The Healthcare Industry Currently Faces A Growing Cyber Security Crisis
Hospitals are where you go to get healthy, but they are increasingly becoming playgrounds for hackers, owing to weak cyber security measures. A couple of weeks ago, the networks of the Hollywood Presbyterian Medical Center, a California-based hospital, were held hostage, reportedly to the tune of 9,000 bitcoin or over $3.6 million.
This isn’t a unique problem. In fact, a Forrester report from late last year predicted that such occurrences would begin happening with increasing regularity. According to a 2015 blog post, the research firm predicted that “2016 will be the year we see ransomware for a medical device or wearable.”
Image 1: Main building of the Hollywood Presbyterian Medical Center
What happened in California isn’t exactly that, but it’s very close and similarly destructive. In this case, hackers gained access to the hospital’s network and locked the employees out via ransomware, making it impossible for any employee to access the network until the attackers gave the okay. Anyone can fall prey to ransomware through seemingly innocuous actions, such as downloading an unassuming attachment.
But, as predicted by Forrester and highlighted by this saga, healthcare institutions are way behind the cyber security curve. Ethical hackers have proven over the last few years how easy it is to get into a health care network and wreak havoc. One team was in fact able to gain access to an entire hospital’s network, which, writes Kaspersky Lab, gave them “access to pretty much everything inside, including a number of devices for data storage and analysis.” This happened because the network infrastructure was not properly set up.
In short, the healthcare industry is beginning to show signs that it’s not properly protected from digital attacks. And the repercussions are myriad: patients lose their privacy, health care businesses lose their data, and institutions are held hostage.
Healthcare Companies Need To Enforce Strict Cyber Security Controls
This incident will hopefully serve as an industry-wide wakeup call. Healthcare companies deal with terabytes of personal and private information, and our data shows a great need for cyber security improvement.
For instance, according to our numbers:
- 26.5% of all healthcare companies in the last thirty days had some sort of malware infection reported.
- Some of the bigger healthcare companies, in fact, saw more than 200 infections in their system in that period.
- Beyond malware, over 10% of these companies had email credentials showing up on marketing lists, meaning it’s likely an employee will fall prey to a phishing attack.
Undoubtedly all companies wish to keep their data secure, but our findings show some real industry-wide pitfalls. We also looked at individual hospitals, and found similarly poor results.
In only a few minutes of searching, we were able to see a few compliance issues at a hospital in a major city.
Image 2: ISO questionnaire showing compliance issues using the SecurityScorecard Platform
Continuous Monitoring as First Line of Defense
In a perfect world, these issues wouldn’t exist. But the next best thing any business can do is check regularly for problems as they arise. The only way to handle the constant barrage of cyber security needs is to always be on the ball. The numbers show a need for greater cyber security awareness in the healthcare space. All of the problems we found were potential ways hackers could capitalize on poor security practices. Our platform allows customers to plainly see what sort of issues arise, making a fast response possible.
In the cyber security space there’s no panacea. But with the right tools, problems can be alleviated swiftly. The only way to be ahead of the curve is to integrate solutions that look from the outside in.
In the coming years we are sure to see more examples of digital attacks on healthcare. This is surely a wakeup call for the numerous industries that handle private data. At the same time, it’s important to make sure all your bases are covered. Don’t end up like the hacked hospital, forced to pay hackers. Instead, adopt a security-first culture and keep an eye on your scorecard.