Online threats against healthcare organizations are currently one of the biggest cybersecurity issues. A reported 100-million-plus total medical records have been compromised, according to IBM’s 2016 Cyber Security Intelligence Index. How could a hacker profit off of accessing someone’s medical records? Simply put: ransomware.
The use of ransomware shows enough evidence of a hacker being hard-hearted on its own, but healthcare ransomware suggests an entirely different level of depravity. Hospitals that have been struck by ransomware attacks have found themselves unable to access critical patient records, leaving the administration with little choice but to pay the ransom in order to protect their patients.
Of course, medical records contain other bits of information that hackers would certainly be able to find some nefarious use for. Financial details, home addresses, and social security numbers are all often present within these records, handing the cyber criminal a blueprint to steal your identity.
One particular hacker with the handle “TheDarkOverlord” recently put over 650,000 patient records up for sale on the dark web. TheDarkOverlord was able to obtain these records by taking advantage of some vulnerability in a particular implementation method of remote desktop protocols, before accessing the databases containing the medical records. Rather than posting them for sale immediately, TheDarkOverlord offered each of the affected companies information as to the nature of the vulnerability. Naturally, the hacker demanded money for the vulnerability.
It was only when each of the three companies (one located in Farmington, Missouri, one in Georgia, and one somewhere in the Central/Midwest region) refused to pay, that TheDarkOverlord put the databases up for sale on a dark web marketplace. The Georgia haul has apparently already brought the hacker some money; a buyer purchased all of the insurance records for patients covered by BlueCross/BlueShield from the organization located in Georgia. In a markedly ominous statement, TheDarkOverlord had a message to deliver to these companies:
“Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”
Additionally, there have been hacking intrusions into the hospital networks themselves, allowing the hackers to not only steal the medical and financial records hospitals keep on their patients, but also to interfere with the medical devices that sustain many patients. As a result, these attacking criminals are capable of potentially turning off or altering the settings of devices that are being used to keep patients alive, be they full life-support systems or intravenous medication dispensers.
For doctors and hospital administrators, the consequences of these circumstances must be terrifying to consider: after all, they are stuck paying a ransom to avoid facing a malpractice lawsuit.
However, when all of the factors that make healthcare organizations such valuable targets are considered, the lack of preparedness for these attacks that the overwhelming majority of organizations have is astounding. Some of this lack of preparation is almost understandable; after all, hospitals may not have the capability to fully back up all of the data that is produced every day, making it a relatively frightening concept. What’s worse is that 25 percent of those polled have no means of determining whether or not they had been a potential victim of a ransomware attack.
So how can hospital systems (or any industry’s systems, for that matter) be better defended against such attacks? As a high-value target, a healthcare system will almost certainly be targeted eventually. This is especially probable considering that most small businesses will be attacked as well. Therefore, it is in the best interest of any organization to implement a solid plan to defend against these consequences.
Has your IT shown symptoms of security vulnerabilities? To fill your prescription for best practice guidelines, be sure to visit Quikteks’ blog regularly.