By Sam Bohnel | Security Consultant at Nettitude
In May 2017, the ransomware attack named WannaCry targeted computers running outdated and unpatched Microsoft Windows operating systems. The cyber-attack encrypted users' files, and unsuspecting victims were held to ransom for the return of their data. It was estimated the attack affected roughly 300,000+ computers worldwide.
One of the major victims of WannaCry was the National Health Service, with up to 70,000 devices in hospitals in England and Scotland said to be infected by the ransomware cryptoworm. Critical medical devices including MRI scanners, blood storage refrigerators and theatre equipment were affected, resulting in severe disruption to the NHS and an estimated £92 million cost.
WannaCry is just one case study among numerous health organisations that have become victims of cyberattacks. But just why is the health sector such an enticing target for hackers?
What is the current healthcare attacks landscape?
According to the 2020 Verizon Data Breach Investigation Report (DBIR), data breaches in the health sector were up 58% on the previous year, with a total of 521 confirmed data breaches. Another intriguing statistic outlined in the report concerns the type of threat actor conducting these attacks: the split between external (51%) and internal (49%) actors was almost even. The healthcare sector also has the highest percentage of internal threat actors of any sector.
These statistics indicate that the healthcare sector is being targeted by cyber-attacks in record numbers. There are a variety of contributing factors as to why this is occurring. Below, we highlight some of the key reasons.
- Sensitive Patient data
- Outdated technology
- Attack surface / Entry Points
Sensitive Patient data
Healthcare organisations are responsible for processing and storing a vast amount of sensitive medical data on patients. This poses a lucrative opportunity for hackers who intend to profit from compromising confidential medical records, which are often sought after on the black market. It was reported in 2017 that a high-profile plastic surgery clinic based in London was subject to a data breach in which attackers stole terabytes of data. It is understood the clinic had a number of high-profile clients.
The introduction of legislation such as GDPR (General Data Protection Regulation) in recent years has placed more onus on organisations to protect personal data, with the potential risk of large fines being levied should organisations breach GDPR regulations. This applies to any organisation processing and storing data within the EU.
In the US, healthcare organisations are regulated under HIPAA (Health Insurance Portability and Accountability Act). There is therefore an incentive for the health sector to protect patient data, although limited resources often make this a challenge.
Attack Surface / Entry Points
The adoption of more internet-connected devices in recent years has opened up a larger attack surface in the healthcare sector. Network-connected medical devices such as X-ray machines, heart rate monitors and surgical robots, along with numerous other devices, make up the Internet of Things (IoT) medical ecosystem.
The IoT revolution has already begun; a 2019 Gartner report estimated that 30% of all network-connected endpoints at an average enterprise are IoT devices. A problem that plagues IoT devices in general is that they are not subject to the same security scrutiny as more traditional devices; typically, convenience and cost outweigh the need for security.
The issue with such an abundance of network-connected IoT devices is that an attacker can compromise one weakly secured device and then move laterally within the network towards more critical assets.
Education on cybersecurity and healthcare
Education on cyber threats is a large issue, and not only one affecting the healthcare sector. One of the key threats to the healthcare sector noted in the Verizon DBIR was crimeware (including ransomware). Phishing is a common technique in which an unsuspecting victim is coerced into providing sensitive information, typically via an email or text message from a seemingly reputable source. Whilst phishing is not exclusive to healthcare organisations, a large percentage of ransomware in healthcare is distributed through phishing. Awareness and education on these types of attack, as well as on other security best practices, will help to establish control over ongoing security threats.
Overall, the healthcare sector has various obstacles to overcome in addressing the cybersecurity challenges detailed above. The current landscape heading into early 2021 has presented a number of new challenges, not least the health sector being overwhelmed by the coronavirus pandemic. Unfortunately, hackers will identify this as an opportunity to exploit the vulnerable.
The NHS has teamed up with law enforcement and security agencies to warn the public not to fall victim to hackers trying to exploit the vaccine programme. Members of the public have already been targeted by phishing campaigns inviting them to sign up to be vaccinated and requesting personal details, including bank details.
IBM suspects that nation-state hacking groups have already targeted the temperature-controlled supply chain known as the cold chain, which is used to ensure that supplies are kept at the correct temperature. It is understood that a global phishing campaign was recently launched targeting the organisations involved in COVID-19 cold chain distribution.
The healthcare sector has become an appealing target for cybercrime. New pressures will undoubtedly be placed on healthcare professionals and IT professionals alike moving forward in 2021. New infrastructure, combined with extreme time pressure, could mean security is left as an afterthought.