In recent years, healthcare organizations have been attacked with more frequency, velocity, and fervor than any other industry. IBM dubbed 2015 “the year of the healthcare breach” in its 2016 Cyber Security Intelligence Index, and if recent headlines are anything to go by, 2016 wasn’t much better.
But why are healthcare organizations targeted so consistently? On the surface, gambling sites and financial institutions would seem like better targets, so what is it about healthcare organizations that threat actors find so tempting?
In the end, it all comes down to one factor: Money.
1) Medical records are a goldmine
One question that organizations may be asking themselves is: Why would a threat actor target us?
Broadly speaking, threat actors are motivated by all sorts of things. Revenge, espionage, and activism are just the start.
But with a few notable exceptions, hacktivists rarely target healthcare organizations. Nation-state actors do occasionally go after healthcare data, but they are not the typical attacker. And even the most irate former employee would usually have moral objections to hacking a hospital.
So ultimately, it’s all about money. But, you might wonder, how does a threat actor make money from a healthcare organization?
Simple. Medical records are worth a small fortune to the right buyers.
In our highly connected world, buying and selling stolen information on underground markets is easy. Anybody with an Internet connection can do it, and the chances of being caught are surprisingly slim.
Think about what a medical record contains: full name, date of birth, address, insurance details, and often a government ID number. In the wrong hands that is enough to build a false identity, obtain prescription drugs, file fraudulent insurance claims, and more. And unlike a payment card, none of it can be cancelled and reissued, so a stolen record stays useful for years.
As a result, stolen medical records are widely reported to sell for ten to twenty times as much as stolen credit card data.
2) …and there are LOTS of medical records
Few organizations store as much sensitive information as those in the healthcare industry. Fewer still store all that information in the same place.
In fact, according to the Identity Theft Resource Center’s most recent annual report, the average number of records stolen per healthcare breach is 28,564. Yes, you read that correctly.
Combine this volume of data with the staggering value of individual medical records, and you’ll quickly see why healthcare organizations make such attractive targets. For a single successful healthcare breach, a threat actor could make anything from $285,000 to $1.7 million.
3) They’re easily threatened
We’ve written extensively about ransomware, but it plays a particularly concerning role in attacks against healthcare organizations.
As we’ve discussed before, the ramifications of a ransomware infection are substantial. Even when full backups are available, it can take hours or even days to carry out a full recovery, and that assumes the backups were not reachable from the infected systems and that restoring from them has actually been tested. For obvious reasons, healthcare organizations often don’t have this kind of time.
As a result, threat actors have found healthcare organizations to be extremely susceptible to ransom demands. No surprise, then, that a whole string of attacks hit the headlines in 2016, the most widely reported being Hollywood Presbyterian Medical Center, which paid roughly $17,000 in bitcoin to regain access to its systems.
And those are just the cases we know about.
4) Medical environments are often large and complex
Let’s face it, healthcare organizations are often tremendously large and complicated. Hospitals in particular tend to employ a huge number of staff, divided into largely separate departments.
On top of this, many non-technical staff members have access to highly sensitive patient data. Unlike most organizations where this type of access would be reserved for very specific job roles, doctors need easy access to patient records at all times.
But as we already know, people often prove to be the weakest link in any organization’s security. Add heavy workloads, minimal sleep, and a lack of security knowledge into the mix, and it’s really no surprise that healthcare breaches have gone through the roof in recent years.
5) Easy access
When most people think about cyber criminals, they picture faceless hackers sitting behind computer screens in the early hours of the morning. What they probably don’t imagine is somebody walking right into the building and stealing or compromising hardware.
For many years, security was far down on the list of priorities for healthcare organizations. Most are designed to promote ease of access, for obvious reasons. Unfortunately, for threat actors, gaining physical access to a target site makes life much easier.
Given all this, it’s perhaps unsurprising that according to Verizon 45 percent of all healthcare security incidents result from lost or stolen assets, such as laptops, tablets, and flash drives. Full-disk encryption, with the key not stored alongside the device, is the one control that turns a stolen laptop from a breach into a hardware loss: under HIPAA, lost patient data that was properly encrypted does not count as a breach of unsecured PHI.
6) Medical devices are easily compromised
Remember all those headlines about the Mirai ‘botnet of things’? Basically, threat actors worked out that instead of compromising PCs and laptops, they could take control of hundreds of thousands of Internet-connected cameras, DVRs, and home routers instead.
And you know what? The scary thing wasn’t the massive DDoS campaigns launched against a security journalist, a hosting provider, and a major DNS provider. It was the simplicity of the code used.
When the Mirai source code was released in September 2016, security experts immediately started dissecting it. What did they discover? Over 100,000 IoT devices had been enslaved using nothing more than Telnet and a list of a few dozen factory-default username and password pairs: the scanner simply connected to port 23 (or 2323), tried each pair in turn, and reported any device that handed it a shell.
This is a serious problem for healthcare. Medical device manufacturers have so far faced little regulatory pressure to build security into their products, and many network-enabled devices, as many of them now are, ship with exactly the weaknesses Mirai exploited: Telnet left enabled, hard-coded or default credentials, and no practical way to patch them. Compromising such a device could take mere seconds.
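To show how little the Mirai scanner actually needed, here is an added example (not code from the original post, and not the Mirai source): a minimal default-credential audit of the kind a hospital network team could run against its own device inventory, exercised against an in-process simulated telnet device so that it runs offline. The credential subset, the device names, and the simulated daemon are all constructed for the example.

```python
import socket
import threading

# A few username/password pairs of the kind found in the released Mirai
# scanner list. Illustrative subset only, not the full list.
DEFAULT_CREDENTIALS = [
    ("root", "root"),
    ("admin", "admin"),
    ("root", "12345"),
    ("admin", "1234"),
    ("root", "xc3511"),
]


def _read_until(conn, markers, limit=4096):
    """Read from a socket until one of the byte markers shows up or the peer closes."""
    buf = b""
    while len(buf) < limit:
        chunk = conn.recv(1024)
        if not chunk:
            break
        buf += chunk
        if any(m in buf for m in markers):
            break
    return buf


def telnet_login_succeeds(host, port, username, password, timeout=3.0):
    """Drive a plain telnet login and report whether a shell prompt came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            _read_until(s, [b"login:", b"Login:"])
            s.sendall(username.encode() + b"\r\n")
            _read_until(s, [b"assword:"])
            s.sendall(password.encode() + b"\r\n")
            reply = _read_until(s, [b"# ", b"$ ", b"incorrect", b"login:", b"Login:"])
    except (OSError, socket.timeout):
        return False
    if b"incorrect" in reply.lower():
        return False
    return b"# " in reply or b"$ " in reply


def audit_devices(devices, credentials=DEFAULT_CREDENTIALS):
    """For each (name, host, port), return the first default pair accepted, or None."""
    findings = {}
    for name, host, port in devices:
        findings[name] = None
        for user, pw in credentials:
            if telnet_login_succeeds(host, port, user, pw):
                findings[name] = (user, pw)
                break
    return findings


class FakeTelnetDevice(threading.Thread):
    """Simulated IoT telnet daemon (constructed for the demo, not real firmware).

    Binds an ephemeral loopback port so the audit can run without a network.
    """

    def __init__(self, username, password):
        super().__init__(daemon=True)
        self.creds = (username, password)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._session, args=(conn,), daemon=True).start()

    def _session(self, conn):
        with conn:
            conn.sendall(b"login: ")
            user = _read_until(conn, [b"\n"]).strip().decode(errors="replace")
            conn.sendall(b"Password: ")
            pw = _read_until(conn, [b"\n"]).strip().decode(errors="replace")
            if (user, pw) == self.creds:
                conn.sendall(b"\r\nBusyBox v1.22.1 built-in shell (ash)\r\n# ")
            else:
                conn.sendall(b"\r\nLogin incorrect\r\n")


def demo():
    """Two constructed devices: one still on its factory default, one reconfigured."""
    weak = FakeTelnetDevice("root", "xc3511")
    hardened = FakeTelnetDevice("admin", "Kq7!vWp2zR-ward")
    weak.start()
    hardened.start()
    inventory = [  # hypothetical asset names
        ("infusion-pump-ward3", "127.0.0.1", weak.port),
        ("imaging-gateway", "127.0.0.1", hardened.port),
    ]
    return audit_devices(inventory)


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'DEFAULT CREDENTIALS ' + str(hit) if hit else 'ok'}")
```

In a real audit the inventory comes from your asset register or a port scan for 23/2323, and the interesting finding is often that Telnet is reachable at all: disabling it, or isolating the device on a segment that only the systems which need it can reach, matters more than the password, because many such devices cannot have their credentials changed.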
7) Old and unsupported software is EVERYWHERE
When software reaches a certain age, providers stop supporting it. That means no more updates and, more importantly, no more security patches. This is true for operating systems, firmware, and standard software suites.
Now, because of the scale of most healthcare organizations, it’s almost inevitable that some unsupported software will be in use. Whether it’s a bespoke diagnostic system from 20 years ago, or the fact that you’re still running Windows XP even though it received its last security patch in April 2014, this poses a substantial security risk.
Rather alarmingly, NHS Digital estimates that approximately 15 percent of all Windows installations in UK healthcare organizations are Windows XP.
Exploiting old software is very easy, particularly if it’s a widely used package: public exploits for unpatched, widely deployed software end up in off-the-shelf attack frameworks, so no real skill is needed to use them. Addressing this issue should be a high priority for any healthcare organization. Where a legacy system genuinely cannot be replaced, isolate it on its own network segment and restrict what can reach it.
8) Time to discovery is high
As we’ve already learned from Verizon’s annual Data Breach Investigations Reports, the average time to discover a breach is incredibly high. Although some breaches are detected almost immediately, many more take days, weeks, or even months to identify, and some are never noticed at all.
It gets worse. A recent study by Tripwire found that healthcare IT professionals are wildly overconfident in their ability to detect breaches, claiming it would take mere hours despite not having the tools to back up this assertion.
And... it gets even worse! An Advisen survey recently found that not only did many healthcare IT professionals not test their breach response plan, many didn’t even know how.
9) Healthcare security budgets are almost non-existent
With everything else said and done, this is just the icing on the cake. Despite the tremendous and increasing risk of cyber attacks, healthcare organizations on average spend less than 6 percent of total IT budgets on security.
And that’s just the average. In over half of all healthcare organizations, that figure falls to less than 3 percent.
Don’t Wait for the Inevitable
In light of everything we’ve discussed here, it’s hardly surprising that cyber attacks on the healthcare industry are predicted to rise again in 2017. Healthcare organizations are easy to attack, there’s very little chance of being caught, and the payoff for threat actors is huge.
So if you work for a healthcare organization, don’t just sit back and wait for it to happen. The cost of a data breach is tremendous, particularly now that HIPAA regulations are being more aggressively enforced, so enhancing security mechanisms is the only logical route forward. Investing in security awareness training for users should be at the top of the priority list, alongside the basics that training alone cannot fix: knowing what is on your network, changing default credentials, patching or isolating unsupported systems, and encrypting portable devices.
By training your employees to take basic security precautions such as scrutinizing new emails closely, or challenging unrecognized personnel in restricted areas, you can dramatically reduce the risk profile of your organization. For more information on how to do this, keep following the blog to see the rest of this series on healthcare IT security.
From February 19-23, PhishLabs will be at HIMSS 17 in Orlando, Florida. If you’d like to meet with us to discuss our 24/7 protection against attacks targeting your employees, systems, and data, please get in touch.