On Monday, May 15, roughly a fifth of all health care facilities in the U.K. suffered a massive ransomware attack, which forced doctors and nurses to administer care without the technology many have come to rely on. In some cases, patients were turned away as facilities scrambled to regain control of their devices. As yet, it is unknown whether the attack will have lasting effects either on medical technology or on untreated patients, but at least security professionals the world over learned an important lesson: The health care industry needs protecting.
Why the Health Care Industry Is a Major Target
To the naïve, it seems that hospitals should be relatively safe from cyber attack. For one, they are institutions that benefit everyone, including prospective attackers, so making their machines unworkable or forcing them to shut their doors seems illogical. For another, it doesn’t seem that hospitals should have the resources cyber-thieves might want; criminals can’t traffic drugs and tools through the web, and information about broken legs and burst appendixes seems useless.
In truth, hospitals and other health care facilities are incredibly data-rich, and every bit of personal data can fetch an astonishingly high price on the right markets. In addition to in-depth patient histories, which can sell for 10 times the price of credit card numbers, healthcare centers retain personal data like phone numbers, addresses, financial information, and government ID numbers like social security numbers.
Furthermore, hospitals are remarkably easy targets. A hospital tends to be an enormous operation, with large networks of computers and machines; thus, updating is an arduous affair. Many health care organizations choose to continue providing services rather than update their devices, which introduces vulnerabilities and risk to their cyber security systems. Compounding this issue is the open physical access most health care facilities maintain, which gives hackers better access to wireless networks and even wired machines.
Finally, hospitals are excellent targets for malware attacks and, particularly, ransomware attacks because their administrators can quickly become desperate to have their systems back online. In the few weeks it has ravaged machines and systems around the world, the ransomware that crashed so many U.K. health care centers in early May earned over $80,000. Considering how many devices it infiltrated, that number is low, but it proves that many users are willing to pay to regain their data. Health care professionals are even more eager to reinstate operations as usual, so malicious hackers target health care facilities to take advantage of patients’ pressing need for care.
Why Existing Practices Aren’t Enough
Most hospitals have physicians and nurses, janitorial staff and lab workers, and absurd numbers of administrators, but few have anyone working full time on IT. In many health care facilities, no full-time worker is dedicated to monitoring the myriad digital threats now emerging and safeguarding hospital systems from possible attack. As a result, by necessity, hospital cyber security has become reactive instead of protective; with no security professional building safety into hospital systems, health care centers can only add security after an incident occurs and reveals a vulnerability.
Additionally, existing regulations fail to address glaring weaknesses in hospital security. Though many countries enact laws about patient privacy (HIPAA in the U.S.), most are embarrassingly outdated and generally fail to protect the bulk of electronic patient files. Either lawmakers must work to modernize compliance rules or hospitals must take the initiative to exceed existing standards and protect confidentiality without updated regulation.
Why Health Care Cybersecurity Must Act Now
Experts believed that 2015 was the year of the healthcare breach, but in 2016, attacks on health care institutions increased by more than 63 percent. Now, 2017 has already seen the biggest malware attack on record, and the bulk of the damage was done to hospitals and health care facilities. Cyber criminals are gaining skills faster than hospitals are reacting to attacks, and soon, centers lacking the best cyber security will succumb to rampant data breaches and system shutdowns. The fewer large health organizations that adopt smart and safe cyber practices, the more malicious hackers will be attracted to these monumental sources of data, and the worse patients and health care workers will have it.
The sooner the health care industry stops merely reacting and starts proactively protecting its data, and thereby its patients, the sooner criminals will move on to easier and less universally destructive prey. Therefore, security professionals and health care institutions must begin taking health-related cyber security more seriously.