Q&A: Why health care remains a target to cyberattacks like WannaCry
Earlier this year, hackers executed a worldwide ransomware attack that has impacted more than 100 countries and infected tens of thousands of computers. More than 30 hospitals, doctors’ offices and ambulance companies across the United Kingdom’s National Health Service were affected by the cyberattack. Doctors and nurses were unable to access patients’ records and patients had to be turned away from treatment on occasion.
Just this week, Henry Ford Health System reported a data breach that may include information for nearly 20,000 patients. While it is unclear the impact of the information affected in this most recent attack, it is a reminder of the important role cybersecurity plays in medicine.
The ransomware exploited a vulnerability in outdated versions of Microsoft Windows allowing hackers to target corporations that do not automatically update their systems. WannaCry locks users out of their computers and demands payment – particularly in electronic currency like bitcoin – from victims hoping to regain control of their data.
Healio spoke with Zuly Gonzalez, co-founder and CEO of Light Point Security, to discuss why health care institutions are becoming targets for hackers and what information cyberattacks are targeting. The Baltimore-based cybersecurity company developed the concept of “remote browser isolation” to prevent ransomware and other web-based malware from infecting an organization. Prior to co-founding Light Point Security, Zuly spent more than a decade serving the nation as a cybersecurity expert at the National Security Agency. Zuly is a frequent speaker at technical and cybersecurity forums, and has written for, and been cited in national and international technology publications. Zuly also serves on the board of the Maryland Cybersecurity Council.
Question: Why are health care systems, hospitals and private practices becoming increasingly targeted in online extortion attempts?
Answer: Because health care systems are easy targets and their data is so valuable. Historically, the health care industry has greatly under-invested in security. Their main priority is compliance, which is not the same thing as security. Generally speaking, health care organizations have weak security defenses, especially when compared to other industries including retail and manufacturing, and the bad guys know this. This makes health care organizations a bigger target, because the bad guys have a greater chance of success.
Also, health care organizations are known to pay the ransom because their priority is getting their networks back up as quickly as possible. This causes cyber criminals to target health care organizations. Successfully infecting an organization with ransomware is only the first step. If the organization doesn’t pay the ransom, the cyber criminals get nothing out of it, so they’re more likely to target those institutions they believe will pay up.
Q: What makes a health care system, hospital or private practice a target?
A: In addition to their weak security defenses, data stolen from health care organizations is extremely valuable. It is 10 times more valuable on the black market than credit card data, because it is a very complete data set and it is data that can’t easily be changed. It goes beyond date of birth and social security number. Patient information also includes name, address, financial information, credit card information, medical history and prescriptions. The most valuable information is the information that is hard or impossible to change, like your social security number. Information that can be easily changed, like credit card numbers and passwords, is less valuable because it has a shorter life span.
Q: Other than trying to gain access to personal information, could hackers try and render hospital services useless by shutting down servers as well as medical equipment to make it harder to treat patients and increase extortion amounts to turn these devices back on?
A: Yes, definitely. This happened to MedStar Health – a Maryland-based health care system – when they were infected with ransomware last year. It was reported that when the ransomware took down their network, they were unable to provide radiation treatment to cancer patients for days. Not being able to provide cancer treatment is a huge deal. But if ransomware takes down the network in the emergency room where people are showing up with critical injuries and every second is precious, the stakes are even higher. Sadly, it could result in loss of life.
Q: Do health care institutions lag in the adoption of new technology and, therefore, security? If so, why is that the case?
A: Yes. The reason for that is that a health care organization's priority is delivering quality care. Everything else takes a back seat to that. Budgets and resources are prioritized accordingly, so IT and security budgets are too small to properly protect the organization. The irony is that IT and security do impact patient care. If the network is down due to a ransomware attack, then the organization is unable to provide quality care to patients. It's an issue of missing the bigger picture because of being too focused on what's immediately in front of them.
Q: What types of products being offered by cybersecurity companies are not helpful or may even be counterproductive?
A: I'm skeptical about security awareness training. Humans are the weakest link in any organization, so the concept of training your employees to identify malicious emails and links sounds great on the surface. And from what I’ve seen these programs usually are successful in reducing the number of phishing emails employees click on. My issue is that it only takes one employee to click on one malicious link to take down the entire network. So even if the security awareness training is successful in reducing the number of phishing emails employees click on to a mere 1%, I see it as an ineffective use of an organization's security budget because the end result is the same whether the organization has 1% of employees clicking on malicious links or 60% of employees doing so – the network will be compromised. – by Ryan McDonald
For more information:
Zuly Gonzalez can be reached at email@example.com.