My Hospital Caught a Virus | How Healthcare Is Sick With Cyber

As the recent global panic surrounding the “Wuhan Coronavirus” demonstrates, health is everyone’s top priority, and anything that endangers it has to be considered a grave threat. But recent events have shown that the biggest challenge facing our healthcare systems is not a biological virus but a computerized one. Numerous hospitals, clinics and healthcare facilities like care centers and even dental clinics have suffered from cyber attacks in the last few years, forcing them to shut down, postpone treatments or manage operations with pen and paper. The recent wave of attacks against healthcare facilities started with the wannacry infection of 2017, but even though there haven’t been any single cyber attacks of this magnitude since then, we’ve witnessed a steady rise in the number of incidents and their severity since that watershed moment.

image of healthcare

Cyber Attacks on Healthcare: A Global Epidemic

It is estimated that data breaches cost the US healthcare industry $4 billion in 2019. In a survey, a staggering 93% of responders from healthcare organizations said that they had experienced a data breach in the past three years.

In the UK, things are no different. Another survey found that 67% of healthcare organizations had suffered a cyber security incident in the last 12 months, and nearly half of the incidents occurred as a result of malware. Cyber attacks have also hit hospitals and healthcare facilities in the EU, APAC and Australia, making this a truly global epidemic.

 

How can this uptick in cyber attacks on healthcare providers be explained? Let’s take a look at the threats and challenges the industry is facing.

Cyber Challenges to Healthcare in 2020

Hospitals are a rare breed of IT-heavy environments with very little ability to impose the necessary security controls. As such, they suffer from all the “ailments” of modern organizations when it comes to cyber: phishing, ransomware attacks, data theft and even fraud. But unlike a regular enterprise, hospitals suffer from insufficient security resources, abundant legacy systems, multiple operational and IT networks, often without proper segmentation, and to top it off, a shortage of dedicated security personnel.

Hospitals are Complex Environments

One of the major security challenges in hospitals is the complexity of the environment. This alone makes security much harder than in the ordinary enterprise. A hospital can contain a number of IT networks, operational networks, connected medical equipment, legacy IT and OT systems such as HVAC systems and other industrial machinery such as generators. Many of these systems are old and have not been patched for years. Others are legacy systems, and it is anybody’s guess just how many security flaws they suffer from. Then there’s the medical equipment: very sensitive, expensive and mission critical. All these factors make it hard to deploy standard security solutions to secure then environment.

‘Service First’ Is an Obstacle to Security

A modern hospital treats thousands of patients every day and is now required to be able to provide digital services in addition to physical ones. This means that stringent cybersecurity measures are difficult to employ since anything that is considered a nuisance will detract from the “customer experience” and cause patients to complain that their welfare is not top priority. Staff are geared toward providing the best medical care for patients, and are much less security-minded than employees in other sectors.   

A Lack of Security Expertise Is Common

A survey conducted two years ago found that 84% of hospitals were operating without a dedicated security executive. In one respect, that’s because the healthcare industry suffers from the same challenges as all the rest when it comes to recruiting security personnel, who are hard to find and expensive to hire and retain. But the situation is comparatively worse for healthcare than other sectors facing the same challenges. 

Healthcare organizations typically have lower budgets for security than other types of organizations, which makes it difficult for them to compete in terms of attractive salaries and remuneration packages given the small pool of talent available. In addition, the wide range and specialist nature of medical devices used in healthcare make it even more difficult to find staff with the requisite skills. A candidate with only Windows security background is not going to be sufficient. 

With a shortage of staff and a lack of the requisite expertise, the attack surface in healthcare is growing over time, as more unmanaged, unpatched devices with unknown flaws continue to appear on the network.

Heavy Regulation Is a Boon…and a Bane

The healthcare industry is heavily regulated. This is positive because it forces institutes to take patients’ privacy seriously. However, it also means that shifting from older, more vulnerable infrastructure to a modern, secured cloud environment is challenging.   

