How healthcare vulnerabilities hurt patients and the bottom line
Why is one of the most regulated industries—healthcare—also one of the most vulnerable?
In a recent post, we explored the unique regulations that healthcare organizations face. But despite the strict laws of HIPAA (the Health Insurance Portability and Accountability Act), healthcare vulnerabilities remain rampant, worldwide.
Research shows that organizations across the industry are woefully unprepared for numerous cyberattacks and business continuity threats, including:
- Phishing attacks
- Data loss
- Network breaches
- Malicious software installation
- Password attacks
Each of these disasters can have a direct impact on patient care, not to mention the organization’s bottom line and reputation.
But what makes healthcare so vulnerable in the first place? In this post, we look at the industry’s worst vulnerabilities and what needs to be fixed.
Hospitals are being attacked regularly
On a late Thursday in January, staff at Indiana-based Hancock Health noticed something unusual.
Several of the hospital’s computer systems stopped working. Upon closer inspection, employees found that more than 1,400 files had been renamed to “I’m sorry.”
It was a SamSam ransomware attack. And, before anyone could do anything about it, the infection quickly spread across the hospital’s email system, operating systems and electronic health records. Operations were able to continue, albeit with pen and paper.
Interestingly, the hospital had data backups. But officials decided to pay the ransom anyway—a whopping $50,000 in Bitcoin. Their reasoning was that paying “a small ransom” made more sense than recovering the data, which apparently would have taken “weeks.”
Thankfully, the attackers released the decryption keys to unlock the data, as promised. (Not all ransomware victims are so lucky.)
How is this happening?
In the case of Hancock Health, there were two critical vulnerabilities that led to the attack:
- Hackers initially gained access to hospital systems by using credentials that were likely stolen or compromised from a third-party vendor. Strong, more consistent security measures with the hospital’s vendors could have prevented this access.
- Unlike most ransomware attacks, which originate from phishing emails and other bad links, SamSam specifically targets unpatched servers. That means at least one of the hospital’s machines was unpatched and vulnerable to attack, allowing the infection to spread outward across the network.
These healthcare vulnerabilities are not uncommon, as we address below. Numerous other ransomware attacks have been reported on hospitals across the globe over the last two years.
High-profile attacks include the Hollywood Presbyterian Medical Center in 2016 ($17,000 paid to hackers), the 2017 WannaCry attack, which disrupted at least 16 UK hospitals, and the April 2017 attack on a Buffalo hospital that reportedly cost nearly $10 million for recovery.
The most problematic healthcare vulnerabilities
A 2016 cybersecurity report by SecurityScorecard highlighted some of the most egregious healthcare vulnerabilities. And while some healthcare organizations have made improvements in the wake of WannaCry and other attacks, there’s still a lot of work to be done.
The problem, experts say, is that laws like HIPAA don’t truly regulate how healthcare organizations protect themselves from data loss and other cyberattacks. As a result, more than 75% of the healthcare industry was infected by malware over a one-year period—which includes not just hospitals and doctors’ offices, but also healthcare manufacturers.
Here’s where these companies tend to be most vulnerable:
1) System patching
Healthcare groups simply aren’t patching their operating systems and software as often as they should. Researchers found that 47% of the industry had unpatched vulnerabilities on their networks.
Typically, this is the result of one or more failures: 1) lax policies for applying updates; 2) an overall lack of oversight of the machines and systems being used throughout the organization; and 3) older-yet-essential internal applications running on older operating systems or those that can’t be easily updated.
Regardless of the underlying reasons, healthcare organizations need to be implementing better policies for proactively patching their systems on a regular basis.
2) Social engineering (lack of security training)
Healthcare workers aren’t getting the proper training they need to identify and avoid suspicious emails and websites. And yes, that includes doctors and executives, not just lower-level employees.
The report by SecurityScorecard states: “Security is only as strong as the weakest link, and employees are often the lowest-hanging fruit when it comes to phishing, spear phishing, and other social engineering attacks.”
