Slashdot Mirror
Why Are Hackers Increasingly Targeting the Healthcare Industry? (helpnetsecurity.com)
Slashdot reader Orome1 shares an article by Bitdefender's senior "e-threat analyst," warning about an increasing number of attacks on healthcare providers:
In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example fraud or identity theft. This personal data often contains information regarding a patient's medical history, which could be used in targeted spear-phishing attacks...and hackers are able to access this data via network-connected medical devices, now standard in high-tech hospitals. This is opening up new possibilities for attackers to breach a hospital or a pharmaceutical company's perimeter defenses.
If a device is connected to the internet and left vulnerable to attack, an attacker could remotely connect to it and use it as gateways for attacking network security... The majority of healthcare organizations have often been shown to fail basic security practices, such as disabling concurrent login to multiple devices, enforcing strong authentication and even isolating critical devices and medical data storing servers from a direct internet connection.
The article suggests the possibility of attackers tampering with the equipment that dispenses prescription medications, in which case "it is likely that future cyber-attacks could lead to the loss of human life."
If a device is connected to the internet and left vulnerable to attack, an attacker could remotely connect to it and use it as gateways for attacking network security... The majority of healthcare organizations have often been shown to fail basic security practices, such as disabling concurrent login to multiple devices, enforcing strong authentication and even isolating critical devices and medical data storing servers from a direct internet connection.
The article suggests the possibility of attackers tampering with the equipment that dispenses prescription medications, in which case "it is likely that future cyber-attacks could lead to the loss of human life."
I've worked a bit with the health industry (not as a career, thank god, that would be soul crushing), and outside of government health care has the worst IT and worst security I've ever seen. Because they just don't care unless it impacts their bottom line.
All those health apps that doctors and nurses uses, and all those devices? Yeah, they have terrible security because the hospitals don't make it a priority and they just don't care either. Class C medical devices that are PCs running windows XP with active USB ports? You bet.
Your online records? Those are handled by outsourced people running cobbled together Ruby scripts that take 30 hours to process 24 hours worth of data in plaintext csv (I use that because I've seen it)- they certainly don't care about security. Your insurance company? They certainly don't give a damn whether you live or die as long as they're raking in the cash.
All they care about is preserving the appearance of not violating HIPAA because that might cause them some grief.
The healthcare industry has *always* held massive amounts of data on you. Of all the sweeping changes made by ACA, this is not one of them.