Slashdot Mirror


Why Are Hackers Increasingly Targeting the Healthcare Industry? (helpnetsecurity.com)

Slashdot reader Orome1 shares an article by Bitdefender's senior "e-threat analyst," warning about an increasing number of attacks on healthcare providers: In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example fraud or identity theft. This personal data often contains information regarding a patient's medical history, which could be used in targeted spear-phishing attacks...and hackers are able to access this data via network-connected medical devices, now standard in high-tech hospitals. This is opening up new possibilities for attackers to breach a hospital or a pharmaceutical company's perimeter defenses.

If a device is connected to the internet and left vulnerable to attack, an attacker could remotely connect to it and use it as a gateway for attacking network security... The majority of healthcare organizations have often been shown to fail basic security practices, such as disabling concurrent login to multiple devices, enforcing strong authentication and even isolating critical devices and medical-data-storing servers from a direct internet connection.

The article suggests the possibility of attackers tampering with the equipment that dispenses prescription medications, in which case "it is likely that future cyber-attacks could lead to the loss of human life."
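The summary lists "disabling concurrent login to multiple devices" as one of the basic practices hospitals skip. The following is an added example, not code from the article or from Bitdefender, showing how a detection for that failure looks when run over authentication logs: it replays login/logout events and flags any account that holds sessions on more than one workstation at the same time. The log format, user names and host names are constructed for the example.

```python
"""Flag accounts logged in on more than one workstation at once.

Added example. The log format below (timestamp user host event) and every
user and host name in it are constructed; adapt parse_log() to the real
source (Windows security events, Kerberos logs, an EHR's own audit table).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2016-03-01T08:00:00 nurse.a WS-ICU-01 login
2016-03-01T08:05:00 nurse.a WS-ICU-02 login
2016-03-01T08:10:00 dr.b    WS-RAD-01 login
2016-03-01T08:30:00 nurse.a WS-ICU-01 logout
2016-03-01T08:35:00 dr.b    WS-RAD-01 logout
2016-03-01T08:40:00 dr.b    WS-RAD-02 login
2016-03-01T09:00:00 nurse.a WS-ICU-02 logout
"""


def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, user, host, event), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, event = line.split()
        events.append((datetime.fromisoformat(ts), user, host, event))
    events.sort(key=lambda e: e[0])
    return events


def find_concurrent_logins(events):
    """Replay the session state and report every login that leaves a user
    active on two or more hosts. Returns a list of (user, hosts, timestamp)."""
    active = defaultdict(set)   # user -> hosts with a live session
    findings = []
    for ts, user, host, event in events:
        if event == "login":
            active[user].add(host)
            if len(active[user]) > 1:
                findings.append((user, frozenset(active[user]), ts))
        elif event == "logout":
            active[user].discard(host)
    return findings


def deny_concurrent_logins(events):
    """Enforcement variant: with a single-session policy, return the logins
    that would have been refused because the user was already active elsewhere."""
    active = defaultdict(set)
    denied = []
    for ts, user, host, event in events:
        if event == "login":
            if active[user] and host not in active[user]:
                denied.append((user, host, ts))
                continue            # refused: state does not change
            active[user].add(host)
        elif event == "logout":
            active[user].discard(host)
    return denied


if __name__ == "__main__":
    for user, hosts, ts in find_concurrent_logins(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user} active on {sorted(hosts)}")
```

In the constructed log only nurse.a trips the check (two ICU workstations between 08:05 and 08:30); dr.b logs out of one workstation before logging into the next, so a single-session policy would not have refused anything for that account. Whether the right response is to refuse the new login or to terminate the older session is a policy choice; the two functions show both readings.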

15 of 111 comments

  1. of course by turkeydance · · Score: 5, Insightful

    that's where the money is today.

    1. Re:of course by Fire_Wraith · · Score: 5, Insightful

      It's a combination of three things, most of which have been touched on in various posts by others here:

      1: There's a lot of money in it.
      2: The healthcare industry can't afford downtime or failures, so they pay up quickly.
      3: Insurance covers a lot of it.
      4: Generally poor security practices make it easier, on top of all that (typical of an industry that hasn't been targeted a lot in the past, their security is focused on other things, to the extent they have it).

      So in summary, it's a relatively large/easy target, with lots of money, that can't afford downtime. The only surprising thing is that it took this long to become a target.

    2. Re:of course by Fire_Wraith · · Score: 2

      And by three, I mean four.

      You know what they say - there are only two hard things in computer science: cache invalidation, naming things, and off by one errors. ;)

    3. Re:of course by NotQuiteReal · · Score: 2

      Nobody expects the Spanish Inquisition!

      --
      This issue is a bit more complicated than you think.
  2. Seems pretty cut and dried, if you ask me by mark-t · · Score: 2

    Because it's been shown that they will pay. From a fiduciary standpoint, it probably has the highest profit-to-effort ratio.

  3. easy one by PopeRatzo · · Score: 2

    Why Are Hackers Increasingly Targeting the Healthcare Industry?

    Because they're horrible human beings. Real shitstains who would throw a puppy off a bridge for a quarter. Many are probably bedwetters. All sociopaths. May they die horrible deaths and then be forgotten.

    --
    You are welcome on my lawn.
  4. Re:Because the people in charge are idiots by Shadow99_1 · · Score: 2

    It's also because they hire like 1 or 2 guys to handle the entire IT department for a hospital including associated doctor's offices. I applied at one and it was 2 guys to cover both the main campus and 12 satellite locations... How can 2 guys possibly deal with every issue that pops up in a given day and work on security and make sure every hole is patched? Worse, from what I saw the IT head was at the whim of the other department heads as to what software and services they needed to offer.

    --
    we are all invisible unless we choose otherwise
  5. I think this is about a third of it by s.petry · · Score: 3, Insightful

    Two things missing from your summary. First, the health care industry now has to hold massive amounts of data on you, and has to make it available to the Government. This is the price of government mandated and controlled insurance. All of this data makes it simple to steal your identity, which ties into our second item.

    Second item: Profit. In addition to using your prescription coverage for codeine, big ticket items are being charged to people because identity theft is so easy. Within the last month or so, two people were hit with tens of thousands of dollars in co-pay for major surgery, and another was hit with fees from a transplant. All of which were done to other people. A bit of investigation determined that the people bought insurance on the black market for their procedures. The better the insurance being stolen, the higher price it retrieves. Shame on the US for using a SSN for nearly everything.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:I think this is about a third of it by Anonymous Coward · · Score: 2, Informative

      The healthcare industry has *always* held massive amounts of data on you. Of all the sweeping changes made by ACA, this is not one of them.

    2. Re:I think this is about a third of it by tomhath · · Score: 2

      Of all the sweeping changes made by ACA, this is not one of them

      He didn't say ACA. Much of it was mandated by HIPAA, but it's really due to malpractice lawsuits. A healthcare provider needs to document everything and keep it essentially forever, including billing information in case they get charged with fraud.

  6. Re:I think I've seen this already. by Rei · · Score: 2

    If prescription dispensing can be practically hacked, the possibilities are disturbing. Because they not only could kill people; they'd also know who they were killing, and could target specific people. Even high profile ones.

    --
    Did he just go crazy and fall asleep?
  7. Re:This is what we want by JaredOfEuropa · · Score: 2

    I'm not against electronic medical records, though I do see the potential security issues. But it's not hackers I am most worried about, it's medical staff with legitimate access, who have no business nosing around my records but do so anyway. It happens a lot more than you'd think, not too long ago there was a big stink here about policemen going through all manner of records they had no business peeking into. Bored cops reading up on celebrities, or checking records on their ex or recent date. And in case of medical data there is a solution for that: any time someone pulls my data, I am notified (by email or whatever): who requested my data, what is their function and who is their employer, and what is their stated purpose of the request. Exactly this kind of audit trail was proposed for our new centralised medical records database, and guess who opposed it? That's right: the medical insurance companies (who should not get access to any of that data unless by explicit permission)

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
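The comment above describes a concrete control: every pull of a patient's record produces a notification naming the requester, their function, their employer and their stated purpose, and insurers get nothing without the patient's explicit permission. As an added example, not part of the original comment or of any real records system, here is what that audit-and-notify wrapper looks like around a record lookup. The `Requester` fields, the "provider"/"insurer" sector classification, the consent store and the patient and employer names are all assumptions made for the example.

```python
"""Patient-facing access audit: no record read without a log entry and a
notification; insurer access refused unless the patient has granted consent.

Added example. The data model (Requester, AuditEntry), the sector labels
"provider"/"insurer", and every name used in demo() are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Requester:
    user_id: str
    function: str    # job function, e.g. "attending physician"
    employer: str
    sector: str      # assumed classification: "provider" or "insurer"


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    patient_id: str
    requester: Requester
    purpose: str
    allowed: bool


class RecordAccessAudit:
    """Every lookup goes through fetch(), which writes an audit entry and
    notifies the patient before any data is returned or refused."""

    def __init__(self, records, notify):
        self._records = records      # patient_id -> record (constructed data)
        self._notify = notify        # callable(patient_id, text); e-mail/SMS in practice
        self._consent = {}           # patient_id -> set of employers the patient allowed
        self.entries = []

    def grant_consent(self, patient_id, employer):
        self._consent.setdefault(patient_id, set()).add(employer)

    def _log_and_notify(self, patient_id, requester, purpose, allowed):
        entry = AuditEntry(datetime.now(timezone.utc), patient_id, requester, purpose, allowed)
        self.entries.append(entry)
        verb = "accessed" if allowed else "was DENIED access to"
        self._notify(patient_id,
                     f"{requester.user_id} ({requester.function}, {requester.employer}) "
                     f"{verb} your record. Stated purpose: {purpose}")
        return entry

    def fetch(self, patient_id, requester, purpose):
        if not purpose.strip():
            raise ValueError("a stated purpose is mandatory")
        permitted = self._consent.get(patient_id, set())
        if requester.sector == "insurer" and requester.employer not in permitted:
            self._log_and_notify(patient_id, requester, purpose, allowed=False)
            raise PermissionError(f"{requester.employer} has no consent from {patient_id}")
        self._log_and_notify(patient_id, requester, purpose, allowed=True)
        return self._records[patient_id]

    def accesses_for(self, patient_id):
        """What the patient sees: the full trail for their own record."""
        return [e for e in self.entries if e.patient_id == patient_id]


def demo():
    """Constructed scenario: a physician reads a record, an insurer is refused,
    the patient grants consent, the insurer then succeeds."""
    sent = []
    audit = RecordAccessAudit({"P-1001": {"note": "constructed sample record"}},
                              lambda pid, msg: sent.append((pid, msg)))
    doctor = Requester("dr.b", "attending physician", "City Hospital", "provider")
    adjuster = Requester("claims.42", "claims adjuster", "Acme Health Insurance", "insurer")
    audit.fetch("P-1001", doctor, "follow-up consultation")
    denied_first = False
    try:
        audit.fetch("P-1001", adjuster, "claim review")
    except PermissionError:
        denied_first = True
    audit.grant_consent("P-1001", "Acme Health Insurance")
    audit.fetch("P-1001", adjuster, "claim review")
    trail = audit.accesses_for("P-1001")
    return {"notifications": sent, "denied_first": denied_first,
            "allowed": sum(e.allowed for e in trail),
            "denied": sum(not e.allowed for e in trail)}


if __name__ == "__main__":
    for pid, msg in demo()["notifications"]:
        print(pid, "<-", msg)
```

The point of routing the denial through the same log-and-notify path as a success is that a refused insurer lookup is itself information the patient should see; an audit trail that only records what was allowed hides exactly the attempts the commenter is worried about.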
  8. You ever try to tell a DOCTOR to do anything ? by Crashmarik · · Score: 2

    Good luck getting them to comply with security policy or keeping any policy in place that one objects to.

  9. Health care people just don't care by Sarusa · · Score: 3, Informative

    I've worked a bit with the health industry (not as a career, thank god, that would be soul crushing), and outside of government health care has the worst IT and worst security I've ever seen. Because they just don't care unless it impacts their bottom line.

    All those health apps that doctors and nurses use, and all those devices? Yeah, they have terrible security because the hospitals don't make it a priority and they just don't care either. Class C medical devices that are PCs running Windows XP with active USB ports? You bet.

    Your online records? Those are handled by outsourced people running cobbled-together Ruby scripts that take 30 hours to process 24 hours' worth of data in plaintext CSV (I use that because I've seen it); they certainly don't care about security. Your insurance company? They certainly don't give a damn whether you live or die as long as they're raking in the cash.

    All they care about is preserving the appearance of not violating HIPAA because that might cause them some grief.

  10. Re:I think I've seen this already. by geekmux · · Score: 2

    If prescription dispensing can be practically hacked, the possibilities are disturbing. Because they not only could kill people; they'd also know who they were killing, and could target specific people. Even high profile ones.

    You bring a strong point here. I wonder if anyone will wake up to security concerns when cyber-attack turns into cyber-murder?

    Even more of a disturbing thought; what happens when a life insurance company hires someone to "accidentally" send an overdose of medication to make a patient look like they've committed suicide to avoid a payout? (sadly, greed knows no bounds)

    If these aren't enough reasons to take the damn hardware offline, I don't know what is. The answer certainly isn't cutting back on hospital staff to the point where all of this automation is necessary, but this is certainly a catch-22 with the way liability is being painted these days.