Opinion: Bogdan Botezatu, Senior E-threat Analyst at Bitdefender, discusses why a combination of high value data and lax security practices mean hospitals are increasingly targeted.
Medical records are the new currency among cyber-criminals: on the black market they fetch around ten times the price of credit card information. UK hospitals are not exempt from this growing threat, as cyber-criminals target information of value wherever it resides, including within healthcare organisations. UK hospitals hold extremely sensitive medical records, as do their US counterparts, one of which recently succumbed to a ransomware attack that caused significant damage.
On average, users globally are willing to pay up to £400 to decrypt their files following a ransomware attack, compared with the $17,000 (£11,792) recently paid by Hollywood Presbyterian Medical Centre in Los Angeles. That is a potential mark-up of 2848 per cent for targeting computers within hospitals rather than home users, so the motivation for attackers to focus on healthcare environments is significant. This offensive against the healthcare industry is a result not only of lax security practices, but also of how simple and effective attacks on the relevant IT systems have proven to be.
The majority of cyber-attacks are financially motivated. Ransomware packages are now available on the dark net in exchange for a percentage of the resulting earnings, removing the upfront cost and putting ransomware in the hands of a far broader range of malicious actors. Beyond what a traditional ransomware attack yields, a cybercriminal who gains access to personal medical records can extort the victim for a significant amount of money, create fake IDs, purchase medication, or even file false insurance claims.
Ransomware on the rise – is the NHS sufficiently protected?
Hospitals are a ripe target because they are ill-prepared to protect their networks from sophisticated cyber-attacks. Although these organisations focus on protecting patient data, they simply do not have the resources to defend their computer systems properly. Phishing schemes, for example, are notoriously effective as a method of malware propagation and, because they rely on social engineering rather than on a technical flaw, are difficult to protect against. Bitdefender research found that 44 per cent of ransomware victims in the UK have in fact paid to recover their data, making ransomware one of the most effective forms of malware available today.
Within the NHS, the transition from paper to electronic medical records does indeed have numerous benefits. The downside to digitising so much sensitive information, however, is the risk posed through unsecured or vulnerable systems. This could leave patient records open to unauthorised access, cause violations of new data breach laws, and lead to medical and financial identity theft.
Unauthorised access to hospital networks has multiple consequences and, in this industry, data and financial losses are not the worst case scenario. PwC has predicted that the market for internet-connected healthcare products will rise to $285bn by 2020. Once access to a network is gained, attackers can interfere with medical systems beyond traditional IT: they could potentially mix up blood samples or drugs, disrupt patient monitors or disable vital equipment.
How do you protect medical equipment and patient data?
Hospitals must recognise the seriousness of this threat and carry out a comprehensive risk assessment to identify existing vulnerabilities within their systems. With digital records set to become a mainstay within UK hospitals, regular backups will shift from important to vital; to be of any use against ransomware, those backups must be kept offline or otherwise out of reach of the infected network, and restoring from them must be tested rather than assumed to work. Employees must also be trained to recognise social engineering attacks such as phishing, which is the number one infection vector in such attacks.
Hospitals, like any poorly secured IT network, are vulnerable to cyber-attacks ranging from malware to simple hacking. Many medical devices ship without security built in by the manufacturer, and many more still run with the original default password; that password should be changed before the device is connected to the network, and a device whose credentials cannot be changed should be isolated on its own network segment. Ransomware has affected a rising number of hospitals and outpatient offices; US-based MedStar recently lost operation of 10 hospitals and more than 200 outpatient offices as a result. With an increase in valuable, digitised patient records, the risk-to-reward ratio of targeting medical centres is shifting steadily towards reward.