Hospitals are a 24/7 operation. Attackers are human, and they look for the lowest-risk, highest-reward opportunities. Ransomware is more profitable when lives are at risk. Modern ransomware techniques have proven that it is not only about the data when attacking a hospital. The goal is to paralyze the network to ensure executives pay the ransom to get hospital operations back online. The following factors are contributing to the recent and ongoing surge of ransomware attacks:
HUMAN ERROR AND MISCONFIGURATION
Often the medical staff is fatigued from working long hours, which makes it easier for the staff to be susceptible to weak passwords, phishing emails, and system misconfigurations. The medical staff needs to be trained to identify security threats such as phishing and social engineering tactics. Still, at the same time, it is easier said than done when you have little time on your hands to determine if an email is a phishing email.
PHISHING IS A COMMON GATEWAY TO RANSOMWARE
It only takes one infected email to gain access to the network. Phishing attacks continue to be the top attack type seen by the Pondurance security analysts. In the first quarter of 2021, 33% of attacks detected were phishing attacks.
EHR IS A VALUABLE COMMODITY
Hospitals are leveraging digital technology to digitize medical records, Social Security numbers, payment information, and medical data to improve patient services. EHR enables hospitals to ingest and provide more accurate, up-to-date information to document and forecast the progress of treatments and practices and prevent disease. Attackers see this information as a gold mine for medical identity theft.
LEGACY SYSTEMS AND MEDICAL DEVICES ARE NEARLY IMPOSSIBLE TO HARDEN
The fear of disrupting patient services is often the primary reason healthcare organizations fail to keep their systems up to date. Medical devices could run outdated vendor firmware that represents a more significant threat to the network. Often these devices are not created with security in mind, having weak authentication and, in some cases, hardcoded credentials. In addition, the data transfer firmware is unsecured and unencrypted, resulting in the risk of exposing electronic protected health information (PHI) in patient monitors, MRI machines, VoIP phones, printers, and more.
LIMITED CYBERSECURITY STAFF IS AN EPIDEMIC IN THE FIGHT AGAINST CYBERCRIME
The medical industry is not the only sector that is affected by the lack of cybersecurity talent. Healthcare is struggling to find employees with cybersecurity-related skills, and overall it is expensive to hire and retain cybersecurity professionals. On average, it takes 70% longer to fill cybersecurity positions in the healthcare industry than IT jobs.4
THIRD – PARTY RISKS
Organizations of all sizes have experienced their fair share of cyberattacks due to third-party and vendor risks. The healthcare industry is not any different, and third-party risks are among the most significant vulnerabilities that providers and payers face. In fact, according to a Pondurance study, 42% of enterprise healthcare organizations say third-party and vendor risks are the leading cybersecurity and privacy challenges they face in today’s threat landscape.