As the recent global panic surrounding the “Wuhan Coronavirus” demonstrates, health is everyone’s top priority, and anything that endangers it has to be considered a grave threat. But recent events have shown that the biggest challenge facing our healthcare systems is not a biological virus but a computerized one. Numerous hospitals, clinics and healthcare facilities like care centers and even dental clinics have suffered from cyber attacks in the last few years, forcing them to shut down, postpone treatments or manage operations with pen and paper. The recent wave of attacks against healthcare facilities started with the WannaCry infection of 2017, and although there has been no single cyber attack of that magnitude since then, we’ve witnessed a steady rise in the number of incidents and their severity since that watershed moment.
It is estimated that data breaches cost the US healthcare industry $4 billion in 2019. In a survey, a staggering 93% of responders from healthcare organizations said that they had experienced a data breach in the past three years.
In the UK, things are no different. Another survey found that 67% of healthcare organizations had suffered a cyber security incident in the last 12 months, and nearly half of the incidents occurred as a result of malware. Cyber attacks have also hit hospitals and healthcare facilities in the EU, APAC and Australia, making this a truly global epidemic.
How can this uptick in cyber attacks on healthcare providers be explained? Let’s take a look at the threats and challenges the industry is facing.
Hospitals are a rare breed of IT-heavy environments with very little ability to impose the necessary security controls. As such, they suffer from all the “ailments” of modern organizations when it comes to cyber: phishing, ransomware attacks, data theft and even fraud. But unlike a regular enterprise, hospitals suffer from insufficient security resources, abundant legacy systems, multiple operational and IT networks, often without proper segmentation, and to top it off, a shortage of dedicated security personnel.
Given the challenging nature of securing healthcare organizations, it’s vital to have a clear idea of where threats can come from. The security threats to this sector can be divided into two distinct classes: general threats and targeted threats.
General threats such as ransomware, credential theft, and malware infection do not target the healthcare sector specifically, but as explained above, the nature of the environment makes healthcare organizations extremely susceptible to indiscriminate attacks. As we’ve seen over the last 12 to 18 months in the US, the increase in cheap, ransomware-as-a-service products has made it possible for a whole new class of low-level, unskilled threat actors to try their hand at criminal enterprise.
Targeted threats are much more menacing. These can include data theft of specific medical information as well as tampering with medical devices.
In attacks targeting the Singapore health system, the non-medical personal data of a total of 1.5 million SingHealth patients was stolen, and 160,000 of those patients had the records of their dispensed medicines taken too. The stolen data included personal data belonging to the nation’s prime minister, Lee Hsien Loong.
Attacks against medical devices have proven to be possible and potentially lethal. Last year, the U.S. Food and Drug Administration (FDA) issued a warning about two security flaws affecting dozens of implantable cardioverter defibrillators, and very recently the EU has issued guidelines for medical device cybersecurity, showing that regulators around the world are taking this threat seriously.
However, unlike “traditional” threats, mitigating the risk to medical devices is almost exclusively up to the device manufacturers, and in some cases can require replacing an older machine with a newer one. That might be an unrealistic expectation given that some medical equipment – think MRI machines – is so expensive that hospital administrators will prefer to “take their chances” and continue to operate vulnerable machines instead of replacing them with newer, costlier models.
A study published by researchers at Vanderbilt and the University of Central Florida found higher mortality rates for heart attacks at hospitals that had been affected by cyber attacks. At these hospitals, it took 2.7 minutes longer to give patients an ECG in the years following a data breach.
This is likely due to a dual impact: a psychological one arising from doctors and nurses losing trust in their digital equipment, and a procedural one resulting from medical staff having to adapt to new IT procedures aimed at reducing cyber risk.
Nations and individuals spend a fortune on healthcare, and these costs are growing every year. With an aging population, reduced efficiency of treatments such as antibiotics, the emergence of new diseases and the public outcry over cuts to budgets, it is not surprising that healthcare facilities operate on a tight and diminishing budget.
Adopting new cybersecurity solutions within this budget may be challenging, but it is a necessity. Healthcare operators should therefore ask themselves what it would cost to be the victim of a cyberattack. For instance, Erie County Medical Center suffered an intrusion that brought down the hospital’s computer system and cost almost $10 million, a hefty sum for a single attack that far outweighs the costs of a security solution that could have prevented it. It is advisable to analyze how such attacks manifest and invest in preventing or neutralizing these attack vectors. As attacks that cripple healthcare and other facilities involve malware on, or intrusion into, physical devices, securing endpoints is where most of the security budget should be spent.
With vast amounts of personally identifiable information (PII) of the most sensitive kind, a lack of security expertise, insufficient budget and a large attack surface, it is hardly any wonder that healthcare organizations are firmly in the sights of cyber criminals. The answer to these challenges lies in protecting every endpoint that can be protected and having visibility into everything else. SentinelOne’s unique, single agent solution offers both advanced protection and full visibility in one easy-to-use product.