Criminals focused on getting a financial return from cybercrime have identified a particularly attractive target: the healthcare industry. The industry has a set of characteristics that make it ideal for all kinds of cyber attacks, including:
- Preventing access to IT systems immediately triggers life-and-death consequences for patients under care, ensuring that a resolution becomes of critical urgency for the healthcare provider. If a doctor or nurse cannot read a patient's electronic health record to review critical health information, for example, a patient could be given a life-threatening prescription or the wrong procedure, leading to significant legal liability.
- Stealing healthcare records is a lucrative business because of the inclusion of most of the personal, medical, and financial information a criminal requires for identity theft, medical fraud, financial misdemeanors, tax fraud, and insurance fraud, among others. In short, it’s the ultimate cheat sheet, and given that most of the core identifiable information can't be changed (such as a person's date of birth and Social Security number), it offers value for years to come.
- Crippling IT systems is comparatively easier than in other leading industries because of systematic underinvestment in IT security within the healthcare industry, along with difficult-to-update medical devices that continue to run outdated and vulnerable operating systems.
- An industry-wide lack of trained cyber security professionals, since much of the recent focus within the healthcare industry has been on implementing electronic health records systems (EHRs) under externally-imposed tight deadlines. With many IT professionals in the sector focused on new and emergent EHRs, there are new vulnerabilities and weaknesses to exploit.
- Well-known cases in which healthcare providers have paid the ransom to reverse a ransomware infection because of a lack of backup capabilities, process failures, and the general urgency to get back to business as quickly as possible (since lives are at risk). Getting a reputation as a soft target is not a good thing.
- Interestingly, healthcare “is the only industry where employees are the predominant threat actors in breaches.[i]"
The healthcare industry finds itself under cyber attack from many vectors, including ransomware, malware and targeted attacks. While these attacks specifically cause direct harm to IT systems, it's the flow-on effects that have the industry reeling.
Cyber attacks are able to:
- Undermine the ability of a healthcare provider to function. In the WannaCry ransomware attack in mid-May 2017, for example, hospitals across the United Kingdom had to divert incoming patients onboard ambulances to other hospitals, cancel surgeries that were within minutes of starting, and revert to tedious manual processes for critical care situations. Even basic processes like admitting a patient and printing a wrist band were compromised. The survey conducted for this white paper found that one in ten organizations surveyed were impacted by WannaCry.
- Encrypt the electronic health records system at an institution, preventing access to core health data on patients currently under care. Healthcare professionals must return to paper-based processes for critical care situations, a work-style for which digitally native doctors and nurses may have never been trained.
- Exploit vulnerabilities in state-of-the-art medical devices that operate on outdated operating systems, such as CT scanners and MRI devices. This prevents their use for day-to-day diagnostic and analysis tasks, causing immediate consequences for patients under care, and costing enormous amounts in lost revenue per day.
- Prevent the use of standard everyday communication tools, such as phone systems and email, making it difficult for doctors, nurses, and all other healthcare professionals to deliver patient care.
- Exfiltrate valuable patient data for sale on the black market, triggering data breach notification requirements for healthcare providers, thus opening themselves up for regulatory fines, reputational damage, and class action suits.
The key infection vectors for the healthcare industry are:
- Email attachments that masquerade as standard business documents, but carry or point to a malicious payload that introduces malware or holds the user's computer and connected devices for ransom.
- Web links that are disguised to look like a trusted site but point to a false and malicious destination. Link-shortening services are particularly dangerous because it is so easy for a convenient short link to hide a malicious destination.
- Drive-by-downloads from malicious web sites that exploit known vulnerabilities in out-of-date applications and unpatched operating systems.
- Advertisements on web sites and within applications that have been compromised, and carry a malicious payload. Since the user is visiting a known and trusted web site, the likelihood of being deceived by the malicious ad is higher.
- Free downloads of normally expensive software that have been changed to include malicious components, or that merely masquerade as expensive software. The malicious payload can install a persistent threat that records keystrokes, exfiltrates data, or holds the computer for ransom.
- USB drives that have become accidentally or intentionally infected with malware or ransomware. Plugging in the drive to share files with a colleague also introduces a malware or ransomware threat.
The good news is that protecting healthcare data during the previous 12 months has become a “higher” or “significantly higher” priority for 47 percent of the organizations surveyed for this white paper.
ABOUT THIS WHITE PAPER
This white paper is sponsored by Mimecast. Information about the company is provided at the end of this paper.