Hospital IT Security: Keeping Your Patient and Data Safe

Hospitals consistently upgrade their equipment to provide the best healthcare services for their patients. Unfortunately, the same does not seem to apply to their IT infrastructure, which remains vulnerable to cyber security threats.

Hospitals continue to be a frequent target for cyberattacks, with hackers stealing valuable information such as medical records, social security numbers, and contact information of patients.

The Cyber Threat Landscape in the Health Industry

Having originally targeted retailers, hackers have grown increasingly interested in targeting hospitals and health care facilities to steal valuable information.

According to the Ponemon Institute, cyber attacks against hospitals doubled in the past five years, with the average data breach costing a hospital $2.1 million.

In 2015 alone, almost 100 million medical records were accessed by hackers who targeted US health insurance firms Anthem and Premera Blue Cross. The drastic rise in cyberattacks against hospitals and health care facilities is estimated to cost the health care system an average of $6 billion a year. Most of these attacks were found to be criminal in nature.

Another security report by Independent Security Evaluators (ISE) suggests that hospitals’ efforts in protecting patient health “do not address intelligent cyber threats.”

Most hospitals’ IT security underestimates the sophistication of intelligent cyberattacks, leaving them vulnerable and unprepared.

Hackers typically use information stolen from medical records to apply for loans, or commit identity theft to obtain free medical insurance under the victim’s name.

The Usual Suspects

Attacks may come from a number of people all at once, especially when you’re facing an intelligent cyber attack, and they might prove difficult to trace immediately. However, it is important to take note of the suspects who might pose a threat to the health care security system.

Who May Want to Attack

These are the usual suspects for cyber security threats in hospitals:

  • Cyber criminals — These people commit cyberattacks to breach data, then either sell the stolen information or use it for fraud.
  • Industry competitors and foreign intelligence services — These people may use valuable information to commit corporate sabotage and gain economic advantage.
  • Hackers — Hackers typically find joy in simply interfering with other people’s computer systems.
  • Hacktivists — These are hackers who tamper with websites to promote their ideology or a political cause.
  • Employees — Employees are the closest people with direct access to your computer system. They may interfere with your web servers, either by accident or deliberately.

Why Hospitals Are Susceptible to Cyber Threats

According to a security report by ISE, hospitals and health care facilities remain vulnerable to cybersecurity threats due to poor IT infrastructure. While the health care system is generally aware of the existing threats to its security, its current legacy system is not prepared for advanced threats.

Other findings from the investigation suggest that aside from theft of medical records that could be used for fraud or identity theft, cyber criminals could also cause serious harm or death to patients through the manipulation of medical devices, which could be accessed and controlled through hospital servers.

In the study, the researchers used a bypass attack to gain control of a patient monitor. They tampered with the monitor, making it emit false alarms and display wrong vital signs. This particular attack, if carried out in real life, could cause serious injury or death to the patient.

The study led to the formulation of a Patient Health Attack Model, a framework that visualizes potential cyber attacks that primarily affect the health of the patient. The primary attacks involve medical records, work orders, medicine, surgery, and blood transfusion and organ transplant, among many others.

For example, cyber attacks that alter medical records can cause unsuspecting nurses to administer the wrong medicine dosage to the patient.

Ted Harrington, researcher at ISE, blames hospitals’ lack of funding and training for healthcare’s vulnerability to cyber security threats. “We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, insufficient training, lack of policy, lack of network awareness, and many more. These vulnerabilities are a result of systemic business failures,” he said in an interview with The Register.

The Resurgence of Ransomware

Ransomware is the latest threat to the cyber security of healthcare systems. It has been around for a while now, but it is only recently that ransomware has found itself seeping through the IT security of hospitals and other healthcare facilities.

Ransomware is malware that locks your computer to prevent you from accessing valuable data. Hackers usually spread the malware through phishing attacks or download links.

Once the malware has reached your computer, the hacker encrypts your files, which can then only be accessed with a private key that only the intruder possesses. The victims will only discover that they’ve been infected once they realize that they cannot access the server.

The malware leaves a file on the server named ‘decrypt.html’ or ‘decrypt.txt’, which contains instructions on how the victims can pay to regain access to their computer.
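The note filenames above can serve as a simple detection signal. The following is an added example, not part of the original article: it scans file-creation events for those two names and flags hosts where notes appear in several directories within minutes. The event format, host names, paths and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Note filenames named in the article; other strains use other names.
RANSOM_NOTES = {"decrypt.html", "decrypt.txt"}

# Constructed file-creation events: "<timestamp> <host> <path>" (hypothetical format).
SAMPLE_EVENTS = r"""
2016-03-01T09:14:02 WS-RAD-01 C:\Users\tech1\Documents\decrypt.txt
2016-03-01T09:14:05 WS-RAD-01 C:\Users\tech1\Pictures\decrypt.html
2016-03-01T09:14:09 WS-RAD-01 D:\Scans\Ward 3\decrypt.txt
2016-03-01T09:20:00 WS-LAB-02 C:\Users\lab2\Desktop\decrypt.txt
2016-03-01T11:45:00 WS-LAB-02 C:\Tools\crypto\README.txt
2016-03-01T16:02:00 WS-LAB-02 C:\Users\lab2\Downloads\decrypt.txt
"""


def note_drops(log_text):
    """Group ransom-note creations by host as (timestamp, directory) pairs."""
    drops = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, path = line.split(" ", 2)  # the path itself may contain spaces
        p = PureWindowsPath(path.strip())
        if p.name.lower() in RANSOM_NOTES:
            drops[host].append((datetime.fromisoformat(ts), str(p.parent).lower()))
    return drops


def hosts_to_isolate(log_text, min_dirs=3, window=timedelta(minutes=10)):
    """Flag hosts where notes landed in >= min_dirs directories within `window`.

    One stray decrypt.txt may be a benign file; the same name appearing across
    many directories in minutes is the pattern worth acting on.
    """
    flagged = {}
    for host, events in note_drops(log_text).items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            dirs = {d for _, d in events[start:end + 1]}
            if len(dirs) >= min_dirs:
                flagged[host] = sorted(dirs)
                break
    return flagged


if __name__ == "__main__":
    for host, dirs in hosts_to_isolate(SAMPLE_EVENTS).items():
        print(f"ISOLATE {host}: ransom notes in {len(dirs)} directories")
```

On the constructed sample, only WS-RAD-01 is flagged; WS-LAB-02 has two notes hours apart and stays below the threshold.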

Hospitals and health care facilities have become the latest target for this malware due to their vulnerability. Medical records are of dire importance. Without access to the patient information such as their drug history, test results, and surgery directives, doctors cannot properly proceed in administering health care.

Significant delays can cause adverse effects, which makes hospitals more likely to pay the ransom compared to other business entities. The ransom is usually paid in Bitcoin, a type of digital currency that requires the use of encryption methods to verify fund transfers.

In February 2016, the Hollywood Presbyterian Medical Center in Los Angeles was infected with ransomware named Locky. The officials had to pay a ransom of $17,000 before they were able to regain access to their computers.

In 2014, the hackers behind the CryptoLocker strain extorted $27 million from business entities whose data they took hostage.

How to Reduce Cyber Attacks

To reduce cyber attacks, hospitals and health care facilities should look into placing security controls to protect themselves from cyber security threats.

Essential Cyber Tools

Here are some of the essential cyber tools that hospitals could use:

  • Boundary firewalls and internet gateways
  • Malware Protection — create malware defense
  • Patch management
  • Whitelisting and execution control
  • Secure configuration
  • Password policies
  • User access controls

How Hospitals Can Protect Themselves

When they get infected with malware, the safest course for hospitals is to shut down their network operations to prevent the infection from spreading further. Just like a human disease, a malware infection spreads fast, and if you do not act on it immediately, your entire network might become infected, causing greater damage than you probably think.

Victims of malware-infected systems should disconnect from their respective networks and turn off their Wi-Fi and Bluetooth to prevent the malware from spreading further. The malware could also lock USB sticks and external hard drives, so these should be disconnected from the infected computer as well.

Training employees in security awareness would also help, as ransomware is commonly introduced to network systems through phishing and sketchy links. By training doctors, nurses, and other hospital staff to be click-savvy, hospitals can reduce their risk of becoming a target of this crime.

Whitelisting computers will also help to prevent ransomware. Whitelisting involves taking note of all the legitimate applications that run on the computer and blocking any unauthorized use on the network.
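The whitelisting decision described above can be modeled in a few lines. This is an added example, not from the original article: it inventories a known-good install by SHA-256 and then allows or blocks a file by content rather than by name. The file names and contents are constructed, and the sketch models only the decision; enforcement belongs to the operating system's application-control feature.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not load into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(trusted_dir):
    """Inventory step: record the hash of every file in a known-good install."""
    return {sha256_of(p): p.name
            for p in Path(trusted_dir).rglob("*") if p.is_file()}


def execution_decision(path, allowlist):
    """Allow only files whose content hash is in the inventory."""
    digest = sha256_of(path)
    if digest in allowlist:
        return ("ALLOW", allowlist[digest])
    return ("BLOCK", digest[:12])


def demo():
    """Run the decision on constructed files and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp, "trusted")
        trusted.mkdir()
        (trusted / "ehr_client.exe").write_bytes(b"constructed EHR client v1")
        allow = build_allowlist(trusted)

        downloads = Path(tmp, "downloads")
        downloads.mkdir()
        # Same file name as the approved program, different content.
        lookalike = downloads / "ehr_client.exe"
        lookalike.write_bytes(b"constructed unknown program")
        # Approved content under a different name and location.
        renamed = downloads / "renamed.exe"
        renamed.write_bytes(b"constructed EHR client v1")

        return {
            "same_name_new_content": execution_decision(lookalike, allow)[0],
            "approved_content_renamed": execution_decision(renamed, allow)[0],
        }


if __name__ == "__main__":
    print(demo())
```

Matching on content means a file that merely reuses an approved name is still blocked, while an approved binary stays allowed wherever it is copied.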

Another way to avoid installation of malicious content is through configuring mail servers. Restricting permissions on mail servers and dividing them into smaller groups can prevent the rapid spread of a malware infection. In case one server gets infected, the other existing servers can immediately disconnect and save their respective files from getting locked.

Like any other business entity, hospitals will remain a common target for cyber security threats as long as stronger security tools are not in place. While increasing everyone’s awareness about cyber attacks will help, an upgrade in the IT infrastructure and training of IT professionals is what will truly help the healthcare system to enhance its security.

Hospitals administer healthcare to protect their patients from further harm. They, too, must be protected at all costs from cybercrimes that could not only cost them a fortune but ultimately, cost lives.


Originally published at www.aim.ph.