A report issued in August 2022 by the United States Health Sector Cybersecurity Coordination Center confirms a troubling trend that cyberattacks in healthcare are on the rise. Published by the American Hospital Association, the analysis indicates that the growth of convenient Internet of Things (IoT) devices and applications inadvertently creates cybersecurity gaps throughout the healthcare industry. There are a reported 7 billion IoT devices and applications connected online, and that number is expected to balloon to more than 27 billion by 2025, putting healthcare IT at heightened risk.
The Health Sector Cybersecurity Coordination Center report states, “There is an increase in security concerns that exist with this technology along with the many organizations that operate them such as healthcare, finance, manufacturing, logistics, and retail. Its architecture typically consists of wireless networks and several components to exchange data. While IoT projects can differ, the main architectural layers have remained consistent.”
With the growing acceptance and use of IoT technology, especially in healthcare to monitor patient vitals such as blood pressure and heart rate, there’s obviously greater risk for cybersecurity threats. According to the August report, “Adding IoT to an organization can increase the attack surface on which an organization can be vulnerable if the network isn’t sectioned off into secure zones.”
The healthcare industry ranks among the Top 5 most attacked business sectors year-over-year. That’s largely because hackers have successfully stolen Protected Health Care Information (PHI) assets and garnered the highest profits. According to the 2021 Cost of a Data Breach Report by the Ponemon Institute, cybercriminals targeting healthcare averaged upwards of $9.23 million per breach in 2021. The figure outpaced all other industries and increased by a stunning 29.5 percent from 2020.
Even a cursory look at the historical escalation of cyberattacks in healthcare proves the need for improved defenses. Let’s take a look at 10 examples from over the years that lead up to the concern of the IoT threat:
1. First Ransomware Attack on Public Health Sector: PC Cyborg “AIDS Trojan” (1989)
Although ransomware attacks garnered mainstream attention during the 21st Century, the first attack occurred before most people had access to the internet. Joseph Popp Ph.D., an AIDS researcher, initiated the first ransomware attack in 1989 by tainting 20,000 floppy discs sent to fellow researchers in over 90 countries. The discs included a health questionnaire designed to assess a person’s likelihood of contracting HIV.
This first ransomware message read, “These program mechanisms will adversely affect other program applications on microcomputers. You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement: your conscience may haunt you for the rest of your life; you will owe compensation and possible damages to PC Cyborg Corporation; and your microcomputer will stop functioning normally.”
Taking the questionnaire effectively downloaded the malware, which remained dormant. Once the computer was powered up 90 times, a message demanded a $189 payment sent to a Panama Post Office Box.
Floppy discs were the most effective vehicle to spread computer viruses and ransomware attacks. In some regards, their proliferation is akin to the IoT devices and apps that share information today. The PC users of yesteryear who downloaded malware typically skipped the basic cybersecurity measure of running a virus scan on the floppy disc.
2. Boston Children’s Hospital (2014)
In what can best be described as an act of self-righteous retribution, a Somerville, Massachusetts, man launched a Distributed Denial of Service (DDoS) attack on the Boston Children’s Hospital in 2014. Eventually apprehended and prosecuted, he was reportedly given a 10-year prison sentence and ordered to pay $443,000 in restitution.
A DDoS attack overruns a server with traffic, effectively bogging it down. Such attacks are typically leveled by people with a grudge against a healthcare outfit, so-called “hacktivists,” and industry competitors. While one is underway, an organization struggles to access platforms and complete online tasks.
The symptoms of a DDoS attack can mirror high-traffic times when servers slow. Given sluggish devices are often the norm, you may not recognize the telltale signs of cyberattacks in healthcare networks. A risk assessment, such as a server health check, can highlight healthcare IT vulnerabilities, giving decision-makers an opportunity to harden their defenses. Coupled with DDoS monitoring, a healthcare IT expert can greatly reduce the chances of an attack overwhelming your servers.
3. Anthem Health Insurance (2015)
It may come as something of a surprise, but Anthem Health Insurance reportedly doled out more than $115 million, including $16 million to the Department of Health and Human Services, after an employee failed to identify a spear phishing email that allowed a Chinese national to steal upwards of 78.8 million personal identity records.
The initial breach occurred as early as March 2014 and Anthem didn’t discover the malicious files in its system for months. On February 2, 2015, Anthem established the number of personal identity records stolen at 37.5 million, but quickly revised the figure to 78.8 million. The U.S. Department of Justice called the culprits “an extremely sophisticated hacking group.”
But truth be told, the massive violation of PHI records and identity theft was likely preventable. Office workers who send and receive emails or visit platforms require cybersecurity awareness training. Had Anthem better invested in this cybersecurity necessity, that unsuspecting employee may have otherwise deleted the phishing scheme email.
4. Hollywood Presbyterian Medical Center (2016)
The Hollywood Presbyterian Medical Center was coerced into making a $17,000 ransomware payment to hackers who seized control over its healthcare IT system. Cyberthieves initially demanded upwards of $3.6 million in bitcoin while CT scans, lab work, pharmaceutical, documentation, and all computer-related services were frozen for more than one week.
