Hospital hacks: Default passwords and no patching leave healthcare at risk

March 15, 2018

A sharp rise in cyber-attacks targeting hospitals has been assisted by the healthcare industry’s failure to address known vulnerabilities or comply with best security practices, with password sharing, outdated software, and exposed servers rife within the sector.

This lax approach to cybersecurity means that many cyber-attackers and hackers are happy to take advantage of what they view as an easy target in order to get their hands on sensitive information—including medical records and other personal data.

According to figures in the “McAfee Labs Threats Report for March 2018,” 2017 saw a 211% increase in disclosed security incidents in healthcare compared with 2016. According to researchers at the security company, many of these incidents were “caused by failures to comply with security best practices or to address vulnerabilities in medical software.”

That compares to a rise in reported cyber-attacks against educational establishments of 125% and a jump of around 15% in reported incidents against the financial and public sectors.

While some cyber-attackers view targeting hospitals as a step too far when it comes to conducting campaigns, for others, they’re lucrative hubs of valuable data just waiting to be exploited.

During the course of the study, researchers found exposed healthcare data, sensitive images, and vulnerable software, which made it possible to reconstruct patient body parts using 3D printing.

Typical security holes in healthcare organizations include hardcoded, embedded passwords, remote code execution, unsigned firmware, and failures to address known vulnerabilities in medical software. Default accounts, cross-site scripting, and vulnerabilities in web servers were also found to be issues, with many systems running on old software.

Arguably, the most significant example of failure to apply security patches resulting in hospitals falling victim to cyber-attacks came with last year’s WannaCry ransomware outbreak.

While no patient data was compromised as a result of this global cyber-attack, a large number of National Health Service hospitals and doctor’s surgeries in the UK were forced offline as systems became infected.

The rise in attacks against healthcare, combined with the sensitive personal data the sector holds and the potential for a cyber-attack against a hospital to harm patients, means that organizations in the sector, and those which provide technology to them, must take more care when it comes to cybersecurity.

ZDNet has the full article
