Black Hat 2017: Key Cybersecurity Vulnerabilities for Healthcare Systems

Karen Epper Hoffman

The culmination of several factors has made the healthcare industry a perfect target for cybercriminals. Understanding those factors, experts say, is critical to creating a more secure industry moving forward.


Cybersecurity experts provided background and clarity on the factors that have led to cyber vulnerability, and on the state of healthcare cybersecurity, at the recent Black Hat conference in Las Vegas. Healthcare organizations, including hospitals, have a couple of key things that so-called “black hat,” or bad-guy, hackers want: valuable information and money, experts explained.

Ransomware has been a large and growing cybercrime scheme for more than two years, according to information security insiders at Black Hat. And healthcare organizations, including hospitals, are in the crosshairs of many of these malicious attacks. This is due in part, experts say, to how hospitals went about moving to paperless workflows. By rapidly digitizing their data to enhance accessibility, many healthcare organizations overlooked securing their new digital records as they transitioned to paperless processes and systems.

Also, with patients’ lives sometimes hanging in the balance, hospital and medical providers often pay less attention to information security in the name of fast, accurate care and responsiveness. Understandable as these priorities may be, they are creating a perfect storm for malicious hacking groups to use phishing emails or exploit other system vulnerabilities to wedge into the healthcare company’s networks and take over their data stores. And the beauty of the scam for the hackers is that they do not even need to steal this illegally accessed information, or resell it, at greater risk to themselves from law enforcement—they simply demand a ransom be paid by the victim organization, usually in untraceable Bitcoin.


The desire on the part of organized cybercriminals and talented script kiddies alike to make money with their online attacks is driving them to steal, or exfiltrate, sensitive patient data (including Social Security numbers, addresses, insurance information, and family and health background) or organizational data, which they can later sell on the dark web. Cybercriminals are also using their digital skills to infiltrate health organization networks and lock down or encrypt the organization’s own files and information, with the threat that if the organization does not pay a “ransom” the criminals will destroy the data — creating tremendous potential patient risk, regulatory exposure, and damage to the organization’s reputation if it fails to comply.

Case in point: Last February, Hollywood Presbyterian Medical Center in California made headlines throughout the country when it became public that the hospital had been the latest to fall prey to ransomware attackers, who demanded $17,000 in the alternative online currency in order to regain access to their locked-down systems and encrypted data. Other hospitals and healthcare companies across the United States have seen similar attacks and had their information and systems ransomed, but many never make their attacks public.

A report on the growth of ransomware from the Institute for Critical Infrastructure Technology [ICIT] predicted that 2016 would see a big leap in ransomware attacks because of the ease of attack (technically and logistically speaking) and the high financial upside, as compared to risks, for the attackers. Healthcare companies are typically more motivated than other industry sectors to pay the money and retrieve their access because of the potential danger to human life if patients get sick or die while their networks are hung up and inaccessible, experts say.
