Analecta Cyber Company Blog: Hospital hacks expose security weaknesses

2016-04-29

Hospital hacks expose security weaknesses

After several hospitals were targeted in the US, specifically in California, Kentucky, and Maryland, it seems that hospitals everywhere are facing a new form of cyber attack known as crypto-ransomware. Hackers have adopted this approach as an alternative to their usual practice of stealing patient data. This type of attack locks down computer systems in hospital networks and demands bitcoins as ransom. Once the hospital pays the ransom, the hackers are supposed to unlock the computers compromised during the attack. Paying the ransom is also supposed to give hospital employees access to their own computers again.
Several hospitals were targeted in just a couple of months, and the FBI appears to have no solution at the moment to mitigate such attacks.

Other industries generally implement IT security in their computer networks. This has been the norm over decades of cyber security. Unlike these industries, the medical sector was not involved in cyber security before the government implemented laws on patients’ protected health information (PHI). This is one of the major reasons why hackers are targeting hospitals and medical facilities: they are very easy to target.

Statistics presented by the Office of the National Coordinator for Health Information Technology show that in 2008, only 9.4% of hospitals utilized a basic electronic record system, but by 2014 a major increase had taken place and 96.9% of these hospitals were utilizing certified electronic record systems. This indicates that, over a short period of time, these hospitals had to cope with this new system and develop the organizational readiness for it.

Security part of mission

The hospitals' primary mission was to provide medical care. That is why, generally, they weren't focused on data protection. Because of the laws on PHI implemented by the government, medical facilities were forced to implement IT security protocols. However, they view this only as a government mandate and not as an important part of their medical responsibilities. Health organizations do not make IT security a major concern. They do not allocate the funds and resources necessary to ensure the security of their systems. This has left their computer networks weak and vulnerable to cyber attacks, which has primarily resulted in privacy breaches.

The other reason why hospitals are targeted by hackers more often than any other industry is that they are willing to pay the ransom demanded by the attackers as soon as possible. Patients’ lives cannot be put at risk, especially as a result of a ransomware attack.

They will pay the ransom just to regain access to their computer network immediately. They need to, because patient treatment should not be stopped, or else it could lead to serious harm.

These new types of attacks remain a major threat to patient safety. Hospitals should therefore treat cyber security as one of the most important aspects of their medical care responsibilities to their patients.