How and why medical facilities are targeted by hackers

One of the most worrying recent cybersecurity statistics is the prevalence of attacks conducted against medical facilities. According to a Cybersecurity Ventures prediction, ransomware attacks against healthcare organizations are expected to increase to an unprecedented level by 2020, reaching four times the figure of 2017.

While cybercrimes are not to be taken lightly in any sphere, in healthcare they are particularly devastating. The losses this sector suffers per data breach exceed those of other industries: it has been determined that the cost of one patient record being lost to the attackers averages $408.


At the same time, around 4 million records are usually affected by a single breach. This number, however, can soar much, much higher: in the 2015 attack on Anthem medical insurance company, as many as 80 million records were stolen. This accounts for almost one-quarter of the US population.

The math here is as simple as it is shocking: even a “small” data breach can lead to billions of dollars being lost.

Most common cyberattacks on healthcare

So how do hackers attack medical facilities? Even though there are a lot of individual tactics and kinds of malware, most attacks fall into one of two categories:

Data breaches

A data breach is a cyberattack that happens when a perpetrator gains unauthorized access to the network of a medical facility. This way, they can see and use patient records including their personal health information for nefarious purposes.

It can be done via various means, but a lot of them require human error on the part of a staff member.

Whether it is spear phishing or a fake software scam, data breaches rely on employees not being sufficiently trained in cybersecurity and clicking malicious links, putting too much information about themselves on their social media, or having weak passwords.

A data breach is dangerous because a long time may pass before it’s noticed by the personnel and countermeasures can be undertaken. Every day of the breach not being identified brings additional losses to the facility.

Ransomware attacks

Unlike data breaches, ransomware attacks do not try to be clandestine. On the contrary, they rely on being as visible as possible.

A ransomware attack is essentially an attempt to extort money from a medical center by blocking its access to its patient files. This is done with the help of encryption malware that is often delivered to the targeted system thanks to the same mistakes made by employees.

A recent example of such an attack on a medical facility is the Estes Park Health cyberattack that happened this June. It is telling that even though the health center had paid the perpetrators to unblock its files, it soon found more encrypted data on its servers. The access to it had to be bought from the criminals separately.

Healthcare in the reticle: Why medical facilities are such enticing targets

There are a few reasons for such rapid growth in cyberattacks on healthcare as we have been experiencing for the past few years. Some of them have to do with the nature of this sphere itself while others could be avoided if not for the happy-go-lucky approach to cybersecurity that a few medical facilities take.

1. The abundance of personal information

One of the biggest reasons why cybercriminals target medical centers more frequently is the money to be made. Stealing random people’s medical records may not sound like a very lucrative enterprise but it is, and in more than one way.

First of all, there is a market for personal data. Of course, it is not legal, but neither is breaching databases. Everything from landline and mobile phone numbers to credit card information has its price, and hackers steal, as was mentioned, millions of records at once.

Retirement communities and nursing homes are among the primary targets for this reason. Since many of their patients have no immediate family and the financial side of their lives has to be handled by the personnel, there is a lot of sensitive data to be stolen from those facilities, including but not limited to credit card credentials.

On the other hand, patients’ personal information can also be used to demand ransom from them, as the attackers who commit a data breach know a lot about them: their home addresses, family members, possibly their financial standing, as well as the reasons for visiting the facility. In some cases, mostly ones that involve conditions such as STDs that a person may wish to keep secret from their family and acquaintances, it makes for a perfect opportunity for extortion.

2. The necessity to provide immediate help

Whenever a ransomware attack occurs, there are talks of whether it is morally acceptable or not to comply with the hackers’ demands. It’s unlikely that an unambiguous answer to this problem will ever be found in most industries.

Healthcare is different, however. There is an immediacy in it that is seldom present in other spheres. If the medical staff has no access to an emergency patient’s records, they have no time to wait for a solution that won’t be seen as weak. When human life is at stake, the hospital has a very strong incentive to just give in to the attackers’ demands and pay the ransom as quickly as possible.

Hackers know it and are not ashamed to use it.

3. The lacking cybersecurity

Unfortunately, healthcare is not a sector where cybersecurity is taken as seriously as it should be. According to the Public Health Emergency report, problems stem from cybersecurity being viewed as a reactive thing instead of proactive.

This is why cybersecurity departments of medical facilities, per the same report, are often underfinanced and understaffed, which leads them to rely on legacy devices and generally leaves them incapable of preventing a serious problem.

4. The growth of IoT-based medical appliances

The IoT has entered all spheres of our lives, healthcare included. Telehealth and connected medical devices make the lives of both doctors and patients so much more convenient that it is beyond doubt that these technologies will continue to spread.

As wondrous as the Internet of Things is, it is another industry with lacking security measures. The inadequacy of smart device security has been pointed out as a “top concern” of 2019 by F-Secure. Smart devices often lack safety options that are present in traditional computers, and some do not even provide their users with the ability to change the factory password.

In an environment where IoT devices are plentiful, there is also a danger posed by their design. Some of them may come in the form of a box with little to no markings on it that would allow determining what it even is.

Combined with the already less-than-optimal cybersecurity conditions in healthcare, it only adds to the number of ways in which bad actors can breach a system.

Some ways to prevent cyberattacks on healthcare organizations

As was mentioned, many security breaches in the medical sector can be attributed to poor cybersecurity practices exhibited by its workers. Indeed, not even the most advanced antivirus will protect the system if a staff member deliberately turns it off to open a suspicious file they got from an unknown source.

To counter this, it’s necessary to train employees to recognize and avoid threats. While it may be a pricey solution, there is simply no other one. Furthermore, the costs are going to be much higher if such a measure is not taken.

To prevent ransomware attacks, it is sensible to keep all important data backed up on devices that have no connection to the Internet and the organization’s intranet. This way, if an attack happens, patient records and other sensitive data can be easily recovered from this unaffected source. Obviously, such backups must be regularly updated to contain the most recent information readily available to the doctors.

Another cybersecurity concern is related to the IoT. Not just in healthcare but also in all other industries, a more security-oriented approach needs to be taken. Is it possible to achieve that while keeping governmental regulations to a minimum? Time will tell. However, with the growing number of attacks on IoT devices, it is safe to assume that developers will take action at some point.