In one survey, over half of the participants said they had 50 or more data sources that needed to be inventoried and assessed for sensitive data content.

According to the study, the sheer quantity, variety, and velocity of data being consumed by healthcare organizations exceeds the capacity of the access and monitoring tools available to them, meaning it’s impossible to fully secure the personal data crisscrossing their networks.

The Security Threats Facing Healthcare

Given the challenging nature of securing healthcare organisations, it’s vital to have a clear idea of where threats can come from. The security threats to this sector can be divided into two distinct classes: general threats and focused threats.

General threats such as ransomware, credential theft, and malware infection do not target the healthcare sector specifically, but as explained above, the nature of the environment makes healthcare organizations extremely susceptible to indiscriminate attacks. As we’ve seen over the last 12 to 18 months in the US, the increase in cheap, ransomware-as-a-service products has made it possible for a whole new class of low-level, unskilled threat actors to try their hand at criminal enterprise.

 

Targeted threats are much more menacing. These can include data theft of specific medical information as well as tampering with medical devices. 

In attacks targeting the Singapore health system, a total of 1.5 million SingHealth patients’ non-medical personal data were stolen, while 160,000 of those had their dispensed medicines’ records taken too, including personal data belonging to the nation’s prime minister Lee Hsien Loong

Attacks against medical devices have proven to be possible and potentially lethal. Last year, the U.S. Food and Drug Administration (FDA) issued a warning about two security flaws affecting dozens of implantable cardioverter defibrillators, and very recently the EU has issued guidelines for medical device cybersecurity, showing that regulators around the world are taking this threat seriously. 

However, unlike “traditional” threats, mitigating the risk to medical devices is almost exclusively up to the device manufacturers, and in some cases can require replacing an older machine for a newer one. That might be an unrealistic expectation given that some medical equipment – think, MRI machines – is so expensive that hospital administrators will prefer to “take their chances” and continue to operate vulnerable machines instead of replacing them with newer, costlier models.

Problems Persist After Security Breaches

A study published by researchers at Vanderbilt and the University of Central Florida found higher mortality rates for heart attacks at hospitals that had been affected by cyber attacks. At these hospitals, it took 2.7 minutes longer to give patients an ECG in the years following a data breach.

This is likely due to a dual impact: a psychological one arising from doctors and nurses losing trust in their digital equipment, and a procedural one resulting from medical staff having to adapt to new IT procedures aimed at reducing cyber risk.

And What About the Financial Cost?

Nations and individuals spend a fortune on healthcare, and these costs are growing every year. With an aging population, reduced efficiency of treatments such as antibiotics, addition of new diseases and the public outcry over cuts to budgets, it is not surprising that healthcare facilities operate on a tight and diminishing budget.

Adopting new cybersecurity solutions within this budget may be challenging, but it is a necessity. Given that this is the case, healthcare operators should ask themselves what would be the cost of being the victim of a cyberattack? For instance, Erie County Medical Center suffered an intrusion that brought down the hospital’s computer system and cost almost $10 million, a hefty sum for a single attack that far outweighs the costs of a security solution that could have prevented it. It is advisable to analyze how such attacks manifest and invest in preventing or neutralizing these attack vectors. As attacks that cripple healthcare and other facilities involve malware on or intrusion of physical devices, securing endpoints is where most of the security budget should be spent.

Conclusion

With vast amounts of personally identifiable information (PII) of the most sensitive kind, a lack of security expertise, insufficient budget and a large attack surface, it is hardly any wonder that healthcare organizations are firmly in the sights of cyber criminals. The answer to these challenges lies in protecting every endpoint that can be protected and having visibility into everything else. SentinelOne’s unique, single agent solution offers both advanced protection and full visibility in one easy-to-use product. If you would like to find out more about how SentinelOne can help secure your organization, contact us or request a free demo.