All it takes is one bad email attachment being opened or a bad link being clicked for ransomware to spread across the network. The problem is that phishing emails can be very deceptive. Somebody who opens medical billing records all day might not notice anything unusual about a phishing email containing an attachment labeled generically as “Invoice.” But with the right training, this same employee may have been able to spot the red flags and flag it for suspected spam.
Healthcare is among the worst industries for being vulnerable to social engineering attacks. To combat this problem, facilities need to begin devoting more resources to cybersecurity training and awareness for all employees, on an ongoing basis.
3) Password exposure
The healthcare industry is notorious for weak passwords. And again, this usually stems from lax computing policies across the organization.
Hackers don’t need to be geniuses to figure out the cadence for email addresses at a healthcare facility. If a hacker finds a single email address posted online that looks like [email protected], then they can deduce that all other addresses are probably formatted the same way. Then, all they need to do is scrape the staff names from a public directory and they’ve got hundreds of email addresses to attempt to break into.
Hackers have a number of tools at their disposal to do this. With brute-force software, for example, hackers can try logging into an account (or several accounts) with thousands of password guesses in a matter of minutes. If someone has a weak password, it will be quickly compromised. Often it only takes one compromised account to sow the seeds of a sprawling cyberattack.
Requiring stronger passwords within healthcare organizations is essential, but it’s only one of many possible defenses. Even brute-force attacks, for example, can be partially stopped with software that identifies such attacks and temporarily shuts down accounts that are being attacked.
4) Device vulnerabilities
Hospitals and other healthcare facilities are increasingly connected: with state-of-the-art medical devices, equipment and IoT devices—all connected to the local network and/or the Internet.
Unfortunately, this poses a great risk for network security. As facilities race to install the latest, greatest medical equipment, they are also inadvertently exposing the organization to cyberattacks. New equipment is being added with little regard to security concerns. And even if there’s pushback from IT (in an attempt to make sure the devices are secure), stakeholders may not view it seriously.
So, what happens? These connected devices are quietly compromised and used as a pathway to compromising the network itself.
Implementing new medical technologies will always be important. But if network security is not maintained, that new equipment could end up compromising the whole organization.
Each of the vulnerabilities listed so far makes healthcare organizations particularly susceptible to ransomware.
Healthcare ranks as one of the worst industries for fending off ransomware attacks. And alarmingly, 96% of attacks in the industry were targeted at medical treatment centers, according to SecurityScorecard. This means hackers are intentionally going after facilities like hospitals in an attempt to hurt patients.
Researchers also found that the healthcare industry ranked fifth in the number of actual data breaches. One widely reported attack on an oncology center affected 2.2 million patient records.
Large-scale attacks like WannaCry have been a wakeup call to the industry, but reports show there’s still a lot of room for improvement.
6) Data backup flaws
When a ransomware attack occurs, usually the single best solution is recovering the data from the most recent backup. But if the backup solution isn’t adequate, big problems can ensue.
Consider, for example, a backup system that takes days or weeks to fully recover all the missing data. As we’ve seen from real-world events, this has a devastating impact on patient services and on recovery costs.
Or, what if the backup device doesn’t backup data frequently enough to be useful after a ransomware attack? What if the data is too old?
What if the backup fails during recovery? What if the data is gone for good?
These are common issues facing healthcare organizations, and many don’t realize the vulnerabilities are so severe until it’s too late to do anything about it.
Why it all matters
HIPAA or no HIPAA, healthcare providers have an obligation to defend their networks against ransomware, data breaches and other disruptive events.
As we’ve seen, a ransomware attack alone can have actual life-threatening consequences for patients when critical data is lost (especially when it involves missing patient records in an intensive-care setting).
A lack of network defense or a lax approach to business continuity amounts to a blatant disregard for the patients these companies serve. It’s also a disregard for the health and reputation of the business itself.
Hackers are clearly aware of the vulnerabilities in this industry and of the willingness of providers to pay big ransom amounts. So until more efforts are made to maximizing security across the healthcare sector, these threats will surely continue.
Learn more about disaster recovery for healthcare
Take the first step to implementing a dependable business continuity solution that can protect against ransomware and other data threats. Request a free demo of advanced data protection technology from Datto, or contact our disaster recovery experts at Invenio IT: (646) 395-1170 or [email protected].