The current state of healthcare security is not looking too good. For criminal hackers, the risk is low, the security is lax, and the reward is high. So why wouldn’t they make hospitals their prime target? Hospitals and other medical facilities have made themselves an easy victim for hackers to infiltrate their network and steal information, affecting thousands (if not millions) of employees and patients.
To understand why this is happening, you have to get inside the mind of a hacker. They use a variety of methods to arrive at their desired goal, whether that goal is stolen money or information. Here are 3 ways that hackers are attacking hospitals:
Using ransomware to lock up information
More hospitals and healthcare facilities store their patient data in the form of electronic health records than ever before. Unfortunately, they don’t always employ the correct security measures when taking this route. They don’t have a firewall, they don’t have antivirus, and they don’t keep operating systems up to date, to name a few security blunders. Hackers can easily install malware or ransomware on a hospital’s system.
With ransomware, a criminal will infect a computer with a virus that renders files encrypted and inaccessible by the hospital staff. Hackers are banking on the fact that this information is extremely valuable to the hospital, so valuable that staff members can’t do their jobs without it. Hackers will demand that the hospital pays a certain sum of money in order to get their data back.
Just last month, Hollywood Presbyterian Medical Center’s data was held for ransom by hackers. The hospital was forced to go back to pen and paper until they were able to pay the ransom. Some patients even had to be diverted to other hospitals. The investigation into this hack is still ongoing but the amount of money that the hackers demanded was reported to be 9,000 bitcoin - that’s about $3.6 million.
Stealing medical information in order to sell it on the internet
The private health information of patients has become valuable on the Dark Web in recent years. While stolen credit card credentials cost $1-$3 on the Dark Web, a medical record can go for $60, making them highly valuable to criminals. If they glean a thousand medical records from one hospital hack, that’s $60,000. Not too bad. Once the information is in the hands of its final buyer, they will use it to steal a person’s medical identity so they can seek treatment and surgeries without paying for it. The treatment is then billed to the real person.
Hackers can steal medical information in a variety of ways. One of the most popular is through a relatively simple phishing scam. This happens when a hacker sends an email to a hospital staff member while pretending to be someone trustworthy, like the CEO of the hospital, for example. The email asks the staff member for various bits of information such as passwords, account numbers, and patient data. Unknowingly, the staff member will send that information to a hacker while thinking they are sending it to their boss. The hacker can then use that information to further infiltrate the network, access electronic health records and ultimately steal patient data.
Hackers can also simply email a staff member with an attachment. When the attachment gets downloaded it will install malware on that computer. Some malware can log keystrokes so that hackers learn passwords to databases.
Hacking of medical devices
Perhaps the most terrifying, it is possible for medical devices such as pacemakers, defibrillators, or insulin pumps to be hacked. Though a hack of this kind has yet to be recorded, it has been proved by security researchers to be possible, especially when security has not kept pace with new technology. Many medical devices are connected wirelessly to networks so that doctors can provide medical assistance remotely. However, if anything is connected to a network, it can also be hacked, unfortunately. A malicious hacker could set an insulin pump, for example, to deliver a much larger dose of insulin than needed, possibly causing death. Though this has never happened in the wild, the likelihood of it is growing.
Humans are the factor behind these vulnerabilities
Any insecurity in a hospital’s network can usually be traced back to human error. It might have been because an unknowing employee gave out a password. It might have been because they took a laptop home and someone stole it. Or it might have been because the hospital’s decision makers couldn’t find space in the IT budget to update their operating systems from Windows XP or their server from Windows Server 2003.
Maybe they decided that a high quality hardware firewall wasn’t worth it or that they didn’t really need antivirus on every system. In general, every major hack of a medical facility can be traced back to simple technology solutions that humans failed to implement.
That’s why we recommend a three step approach to ensuring that your hospital has the best security.
1. Create a strong, secure network using only the highest quality hardware and up to date software.
2. Test the network for vulnerabilities.
3. Maintain and monitor the network 24/7.
Keeping patient information in the right hands is the responsibility of the healthcare provider. By following the steps above, you are headed in the right direction.