Although the Los Angeles hospital officials declined to release detailed information about the hackers’ methods, the 434-bed facility is synced with wide-reaching technologies, devices, and applications considered part of the IoT. Regardless of whether the seemingly sophisticated attack was preventable, it’s abundantly clear the facility did not have a sufficient cybersecurity incident response plan. Unless healthcare organizations are prepared to overcome such attacks, they remain at the mercy of the cybercriminals’ cryptocurrency demands.
5. British NHS Systems (2017)
Despite telltale signs the British National Health Service computer systems and software were grossly outdated, officials failed to take preventative measures. According to the New York Times, nurses lost the ability to print the name tags for newborn babies. The media outlet published this shocking example of how the cybersecurity breach impacted everyday people.
“My head is pounding and they say they can’t see me. They said their computers weren’t working. You don’t expect this in a big city like London,” George Popescu, a 23-year-old hotel cook with a head injury, reportedly stated.
Reports indicated that the British NHS continued to use outdated programs that were vulnerable to cyberattacks. Defunct and unpatched programs allow hackers to employ a tactic commonly known as a “zero-day attack.” The term refers to when a program times out or has a flaw that requires patching. The British NHS was reportedly using outdated Windows XP, long after security updates had been discontinued, and its Microsoft contract had been expired for two years. Had the British NHS taken a more proactive IT approach to maintaining its contract and updating its software, there could have been a better outcome.
Companies in every business sector are vulnerable to zero-day attacks when using software that has expired or hasn’t been updated properly. The failure to take a proactive cybersecurity approach to cure this fundamental cyber hygiene issue continues to provide cybercriminals a doorway into sensitive data such as PHI records.
6. Medical Image Leak (2019)
A ProPublica report demonstrated that more than 4 million medical images were leaked due to unsecured Picture Archiving and Communication Systems (PACS). While the phenomenon was global in nature, the US healthcare IT systems reportedly lagged behind other countries in securing the cybersecurity gap.
These PACS servers were considered a critical element of the healthcare communication infrastructure. They helped share patient information consistent with growing IoT convenience. Unfortunately, hackers appear able to intercept data, integrate malicious codes, and exploit vulnerabilities throughout the digital imaging network.
Perhaps the greatest vulnerability stems from the willingness of administrative workers to share login credentials to expedite care. Once hackers ascertain a legitimate username and password, they can patiently siphon off information indefinitely. That’s precisely how the 2020 SolarWinds hack occurred, which affected 33,000 customers, including the Department of Homeland Security and the Treasury Department.
7. Hammersmith Medicines Research (2020)
When Hammersmith Medicines Research refused to pay a ransomware demand, cyber thugs posted thousands of PHI records online. The hacker group, called Maze, was not necessarily interested in retribution and reportedly went on to publish the names of other companies that would rather file for bankruptcy than suffer extortion.
Hammersmith Medicines Research possessed a viable incident response plan and was reportedly able to brush aside the criminals. The hackers, in response, positioned themselves as do-gooder hacktivists pushing back on a successful healthcare enterprise.
The ransomware group said, “We want to show that the system is unreliable. The cybersecurity is weak. The people who should care about the security of information are unreliable. We want to show that nobody cares about the users.”
The incident highlights one of the primary reasons organizations fail after a data breach. Clients, customers, and other businesses in the network view operations such as Hammersmith as too risky.
8. NEC Networks/CaptureRx (2021)
CaptureRx agreed to a reported $4.75 million settlement in connection with a class-action lawsuit related to the 2021 data breach. The third-party IoT pharmacy system is used to oversee inventory, facilitate transitions, and perform other functions.
Unfortunately, the vulnerable system allowed hackers to pilfer the sensitive PHI records of 1.9 to 2.4 million people. The system was reportedly breached when unauthorized personnel were able to reach across the platform. The incident supports a strong case for healthcare organizations to implement “zero-trust” protocols that restrict informational access to users.
The strategy limits access to only what each user requires to perform their duties. In the event a hacker learns their username and password, the hacker’s access can be contained.
9. St. Joseph’s/Candler Health System, Inc. (2021)
When the St. Joseph’s/Candler (SJ/C) hospital system in Savannah, Georgia, suffered a ransomware attack, staff were prepared to use emergency protocols. Employees went to hard copy record keeping, preventing hackers from stopping the care of ailing community members.
Although the well-prepared organization was able to proceed with surgeries and other procedures, more than 1 million records may have been exposed. St. Joseph’s/Candler reportedly offered identity protection services to impacted individuals. Identity protection monitoring is an effective early warning service that can prevent losses.
10. Shields Healthcare Group (2022)
An unauthorized user reportedly penetrated the Shields Healthcare Group in March 2022 and remained undetected for approximately two weeks. Upwards of 2 million PHI records were compromised across 40 locations.
Hackers typically sell patient information on the dark web, where other criminals leverage it for misuse. Some create “fake patient” profiles, and scammers without health insurance utilize it. When fake health information becomes intertwined with someone’s digital records, lives are jeopardized.
Healthcare Organizations Benefit from Working with a Trusted Cybersecurity Partner
The new threats of IoT technology to the healthcare sector, along with the examples of cyberattacks that may have been prevented with a more proactive cybersecurity approach, are reminders of the importance of working with IT experts that understand your business and compliance requirements.
Machado’s experienced team stays a step ahead of the latest threats that may impact your business. If you’re concerned about the status of your IT network, let’s talk about how you can better protect your business or organization.