A new report has shown the cyber-security of the healthcare industry to be alarmingly poor. The report, called Securing Hospitals, notes that medical security skews heavily towards the protection of patient data at the cost of looking out for other advanced threats.
The report notes, “the efforts that do aim to protect patient health do not address intelligent cyber-threats. Defending patient health and patient records is not one-in-the-same, and placing the focus on records harshly ignores the patient health aspect. So long as this is the mission of the industry, it is unlikely that patients' health will be adequately protected in the healthcare ecosystem.”
Independent Security Evaluators (ISE) carried out the investigation, bringing together an investigation into the cyber-security of 12 health care facilities, two health care data facilities, two medical device manufacturers, two web applications and others systems on these networks.
While the industry is aware of the array of threats that confront it, it underestimates its sophistication and motivation. Currently in place in the healthcare industry are tired legacy systems, and measures that deal with blanket attacks that want to steal patient records. This leaves healthcare bodies, unprepared for the advanced threats marshalled against them.
The problems were manifold. If researchers did find security policies, they were often ineffective. Some hospitals suffered from a lack of funding or staffing not to mention a lack of training in cyber-security issues. On the technical side, network architecture was often insecure and was often hampered by an inability patch software and poor access controls.
Furthermore, healthcare bodies are in something of a rare position in terms of cyber-security in the sense that people can walk into a hospital and access the equipment, able to 'physically hack' the equipment before potentially exploiting it remotely.
So why have we not yet seen a VTech or TalkTalk scale breach on a hospital? Ted Harrington, executive partner at ISE, told SCMagazineUK.com that “we are not sure why there hasn't been a publicly disclosed, large scale attack yet. What our research shows is that it is very possible. Our hope is that this research can help the industry proactively try to head off a large scale compromise in the future.”
Tony Dyhouse, a cyber-security veteran has his own ideas. He told SC, that unlike retail breaches, healthcare provides a different kind of information which need to be exploited in a different way, “there's also a chance that even some hackers have some morals, and to go after a commercial entity is different from a service to a population or something that is so personally individual.”
According to Dyhouse, Healthcare is so far behind other sectors because “it focuses on the implementation of technology to save time and finances, and to enable operational efficiency, without understanding the threats fully. Just like some other industries – putting functionality and commercial aspects above testing and security.”
The health sector has long been a target for criminals and the ire of the industry for not paying enough respect to cyber-security. A series of Freedom Of Information (FOI) requests by Accellion showed that the NHS' lack of cyber-security awareness was ‘alarming'.
At the recent Kaspersky Lab Security Analyst Summit, security researcher Sergey Lozhkin said just how easy it was to hack a Moscow hospital and how one could find thousands of internet connected medical devices via simple Shodan searches. Perhaps the most worrying recent example was the case of the Hollywood Presbyterian Medical Center being infected with ransomware by predatory hackers, resulting in a payout of over £12,000 after being thrown offline for almost two weeks.
Ben Johnson, co-founder and chief security strategist at Carbon Black told SC that “the health sector is at risk from the same type of hacker as any other industry – but it's usually a softer and more lucrative target. To start with, the value of stolen health data is 10 times the value of a stolen credit-card number. Unlike a credit card, which easily can be cancelled and reissued, medical records contain Social Security numbers, medical conditions and contact information for other family members. Criminals can use medical information to file false claims, acquire prescription medications or even blackmail consumers.”