How outdated medical systems leave patient records at risk
When people first think about the most common victims of cyber attacks, their minds automatically shift to the big money targets, like banks and retail. Yet, one other victimised industry suffers numerous attacks, with the potential to cause devastating and even traumatic consequences - the healthcare sector. Whilst not the most lucrative target in terms of immediate financial gain, the healthcare sector holds stores upon stores of sensitive medical data which can be used in attacks to commit fraud, or as perfect leverage for blackmail.
Incidents such as the Vastaamo Psychotherapy Centre breach demonstrate the severe impact an attack can have on individuals. And it doesn’t stop there. Criminals will use any weakness, large or small, to their advantage – COVID-19 being the most recent. Last year, more than one in four UK cyber attacks were related to COVID-19, and the attack on the COVID vaccine supply chain is just one example.
Threat actors will use a variety of different methods to profit from medical data, including phishing, malware, ransomware and password spraying. Regardless of the method used, cyber criminals will target healthcare institutions because they know these organisations are not as well protected as high-end businesses or enterprises.
Outdated operating systems
Given that most medical systems are publicly funded, the world’s health data is often stored in old legacy technology, running on outdated operating software. Attackers have always had easy access to these systems and are exploiting them more often. The need to protect some of our most private and sensitive data is more urgent than ever.
These outdated operating systems leave sensitive data out in the open and extremely vulnerable to attack. With many of these technologies no longer manufactured or supported, the system upgrades that would offer more protection from cyber threats are unlikely to be available. From X-rays and MRI scans to detailed patient-doctor communications, the volume and variety of data on file leaves patients vulnerable to blackmail should the records fall into the wrong hands.
Institutions and patients are vulnerable
The bulk of attacks targeting the healthcare sector are ransom Trojans. Using this method, attackers aim to shut down certain operations, before then demanding a ransom to reverse the disruption. Unlike most other industries, disruptions in healthcare can put human lives and health at risk, and criminals know this. Considering the severity of this threat, and the fact that healthcare providers are unable to sustain operational downtimes, it is no surprise that some would feel obligated to pay the ransom. However, this is strongly discouraged as there is no guarantee that attackers would stand down and not repeat the threat at a later date.
There have been several ransom Trojan attacks during the pandemic, including Ryuk, orchestrated by the Russia-based Wizard Spider advanced persistent threat (APT) group. Dozens of hospitals and healthcare institutions have been impacted by Ryuk during the pandemic, where COVID-19 has pushed hospitals and healthcare organisations and staff to their limits.
Yes, attackers are opportunistically motivated by money and have been going after these institutions for a long time. However, they are changing tack and moving their focus to individuals instead – something which could become a financially profitable trend in 2021 and beyond.
Other attacks that target patients themselves are just as, if not more, devastating. The Vastaamo attack, for example, shocked the industry and everyone involved. Over one weekend in October 2020, thousands of patients inundated victim support services having received emails demanding €200 in bitcoin to prevent contents of their sessions with therapists being made public. This appalling act against vulnerable individuals shows the extent to which criminals will go for financial gain.
The cost of an attack
The average cost of a healthcare data breach is £5.27 million, making it one of the most expensive types of data breach across all sectors. These costs include remediation following the attack, getting services back online and putting in place measures to prevent a similar attack happening again. In addition to this, organisations may need to pay large fines to regulators if they have failed to implement the required level of security. The GDPR has a maximum fine of £18 million, or four percent of income, whichever is greater. For medical institutions, these figures are enormous and could leave them on the brink of collapse.
Moving forwards
To future-proof the industry and give it the best fighting chance against these attackers, the healthcare sector must assess its current processes and systems and evaluate the cost of investment versus the cost of an attack. Investing in modern and updated technologies may mean splashing out the cash now, but it will help keep costs down long-term.
There are a number of protective software solutions that can also add that extra layer of security. Endpoint detection and response solutions use real-time behavioural, reputational and big data analysis with machine learning to automatically place detections into a broader context. This includes monitoring risk levels, affected host importance, and the prevailing threat landscape. In addition, there are different vulnerability management solutions which can expose vulnerabilities from unauthorised shadow IT and drastically reduce an attack surface, as well as prevent attacks through software misconfigurations in services, operating systems and network devices. These solutions can help identify missing security patches and outdated software through system scans, and thereby advise on which areas of security require the most immediate attention.
Hospitals and healthcare organisations help the most vulnerable individuals, making them key targets for criminals wanting to exploit weaknesses. It’s abhorrent but it’s a fact. As a result, it is important they continue to invest in the most up-to-date technology and software to ensure that all patient data is kept safe. The industry will need to remain strong, for both its own future, as well as for the future of its patients.