Targeting healthcare: hackers exploit poor cyber security practices

Healthcare is one of the sectors most heavily targeted by hackers, as the personal data contained within medical records is particularly extensive and, therefore, lucrative.

Cyber security experts have long agreed that one reason for the high rate of successful attacks in this sphere is that many IT systems run on old and outdated hardware and software, both because of a serious lack of investment and because critical medical devices cannot easily be taken offline.

In the UK the WannaCry malware attack in June 2017 brought into sharp focus the failings of the NHS to implement up-to-date cyber security strategies - and software - to protect their networks. The attack forced an estimated 19,000 cancelled operations and appointments, disrupted 34% of NHS England trusts and led to infections at 603 primary care and other NHS organisations, including 595 GP practices. Whether the attack would have been prevented had Windows 10 already been running on the systems is debatable, however, as an unpatched vulnerability was ultimately discovered to have been the cause of the original infection.

Nevertheless, the failure to update systems and software doubtless contributes to the challenges facing the health sector in the UK. Recognising this, the government has recently announced extra funding totalling some £150m to be directed towards enhancing cyber security in the NHS. This will include updating all systems to run on Windows 10. Further, a new NHS Security Operations Centre will be established, allowing the management of threat detection and response to be centralised.

Over in the US, meanwhile, healthcare organisations have been plagued by ransomware attacks. The incidents are typically disclosed several months after they have happened. In April, for example, the Center for Orthopaedic Specialists (COS), based in California, alerted 85,000 current and former patients that it had been attacked in February; the encrypted data included patient names, dates of birth, medical records, and social security numbers.

In a different type of attack, the Decatur County General Hospital in Tennessee notified 24,000 patients after its EMR (Electronic Medical Records) systems were hit with cryptocurrency mining software. While the primary goal of the attack was to mine for cryptocurrencies, some personal records may also have been exposed in the process.

And CareFirst, the largest health insurer in Maryland, illustrated a typical phishing campaign: it was reported that nearly 7,000 members may have had their personal data accessed after an employee opened a malicious email.

Assessing the reasons for the attacks more broadly and at a global level, it is clear that some hackers are focusing their efforts specifically on medical devices. Hospitals and other organisations related to healthcare use an increasing variety of IoT devices, whether for monitoring the health of patients, for diagnostic and surgical procedures, or for other purposes such as CCTV or air conditioning systems. Recent research from Trend Micro revealed that at any given time there could be as many as 80,000 exposed devices running in connected hospitals around the globe. Such devices offer tempting targets for hackers who will attempt to exploit flaws either to override systems – perhaps as part of an extortion scam – or in efforts to access patient databases.

There is a general recognition among cyber security experts that such devices are particularly vulnerable to attack because they are expensive to maintain and replace, and because it may not be possible to take them offline for appropriate software updates. Lax security practices may also extend to poor installation, such as failing to secure the devices adequately and leaving them running with default passwords.

Some hackers and groups focus specifically on medical equipment. The group called Orangeworm, for example, has been targeting computers that control MRI and X-ray machines at healthcare organisations around the world since 2015. The Kwampirs backdoor Trojan has been used in all of the attacks, and hospitals have been hit in North America, Europe, the Middle East and Asia.

Orangeworm has also targeted pharmaceutical companies, leading to the suspicion that the hackers involved may be part of a state-sponsored group with a remit to steal proprietary information, such as patents and trademarks. The development of new medication and treatments can take many years and involve both high risks and high costs: protecting that intellectual property is therefore of paramount importance for pharmaceutical companies.

One other factor facing the healthcare industry concerns the threat of insider data breaches: in many cases these are not the result of malicious attacks, but occur when employees click on malicious attachments (as in the US phishing attack mentioned above), or simply press the wrong button when transferring data across networks.

The major cyber threats affecting the healthcare sector are also of course faced by companies and organisations operating across all other spheres, and this brief scan of the issues involved illustrates the importance of implementing robust cyber security practices. As well as ensuring that software is properly updated and patched in a timely manner, employees should be reminded of the possible dangers that may be awaiting them when opening emails or attachments from unknown or untrusted senders. And finally, a culture of sharing information about vulnerabilities and breaches should be encouraged across all sectors.