[BreachExchange] Why are hospitals such a major target for hackers?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 20 20:25:05 EDT 2018


https://www.ifsecglobal.com/hospitals-major-target-hackers/


Bank heists and double-agent spy movies were the go-to thrillers for
Hollywood in times gone by.

The general public could relate to these events, based on true events or at
least plausible fiction.

Yet as the advent of the internet and the ‘digital era’ clawed its way into
mainstream consciousness, the film industry reflected this new age with a
number of cyber hacking films. Skyfall and Snowden are great examples of
corporate and governmental cyber hacking making its way onto film.

How WannaCry ripped through the NHS

It’s easy to see, though, why the story of cyber attacks on healthcare
institutions has yet to make it to the silver screen. But while they don’t
quite have the same mass appeal as a cyber hack on a government, they are
crippling in a different way.

You only need to look at the WannaCry ransomware attack on the NHS last
year to see how devastating these incidents can be.

The attack led to disruption in over a third (34%) of trusts in England,
with thousands of appointments and operations cancelled. It was the biggest
ever cyber-attack on the NHS (although not directed solely at the
organisation) but curiously, no ransom was paid.

In the wake of the attacks, the NHS published a review, Lessons Learned,
which featured 22 recommendations for strengthening the organisation’s
cybersecurity protections. However, the plans have yet to be put in place
or scheduled by the Department of Health, a Public Accounts Committee
report just found.

It wasn’t the first time hospital trusts were hit though; two of the trusts
infected by WannaCry had been infected by previous cyber attacks and Goole
NHS Foundation Trust had been subject to a ransomware attack in October
2016, leading to the cancellation of 2,800 appointments.

The UK is not alone, of course: a US hospital earlier this year had to pay
$55,000 to hackers after being subjected to a separate ransomware attack.

So why is it that hospitals are targeted in this way?

Selling off data

One of the main reasons is the value placed on patient data. This kind of
information on any individual can be hugely valuable on the black market or
potentially even sold back to the hospital.

Threat actors can monetise that data through blackmail. And hospitals will
need to pay for this data or risk getting fined, particularly when you take
into account the impending GDPR.

Now, not only is a hospital’s reputation at stake, but there is also a huge
financial bill if an organisation has to notify that data has been lost and
it had never recorded where that data was stored or located in the first
place.

Away from GDPR, though, hackers are still able to cause significant damage
to not just the trust, surgery or hospital, but to the individuals who
entrust their data to that establishment.

Building up a profile

Last October, a cosmetic surgery in London – used by celebrities – was
hacked by a group known as the Dark Overlord. The hackers stole pictures
and other sensitive information of celebrities and royals in what was a
monumental breach for an industry so steeped in security and privacy.

Stolen information like this will often contain contact details including
name, address, phone number and potentially even financial records.

Even without an immediate financial incentive, threat actors can use this
sensitive information to build up a profile of the person they are trying to
defraud. It’s easy to see why clinics serving high-net-worth individuals are
particularly appealing in this regard.

How healthcare establishments can beat the hackers

Of course, it’s not just celebrities who are vulnerable: everyday patients’
records are under threat whenever a hack occurs. The NHS, facing budget cuts
and a renewed call for the change in “mindset” required to prioritise
meeting the threat of future attacks, is under scrutiny to prevent further
hacks from occurring.

The NHS – and indeed any other healthcare trust or organisation seeking to
manage these risks – needs a multi-layered approach to cybersecurity.

Making sure computers are running the latest patches, ensuring that
investment in security doesn’t fall by the wayside, and taking a more
economical look at cybersecurity strategy are all important first steps.

For smaller, more local trusts, resources are limited, so intelligent
spending is a good way to ensure that costs can be balanced with a solid
cybersecurity approach. Healthcare organisations also need to ensure they
are reviewing all their cyber-supplier contracts so they’re not massively
overpaying for their defence systems.

A trusted specialist security provider is nearly always the best bet in
this instance, as it’s more cost-effective and allows hospitals to tailor
the best security solution for their organisation.

The next attack on our healthcare systems doesn’t have to be around the
corner. A smart, sensible approach to cybersecurity that stops hackers at
the porch door must be a priority.