for concern. Similarly, a report by OCISIA, in collaboration with the UK information intelligence experts, BAE Systems Detica, estimated the cost of cybercrime to the UK economy to be around 27 billion annually. The same report named the pharmaceutical and biotech sectors amongst the hardest hit industries.
"In the eyes of a cyber criminal, the pharmaceutical industry provides a treasure trove of valuable information. Organisations within the sector from manufacturers to CROs and CMOs can hold highly sensitive material, from personal patient data to confidential research on drug development and testing. This makes the pharmaceutical industry an attractive target for cyber attacks."
If a healthcare system fails, then there's a chance that lives could be put at risk, and clearly that must be avoided at all costs. However, that's not stopping cyber criminals from compromising crucial medical systems. They see hospitals as easy targets, and this can only change through increased investment in effective cyber security and modern computing systems.
