Cybersecurity (or lack thereof) in the health care industry isn’t a new concern going into 2018. It wasn’t a new concern going into 2017, either. However, with the rise of IoT devices used for medical care and the lucrative nature of ransomware attacks, will health care security reach a tipping point in the coming months?
A new report from eSentire examined the state of cybersecurity in the health care industry and the news wasn’t good. The report found that the health care industry has a weak security posture overall and this is escalating risks at a time when threats are getting more sophisticated. There is also a surprising lack of security awareness in the health care industry, especially when you consider a cyber attack could result in life or death situations. As the report stated:
The healthcare industry’s poor security posture makes it susceptible to the most basic opportunistic attacks. The value of patient records and the critical role medical facilities play in national stability make healthcare an attractive target for both financially-motivated and politically-motivated attacks. Delivery of ransomware through phishing is a common attack vector experienced by healthcare providers, in addition to Point-of-Sale attacks and exploitation of vulnerabilities on exposed services.
This falls in line with some of the health care security related predictions I’ve seen. For example, the researchers at Kaspersky Lab foresee the role IoT will play in future attacks, stating in a release that attacks breaching private networks to target medical equipment and data with the aim of extortion, malicious disruption or worse could rise as the volume of specialized medical equipment connected to computer networks continues to grow.
Larry Cashdollar, senior engineer, Security Intelligence Response Team with Akamai, told me in an email comment that he believes attackers will continue to target databases, specifically medical and financial records. Health records are highly valued on the black market because they are saturated with PII. He, too, questioned the security of the devices in the industry, saying that because medical devices are hard to update and often run on older operating system versions, they’ll add another layer of risk.
I think John Germain, CISO at Duck Creek Technologies, summed up cybersecurity in 2018 quite nicely with this comment to me:
Healthcare has become a high-value target as technology in this industry is widely disparate, but is being connected over networks that are still catching up from a security perspective.
So, while the outlook for cybersecurity in health care isn’t great for next year, I think it is the year that the industry has to step up and make real changes. It can’t be ignored anymore.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba