Put yourself in the mindset of a cybercriminal for a moment. Up to now you’ve been targeting personal computers and phones with ransomware, making some fast bucks here and there, but you want to go after a bigger target on a grander scale. You want a quick but sizable payoff before moving on to the next victim. What type of organization would you target? Ideally it would be:
So what type of organization comes to mind? How about a hospital? Hospitals deal in data of the highest value possible, the value of life or death. Sometimes this data is only relevant for a brief window of time and must be used within minutes of its generation. Although hospital staff are often highly educated and experienced in meeting HIPAA compliance requirements, they are relatively new to the concept of cyber security. They also deal with a plethora of medical computing devices, many of which have no centralized management capabilities to ensure proper patching procedures.
And these are the very reasons why hospitals have been victimized by cyberattacks with greater frequency recently.
Unsure of what to do, the hospital initially contacted the LA police department. Eventually the FBI was brought in, and shortly afterwards the hospital paid the attackers a ransom of $17,000 in bitcoin. Hospital Chief Executive Allen Stefanek told the LA Times, "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key." For a hospital, paying a ransom can often be a lot cheaper than risking substantial payouts in possible lawsuits from patients.
Unfortunately, Hollywood Presbyterian Medical Center wasn’t an isolated incident.
To say that ransomware is a growing threat would be an understatement. According to the FBI, agents investigated 2,453 attacks in 2015 that cost targets $24.1 million. But the reason why hospitals find themselves battling malware isn’t always apparent.
According to the Cisco Talos Security Intelligence and Research Group, hospitals are a rich environment for malware because so many of their applications and devices go unpatched.
2) Outsourcing & mismanagement.
In addition, large IT projects are often outsourced and then forgotten about. As a result, malware finds its way into hospital networks even though they may not have been directly targeted. In one example, the heart monitors at one hospital kept rebooting after being infected with the Zotob worm. These vulnerable devices became inoperative.
3) No penetration tests or risk assessment.
Although many of the typical medical devices found in a hospital run Windows, many of them are delivered in a locked-down state, preventing the hospital from upgrading or updating them. Many devices come with only default admin accounts that can’t be modified. What’s more, many medical device manufacturers don’t perform penetration testing or risk assessments of their systems.
Fortunately, new FDA guidelines are pushing medical device manufacturers to patch long-neglected software. Many additional steps are needed, however, because, like so many organizations, hospitals are embracing technology more and more and must learn how to deal with the inherent threats of being a technology-driven organization.