By Leigh-Anne Galloway, cyber security resilience lead, Positive Technologies.
It has become clear in the last few years that when it comes to cybercrime, hackers are not fussy about which organization or sector they focus on – if there’s profit to be made, anyone is a potential target.
There are, however, sectors that will always be especially attractive to cybercriminals. Financial institutions, banks and retailers are among the most targeted: most attacks are motivated by financial gain, and these organizations hold money and payment data that can be monetized directly. The healthcare sector is also heavily targeted because of the volume of sensitive personal data it holds. Medical records can be stolen and used for a range of purposes, including identity fraud and insurance fraud, and as a result attackers' interest in healthcare institutions has grown markedly in recent years.
Much of this attention stems from attackers viewing healthcare as a reliable source of money. Media reports have repeatedly described data leaks from medical centers followed by ransom demands sent not only to clinic management but directly to patients, who are pressured with the threat of their records being published.
There are several other ways criminals can monetize attacks on healthcare equipment and applications: threatening patient safety by altering stored clinical information; using stolen identities to fraudulently obtain medical care or controlled medications; exploiting personal information about patients and their family members; and sabotaging websites or infrastructure on behalf of unscrupulous competitors. Stolen healthcare data can also be resold to third parties such as insurers, healthcare providers and banks, who may use it for advertising, research or even discrimination based on pre-existing conditions.
One specific avenue of attack arises from recent advances in medical technology. A growing number of devices, including pacemakers, drug pumps (such as insulin infusion devices) and implantable defibrillators, now offer wireless connectivity so that clinicians can monitor and adjust them and update their firmware. That convenience also makes the devices potentially dangerous for patients: the configuration and update channel is an attack surface. An attacker who reverse-engineers the communication protocol and finds a vulnerability in the small piece of software running on the device could, for example, alter the pacing rate set on a pacemaker, deliver an incorrect drug dose, or cause the device to report false readings, leading clinicians to wrong conclusions and mistakes in treatment. A practitioner assessing such a device should therefore ask whether commands and firmware updates are authenticated and whether the wireless link is encrypted, rather than assuming the protocol is obscure enough to be safe.
Because stolen healthcare data can be used in so many ways, and because cybercrime tooling is getting cheaper and more accessible, it is very likely that attackers will continue to zero in on the healthcare sector in 2019. This is all the more probable because security in the sector is not improving at the rate at which criminals are producing new exploits. New ransomware variants appear every day thanks to ransomware-as-a-service, while new defensive technologies are adopted far more slowly. Alarmingly, the attacker profile has also changed: even low-skilled criminals seeking easy profit now run ransomware campaigns. There is therefore a growing likelihood that health services will be brought to a halt by ransomware, as happened to the UK National Health Service during the WannaCry outbreak in May 2017.
Healthcare providers often have a false sense of security because they trust their public cloud providers and their medical software and equipment vendors to handle security for them. The only way to make vendors invest more in security is for hospitals and healthcare organizations to make information security a priority and to ask vendors, before purchasing, what they have done to secure their products. In the coming years, the cybersecurity of treatment systems will be as important to patients' health as the chemical safety of drugs.