Hospitals are scary places. Besides the obvious health implications, highly valuable data is flowing between patient and health care professionals, between those professionals, to and from insurance companies and even between machines. The scary part is that it appears to be haphazardly protected.
Ars Technica looks at the disturbing trend of ransomware attacks on health care facilities. The approach – audacious hackers encrypting vital databases and only providing the decryption key after a random is paid – seems to be getting worse. MedStar lost some systems in its Baltimore hospitals and a new strain of ransomware code apparently aimed at hospitals has been detected by Cisco Talos Research. Things are not going well elsewhere, either:
March has not been a good month for hospital IT. Last week, staff at Methodist Hospital in Henderson, Kentucky paid a ransom to restore the hospital's systems, reportedly of $17,000—though sources familiar with the episode say the hospital paid much more. And in California, two hospitals operated by Prime Healthcare Management, Inc. were forced to shut down systems. The Prime ransomware attack also caused disruptions of service at several other hospitals and at affiliate care providers as shared systems were taken offline.
Ransomware, as frightening as it is, is only part of the overall set of security problems facing health care. Another is that providers’ devices are not secure. Becker’s Health IT & CIO Review reported on a collection of statistics provided by Skycure, a security firm. Among them was the fact that 80 percent of physicians use mobile devices in their daily practices. Of these, only 56 percent present minimal or low risk. The rest are non-marginally insecure: 41 percent are associated with medium risk and 2 percent with high risk.
Earlier this year, Kaspersky highlighted researcher Sergey Lozhkin’s presentation at its Security Analyst Summit, in which he described how he hacked an unnamed hospital. His penetration testing proved that the center held in one respect: Lozhkin was not able to get into the system remotely. But he visited and found that the Wi-Fi at the hospital was open and he could simply do what he wanted. The report is quite sobering.
The good news is that the right people are paying attention. On January 15, the U.S. Federal Drug Administration released draft guidance for medical device manufacturers related to cyber security. It includes an acknowledgement up front that no silver bullet exists:
While manufacturers can incorporate controls in the design of a product to help prevent these risks, it is essential that manufacturers also consider improvements during maintenance of devices, as the evolving nature of cyber threats means risks may arise throughout a device’s entire lifecycle.
The back and forth between crackers and those on the other side will go on forever. The willingness of crackers to attack hospitals is disappointing and frightening. It is, however, a fact of life with which the industry must aggressively deal on a daily basis.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.