Healthcare Hackers: The juice is worth the squeeze
The healthcare industry is no stranger to the constant struggle of cybersecurity. A struggle which costs it an estimated $5.6 billion each year, making it the most attacked industry globally. With Bitcoin allowing attackers to stay anonymous and healthcare organizations waiting with a bullseye on their buildings – it’s time to get prepared.
The nature of healthcare across the globe means inevitably they deal with sensitive information, and where there is valuable data, hackers are never far away. Data recorded by IBM showed that in 2015, 100 million healthcare records were compromised, from more than 8,000 devices in over 100 countries.These numbers are jarring, highlighting the vulnerability of the healthcare industry and why it is a prime target for attacks: the data they have is so valuable and frequently their security protocols are so lax.
The Hospitals Under Siege:
8 out of 10 healthcare institutions were hit with 2 or more data breaches in 2015, almost half had more than 5. Overall, there is a lack of qualified IT security across the board and budgets for qualified staff remain small. Often, organizations don’t deem customer data as their highest priority and are behind the times with IT security, which can snowball until disasters strike.
Health records are ideal for hackers, remaining valid and exploitable documents for years while containing valuable information like social security and credit card numbers. Hackers can make more money from electronic health records (EHRs) than they can from credit card data alone. The information is simply too good and the financial rewards so high. Because healthcare institutions don’t have the same security protocol as banks, there have been cases where fake insurance credentials have been used to undergo costly surgeries and the fraud only noticed months later.
The Top 10 Security Issue for Healthcare Institutions:
- Employee Negligence: Although cyber attacks are the leading cause of data breaches in healthcare, security issues caused by negligent employees are often the easiest means of infections for attackers. Proper education is also the best method for defending against or stopping attacks on your business. Aberdeen group found that proper employee education can reduce the risk of cyber-attacks from 70% to 45%.
- Limited Spending on cyber security: while financial institutions, banking, and governmental organizations spend between 12 – 15 % of their IT budget on security programs. Healthcare, on the other hand, spends significantly less than this with Symantec estimating they spend as little as 6%.
- Weak Passwords: Health chiefs, in the NHS (UK), found that one in four official user accounts that allowed access to sensitive information was not adequately protected. Inactive accounts from departed staff members were still active on systems, as were unchanged or weak passwords which leave the whole network vulnerable.
- Ransomware: This year’s security buzzword that wreaked havoc across many industries including Healthcare. Ransomware invariably demands payment be paid in bitcoins. Some hospitals have openly admitted paying out cyber criminals, including Hollywood Presbyterian Medical Centre and MedStar Health. The NHS was also attacked by WannaCry, shutting down computers up and down the UK.
- BYOD (Bring your own device) is on the increase in the healthcare industry with as many as 81% of healthcare providers allowing doctors and nurses to bring their own mobile devices and laptops to work. The cyber security risk in this is two-fold: 1. Portable devices can easily be lost or stolen, often with sensitive data on their drives. Secondly, if people are using the device for personal and work use they can bring malware and viruses from outside the network, inside.
- Phishing Attacks: a common attack simply lurking in your inbox. Hospital staff should be careful to engage with third parties they aren’t 100% sure are authentic and all requests from a customer should be verified. As with any good internet hygiene never give passwords or usernames over the web – banks will never ask you to type in your password from links in email or social networks.
- Cloud Threats: the healthcare industry has been historically resistant to technological change. Mainly due to storage and data privacy concerns, they have been particularly slow to adopt cloud-based data storage solutions. Resistance will only last so long, however, as cloud adoption will become inevitable – it is important when the transition is made, the roadmap is laid out and strong encryption and security measures are taken.
- Encryption Blind Spots: Encryption is a great tool for transferring data, especially between onsite and off-site applications. However, hackers have managed to find a way to hide inside encrypted data and encryption makes it more difficult for analytics to recognize and monitor breaches. For this reason hospitals should run a layer of security that monitors encrypted traffic so there are no blind spots in their network.
- Viruses: A Trojan horse sitting silently in your network hoovering in data and spreading it on the dark web. What could be worse? For this reason alone, you need up-to-date, top-class antivirus protections that is monitoring you around the clock.
- Business e-mail compromise: a little publicized but large problem with email security. Hackers simply monitor interactions between parties or impersonate senior executives in a company and redirect or funnel invoices to different bank accounts. The BEC scam continues to grow and evolve since 2015 the identified losses from BEC are estimated to be over $3 Billion.
If you are looking to improve your office or hospital security, speak to Aware today.
Digital Marketing Manager at Aware Group: Working his way through the world of technology and Thailand as best as he can. Happy to contribute to other tech publications.