A HIMSS expert details what hospitals need to know.
Lee Kim, JD, refuses to sugarcoat it. The Healthcare Information and Management Systems Society (HIMSS) cybersecurity expert said threat actors are “super technical,” and that’s bad for healthcare. “Sometimes the defenses that we have in place are just not enough because people aren’t aware of the dangers at work out there,” she told Healthcare Analytics News™.
Kim detailed the types of attacks hospitals might face, and even the potential motivations behind them. She believes that ransomware, denial-of-service, and website attacks are the 3 most common threats.
While ransomware is often discussed, denial-of-service attacks, which overload and bring down hospital websites, are also common, Kim said. Unfortunately, many health organizations don’t do enough to secure their web servers, and this, she said, is particularly problematic.
“Most healthcare organizations host some kind of patient portal or database with a lot of juicy patient health or financial information, so there’s a ‘value add’ in a bad actor getting access to that,” she said. “Once you break in, you can get access to other computers on the same network and get away with a treasure trove of information, and damage or even delete mass quantities of information.”
Many attacks on health systems are targeted: Hackers don’t just prey on a hospital to get patient data, but to get specific patient data. “At times, they are interested in a certain patient’s information, whether for blackmail or otherwise,” Kim said. “So the attacks are targeted against a specific healthcare organization because they know that John or Jane Doe frequent that institution.”
Targeted attacks often originate in 2 different ways, she said: the “socially engineered” variety, which relies on phishing emails or phone calls, or careful probing of weaknesses in an institution’s cyber infrastructure. Ransomware, for instance, can be deliberately planted in a chosen target (one example is the attack on Erie County Medical Center in 2016, which Kim did not mention but which Greycastle’s Reg Harnish detailed at a previous conference).
Just as often, however, attacks wander into a network by chance. Kim pointed out that two headline-grabbing ransomware attacks from the past year, NotPetya and WannaCry, were “industry agnostic” but still devastating to the hospitals they infected.
Kim said it isn’t always easy to identify an attacker’s motivation. It might be money, blackmail, notoriety, or even ideological reasons. Awareness among hospitals is growing and the healthcare cybersecurity market is “booming,” but many organizations still struggle to defend their networks, she said.
“A lot of healthcare organizations are throwing money at the solutions,” Kim added. “In the case of small physician practices especially, if you don’t have an IT person on staff, your security function isn’t managed at all and it’s kind of like an open door to the attacker.”
Education and threat simulation, she said, are essential for improving a hospital’s defenses.