Why are hospitals such a target for hackers?
Bank heists and double-agent spy movies were historically Hollywood’s go-to thrillers. The general public could relate to these events, set against a backdrop of reality or at least plausibility.
Yet as the advent of the internet and the ‘digital era’ clawed its way firmly into mainstream consciousness, the film industry reflected this new age with a barrage of cyber hacking films – Skyfall and Snowden are great examples of corporate and governmental cyber hacking making its way into film.
How WannaCry ripped through the NHS
It’s easy to see, though, why cyber attacks on healthcare institutions are often left on the cutting room floor. While they don’t quite have the same mass appeal as a cyber hack on a government, they are crippling in a different way. You only need to look at the WannaCry ransomware attack last year on the NHS to see how devastating these incidents can be.
The attack led to disruption in over a third (34%) of trusts in England, with thousands of appointments and operations cancelled. It was the biggest cyber attack on the NHS ever (although not directed solely at the organisation) but curiously, no ransom was paid.
It wasn’t the first time hospital trusts were hit though; two of the trusts infected by WannaCry had been infected by previous cyber attacks and Goole NHS Foundation Trust, as another example, had been subject to a ransomware attack in October 2016, leading to the cancellation of 2,800 appointments.
So why is it that hospitals are targeted in this way?
Selling off the data
One of the main reasons is the value placed on patient data. This kind of information on any individual can be hugely valuable on the black market or potentially even sold back to the hospital; threat actors can monetise that data through blackmail. And hospitals will need to pay for this data or risk getting fined, particularly when you take into account the impending GDPR.
Now, not only is a hospital’s reputation at stake, but there’s also a huge financial bill on the back of this if companies give notice that data has been lost and they haven’t reported where it was stored or located in the first place.
Away from GDPR, though, hackers are still able to cause significant damage to not just the trust, surgery or hospital, but the individuals who entrust their data to that establishment.
Building up a profile
Last October, a cosmetic surgery in London – used by celebrities – was hacked by a group known as the Dark Overlord. The hackers stole pictures and other sensitive information of celebrities and royals in what was a monumental breach for an industry so steeped in security and privacy.
Stolen information like this will often contain contact details including name, address, phone number and potentially even financial records. Even without an immediate financial incentive, threat actors can build up a profile of the person they are trying to defraud using this sensitive information. And it’s easy to see why clinics with high-worth individuals are particularly appealing in this regard.
How healthcare establishments can beat the hackers
Of course, it’s not just celebrities who are vulnerable, but everyday patients, whose records are under threat whenever a hack occurs. The NHS, facing budget cuts and a renewed call for the change in “mindset” required to prioritise meeting the threat of future attacks, is under scrutiny to prevent further hacks occurring.
To manage these risks, the NHS – and indeed any other healthcare trust or organisation – needs a multi-layered approach to cyber security. Making sure computers are running the latest patch, ensuring investment in security doesn’t fall by the wayside, and looking more economically at cyber security strategies are all important first steps.
For smaller, more local trusts, resources are limited, so intelligent spending is a good way to ensure that costs can be balanced with a solid cyber security approach. Healthcare organisations also need to ensure they are reviewing all their cyber supplier contracts so they’re not massively overpaying for their defence systems.
A trusted specialist security provider is nearly always the best bet in this instance, as it’s more cost-effective and allows hospitals to tailor the best security solution for their organisation. The next attack on our healthcare systems doesn’t have to be around the corner. A smart, sensible approach to cyber security that stops hackers at the porch door must be a priority.
This article was written by David Navin, Smoothwall's Corporate & Healthcare Security Specialist, and previously published on IFSEC Global.