Hackers Calling Fair Game on Healthcare Institutions

The year 2019 saw big consumer brands get hacked: from Facebook to Capital One, every day people were urged to double-check their bank accounts and credit card statements to ensure their information had not been stolen. The prime target: all of your personal data. The year 2020 was a completely different animal, and the new hunting ground for cybercriminals has become the pandemic’s new ground zero – health care.

It is understandable why health care is an irresistible target for nation-state hacking organizations or rogue criminals, whose motivations revolve around finances and intellectual property. For one, healthcare information is particularly valuable – from IP to patient data, there is a lot of information out there that can be sold. According to a Trustwave report, a healthcare data record may be valued at up to $250 per record on the dark web, compared to $5.40 for the next-highest-value record – a payment card.

Not to mention, ransomware has been the attack of choice this year, and healthcare organizations cannot take the chance of losing invaluable patient information, or worse – allowing data to be manipulated. If that does happen, the effects are dire, especially if that data can mean life and death; chemotherapy dosage or allergies, for example. Looking forward, this could get a whole lot worse if the validity of patient data comes into question – and providers, doctors, and nurses may not even ultimately trust their own digital notes.

The trickle-down effect of ransomware has had tragic consequences already. Earlier this year, a German patient died while being diverted to another hospital when the first hospital where she sought care was crippled by a ransomware attack. This should be enough to convince healthcare leaders to reinforce their security infrastructure and leverage basic foundational elements like network segmentation, endpoint detection and response (EDR) and two-factor authentication (2FA). However, as hospitals are already strapped for resources with tightening budgets, what should be done and what is actually feasible are often at odds.

It is not a stretch to say that we haven’t reached the peak of ransomware attacks. The FBI released a ransomware advisory in October about an imminent threat, and put healthcare institutions on high alert. As an industry, we’ve crossed the Rubicon here – nefarious actors have decided it is acceptable to target a region, a large health system, or even multiple health systems, all at once. Although this initial campaign is now largely being blocked by security tools – because we understand the infrastructure that the hacker is using – at some point, another group will pivot to a different infrastructure, and we will be back to square one.

As long as there are no consequences for the bad guys, and victims, however reluctantly, continue to pay ransoms, the attacks will not slow. Recent research found only 44% of healthcare organizations have conformed to national cybersecurity protocols, with some scores trending backward since 2017. That’s a scary thought, given that cybercriminals are becoming more sophisticated and healthcare institutions are already lagging behind other industries on security posture. These latest ransomware attacks should give IT security professionals the opportunity to rethink all things IT and security and focus on one priority – reducing risk.

It is imperative for healthcare institutions, from hospitals to large-scale pharmaceutical companies, to secure IT networks and invest in security infrastructure. However, the question some security leaders are grappling with is, what it will take to motivate healthcare leaders to prioritize security, especially if specific organizations have had no problems in the past with cybersecurity breaches? Part of the issue may involve the fact that trust and security are linked, and trust is at stake when nation-state attackers carry out a ransomware attack.

Much of what we have dealt with during the COVID-19 pandemic is what we have watched play out on the national stage recently – the struggle to figure out what is truth versus fiction. This has only been exacerbated by the onslaught of disinformation around pandemic response, the presidential election and the threat of hackers disrupting national security. When cybercriminals carry out a ransomware attack, they can not only encrypt data, but also commit extortion by manipulating medical data. The issue then becomes deciphering what is real and what is fake. Once that trust in medical data is compromised – trust that most people have, with good reason, blindly believed in their entire lives – it is game over for unprepared healthcare organizations who have unsecured data.

Another scenario to keep in mind is this: what if a hacker manipulates the health care supply chain and disrupts vaccine distribution? As the world waits for a viable COVID-19 vaccine, nation-states are likely gearing up for another few months of prime hacking opportunity. Any interference in vaccine distribution would be devastating for both patients and health care organizations, which are trying to simultaneously contain the virus and keep people safe.

If there is a lesson to be learned this year, it’s to remember that there is no longer a question of if, but when, a cyberattack will happen. It is time to rethink security and reduce risk in health care. Organizations haven’t fully grasped the fact that these systems are a major factor in how care is delivered. It’s not about security or IT operating in silos anymore. The primary issue now becomes trust in health care. Once that trust is broken, care becomes much more difficult for both the provider and the patient. Security is a chief component of the patient care puzzle, and those who figure this out sooner, rather than later, will be successful at maintaining the safety and integrity of their health care organizations – as well as everyone’s personal data.

Featured eBook
Next-Generation Cybersecurity

Next-Generation Cybersecurity

Cyberattacks are always evolving. Cybercriminals continue to discover and exploit new attack vectors and manage to stay one step ahead of cybersecurity. That’s in part because our cybersecurity systems aren’t keeping up: Many organizations continue to rely on legacy systems that were effective for the type of attacks we saw five or 10 years ago … Read More