Imagine you're being prepped for surgery when suddenly everything stops. What's happening?
Your hospital may have been hit by a cyberattack. A new report finds health care organizations are a favorite target for hackers. The attacks range from making phony doctor credentials to creating life-and-death situations.
Find out how health care organizations are changing their cybersecurity systems and vigilance to protect patients.
Cyberattacks on health care organizations are on the rise
A frightening 84% of health care organizations say they have witnessed an increase in cyberattacks over the past year, according to a survey by security company Carbon Black.
For cyberattackers, the allure of health care organizations is the sheer amount of data that can be found, and not just on patients, but also doctors and insurance companies. This data being sold on the dark web mostly ranges from forgeries to health insurance login information, according to Carbon Black.
But one particular offering is quite worrisome: documents needed to pose as a medical doctor. For $500, a person can buy malpractice insurance documents, medical diplomas, board recommendations, medical doctor licenses and DEA licenses.
Another type of attack is called fileless. No data is taken. The attackers just want to see it all burn.
"Destructive attacks are tailored to specific targets, cause system outages and destroy data in ways designed to paralyze an organization’s operations," according to the report. "These attackers aren’t just committing simple burglary or even home invasion -- they’re arsonists. These attacks are often carried out by punitive and malicious nation-states, including Russia, China and North Korea."
The most frightening and common of all fileless attacks on health care organizations is ransomware. With ransomware, a hacker can take control of an organization's servers and not release them until a "ransom" has been paid.
Just as ransomware is used by culprits to cripple or completely paralyze city services or corporate business, it also is used by more malicious actors to attack hospitals, putting patients at their mercy.
"In targeting healthcare organizations, ransomware attackers are taking advantage of the 'do no harm' principle," the Carbon Black report stated. "Meaning, when forced to decide between paying a ransom or being unable to access critical patient files, the health care provider has no choice -- they have to pay, lest a patient potentially incurs great harm or loss of life."
This scenario already has been played out in real life. Three years ago, ransomware attackers targeted Medstar hospitals in Washington, D.C. Patients were taken off operating tables and new patients were directed to other hospitals in Maryland and Virginia. The hackers, who were located in Iran, sought 45 Bitcoins or $19,000 in ransom. Medstar did not pay.
According to the Carbon Black report, 66% of surveyed health care organizations said cyberattacks, including ransomware, have become more sophisticated over the past year. About 45% said they’ve encountered attacks over the past year where the primary motivation was the destruction of data.
Health care getting proactive against cyberattackers
With the stakes so high, health care organizations are no longer playing defense. They are actively looking for and neutralizing attacks.
By "threat hunting," chief information security officers around the world said they had significantly improved their organizations' security protections.
But Carbon Black reports that the majority of health care security experts still put compliance as their top concern instead of data breaches.
"Approaching security with a 'checkbox' mentality opens the door for building a security program that covers the bare minimum for data protection," the report stated. "Compliance standards are a great starting point, but should not be considered a dogmatic blueprint for building effective security."
The fight against cyberattackers isn't just taking place among IT personnel. Employees on the front lines also are working to fight attacks.
Carbon Black found that 84% of health care organizations surveyed train employees on cybersecurity best practices at least once per year. Up to 45% of health care organizations conduct training multiple times per year for employees.
Update: Massive data breach exposes millions more patient records, including medical and financial info
There's more fallout from the recent data breach at American Medical Collection Agency (AMCA), as another health care client says millions of their patient records have been also been exposed. In addition to Quest Diagnostics Inc., the breach now involves LabCorp, which also runs numerous lab testing facilities around the country.