The prediction that healthcare data would be aggressively targeted by ransomware attacks in 2017 has proven to be true.
The malicious WannaCry ransomware attack spread to over 150 countries and impacted over 300,000 devices in May. The world experienced another massive cyber-attack in June, Petya, which forced one hospital to rebuild all their hard drives as they were unable to access data and they needed to provide clean access to their electronic medical record (EMR).
Cybersecurity risks don’t stop with ransom attacks or traditional IT devices. A malicious actor could make their way into a pacemaker or insulin pump, potentially causing a lot more damage to a patient than an attack on a computer or server. The impact of an attack on connected medical devices and IoT pose a real patient safety risk. According to one poll, twenty-three percent of healthcare organizations stated that lax security on devices is their biggest concern which ranked second only to mobile device hacking which twenty-nine percent cited as their highest priority for 2017. Overall, fifty-eight percent of healthcare organizations ranked Internet of Things (IoT) device security, which includes connected medical devices, a high priority for 2017.
Most hospitals have hundreds to thousands of medical devices in use providing a variety of functions. Furthermore, healthcare IT environments have shifted from a homogenous makeup consisting of primarily a single OS, monolithic structure, reactive security approach and signature-based security tools/technologies to a more heterogeneous makeup with a variety of operating systems, different types of devices (including IoT devices), cloud-based applications and services and behavioral-based security tools/technologies. This causes medical IT networks to be complicated and potentially the most vulnerable access point in a medical facility’s infrastructure.
Why is healthcare data under attack?
More and more healthcare providers are digitized thanks to the 2009 HITECH Act and the speedy transition to electronic medical records (EMR). Most hospital IT departments’ have been focused on implementing EMRs without making advancements in their security program potentially putting patient data at risk. For a hacker, healthcare data is a gold mine of personal information that may be used for many fraudulent purposes, providing medical insurance numbers, credit card numbers, home addresses and other personal information. In fact, every year since 2009, healthcare provider entities have represented the largest percentage of reported breaches and that percentage has grown every year since 2014.
For connected medical devices, it’s very alarming that a 2015 report* by Raytheon & Websense suggests that “up to seventy-five percent of hospital network traffic goes unmonitored by security solutions out of fear that improperly configured security measures or alarming false positives could dramatically increase the risk to patient health or well-being.” Even if that number is on the smaller side, like twenty-five percent, the industry’s security technologies would be missing a considerable amount of data. Are we capturing the necessary data to gain the insight of where our medical devices are and more importantly – what behavior are they demonstrating? Is it normal?
Who owns the problem?