Cyberattacks on hospitals represent the true security nightmare scenario. They combine privacy risks far more severe than attacks on the largest banks or retailers with life-and-limb risks that rival remote takeovers of nuclear power plants and cars. An attacker could change the type and quantity of a prescribed drug, steal and sell intimate medical details and change test findings, which could trick physicians into prescribing incorrect and deadly drugs.

Such attacks are no longer hypothetical, with successful penetrations being reported again and again and again. And although the attackers can make quite a bit selling the stolen personal information—identity thieves are a growing market and hospitals need to keep medical history going back many years—they are now opting for demanding ransom from hospital administrators. Some hospitals are paying the ransom, which will guarantee that we'll be seeing a lot more of these attacks.

The problem behind this problem is that hospitals tend to have weaker security than almost any other vertical, especially when the value and danger associated with hospital files and systems are calculated. The oldest security truism is that the level of security needs to be tied to the value (to bad guys) of whatever is being protected. Most hospitals don't even come close.

Why? The medical profession in general is resistant to change, especially for technology. Consider how many medical offices are still resisting and avoiding converting stacks of paper folders into electronic medical records.

But the real problem, to be candid, is doctors. Doctors are the weakest security link. These highly trained professionals tend to not like authentication, preferring to have a medical assistant fill out prescription orders. If insurers insist that the doctor herself must perform such duties, doctors often share passwords instead of taking on those duties. Not all, but enough to weaken security.

When making rounds in hospitals, the advantages to a physician of carrying one light tablet to access patient medical tests and other records are massive. And many doctors are now doing that because it makes their jobs easier. And it's not merely an advantage for physicians, as it delivers better care for patients, more efficient visits (happy insurance companies) and more patients cared for per hour (happy hospital management).

Tablets make for better patient care but at increased risk.

But that has caused more instances of the tablet—fully logged-in—being absent-mindedly left in a patient's room. As insecure as paper folders with medical records sitting outside a patient's room were, the exposure was limited to one patient. A thief who finds that logged-in tablet will often have full run of the hospital's network, with access only limited by that doctor's privileges.

Another security problem with doctors is that they tend to believe (correctly) that they are immune to punishment. What major hospital would deprive a world-renowned heart surgeon of visiting privileges because she won’t comply with IT’s authentication rules?

Regardless of how bad these situations are, the ransom situations are worse. Consider the Kentucky hospital ransom attack linked earlier. Like other attacks, the method involves penetrating the hospital's systems, encrypting as many files as possible and then offering to sell the decryption key to the hospital for as much money as they can extort.

The attack can be done externally, but external attacks can be dealt with by isolating where change/delete commands can be given. Such commands—as opposed to read—should be limited to commands issued within the network, physically inside the hospital. This kind of isolation would allow doctors unlimited access to review files remotely, but they would have to wait until they were inside the hospital to update records. It's not ideal, but it's a reasonable compromise for security and patient privacy.

The network also should have had restrictions on how many patient records could be accessed without additional approvals. The fact that these attackers can encrypt entire databases with no explicit approval is frightening and can be dealt with.
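The two controls described above, write commands accepted only from inside the hospital network and a cap on how many patient records one account can touch without further approval, can be sketched as a single request gate. This is an added example, not code from the column or from any hospital system; the class name, the `10.20.0.0/16` range, the three-record threshold and the sample events are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed policy values, constructed for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # hypothetical on-premises range
MAX_RECORDS = 3        # distinct patient records per user per window without approval
WINDOW_SECONDS = 3600
WRITE_ACTIONS = {"update", "delete"}

class RecordGate:
    """Decides allow / deny / hold for each patient-record request."""

    def __init__(self):
        self._history = defaultdict(deque)  # user -> deque of (timestamp, patient_id)

    def decide(self, user, action, patient_id, source_ip, now, approved=False):
        if action != "read" and action not in WRITE_ACTIONS:
            return "deny"  # fail closed on anything unrecognised
        addr = ipaddress.ip_address(source_ip)
        internal = any(addr in net for net in INTERNAL_NETS)
        # Rule 1: change/delete commands only from inside the hospital network.
        if action in WRITE_ACTIONS and not internal:
            return "deny"
        # Rule 2: cap how many distinct records one account touches per window.
        history = self._history[user]
        while history and now - history[0][0] >= WINDOW_SECONDS:
            history.popleft()
        distinct = {pid for _, pid in history}
        if patient_id not in distinct and len(distinct) >= MAX_RECORDS and not approved:
            return "hold"  # needs additional approval before proceeding
        history.append((now, patient_id))
        return "allow"

def replay(events):
    """Run constructed (user, action, patient, ip, time) events through one gate."""
    gate = RecordGate()
    return [gate.decide(*event) for event in events]

# Constructed sample traffic: a remote doctor, then an on-premises account
# that starts rewriting many records in quick succession.
SAMPLE_EVENTS = [
    ("dr_a", "read",   "p1", "203.0.113.5", 0),
    ("dr_a", "update", "p1", "203.0.113.5", 10),
    ("dr_a", "update", "p1", "10.20.4.7",   20),
    ("svc",  "update", "p1", "10.20.9.9",   100),
    ("svc",  "update", "p2", "10.20.9.9",   101),
    ("svc",  "update", "p3", "10.20.9.9",   102),
    ("svc",  "update", "p4", "10.20.9.9",   103),
    ("svc",  "update", "p5", "10.20.9.9",   104),
]
```

The last two events are held even though they originate on-premises, so the record cap is the control that still applies once a request passes the network check.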

Unfortunately, attackers have a way around the internal restrictions. That workaround is to simply trick a hospital employee—or anyone with network access who is physically at the hospital—into opening an attachment, such as a Microsoft Word attachment to an e-mail. IT training people to never open attachments unless they were expecting them is fine, but the attacker needs only one in 2,000 people to open the attachment and the attacker is successful.

Attackers are also getting trickier. One recent attempt to con a bank into authorizing a bogus payment leveraged a LinkedIn search so that the attacker could send a message that appeared to come from the CFO. They only failed because the recipient knew the sender and thought the phrasing sounded suspiciously unlike the CFO. But such tactics are likely to deliver that one attachment opener to penetrate the network.

That Kentucky hospital fought back effectively, opting to not pay the ransom and to instead shut everything down while doing a full restore from backups. Cyberattackers are undoubtedly going to modify their attacks accordingly. For example, they could silently break in and maliciously change various records and then stay silent until multiple rounds of backups have completed. That way, they have infected the backup copies as well. The ransom would then be to get the decryption key as well as a map of where all changes were made in the backups and the current system.

Hospitals need to take security much more seriously, starting with sophisticated software to detect and prevent malware before employees have a chance to make a mistake. And as those hospitals start standardizing on the same few EMR tools, a vulnerability in any one of these third-party tools could mean a mass exploitable hole in hospitals’ systems. So, healthcare institutions also need programs to ensure the software they are buying is secure, and the software they build themselves does not have vulnerabilities.

About Evan Schuman

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for, RetailWeek, Computerworld and eWeek and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution. 
