How to Cure the Healthcare System's 'Cyberflu'

Expensive, top-heavy, bureaucratic – the healthcare system is all that, but we're all grateful to be living in an era when medicine has advanced to the point that it keeps us alive, on average, until we're well into our 80s.

But, to those criticisms of the healthcare system, add another; a marked lack of security on servers in doctors' offices, hospitals and clinics, as busy medical staff ignore strictures on logins and passwords, leaving accounts open and email in plain sight. This gives hackers the opportunity to wreak havoc – by installing malware or ransomware on networks, often using fileless malware attacks, which are largely immune to standard security systems, call it a case of ‘cyberflu.’

Why would hospitals – or doctors' offices, HMOs, insurance company, and medical clinics – be more vulnerable to hack attacks than, say, banks? According to experts, the simple reason is that the medical profession is focused on treating patients and protecting lives, and puts the lion's share of its efforts into that.

Banks are in business to protect money, and they take the necessary steps to protect that. The upshot is that cybersecurity is very much on the minds of people in the bank business – but not necessarily those in the medical profession.

Numerous studies show that “cybersecurity appears worryingly low and many hospitals are wide open to attack,” as one study puts it. Why? Because they need to constantly access patient records and communicate with other departments, medical staff tend to ignore logging out after they log into a network.

Besides doctors, other staff – nurses, social workers, LPNs, financial officers, insurance workers – may access patient records, sometimes several times a day if the patient's health situation is fluid. 

All those staff will have the credentials to enter the system and access records – and the more access to those credentials, the more likely they are to leak, or to get stolen. Personnel often access a hospital network from their own devices – laptops, tablets, or even smartphones – again, because they are focused on saving lives, not on security.

That's all the windows a hacker needs; they can send an email from a hacked account, with a file that has a likely-looking title (“Update on Patient X,” or the like) that could have malware embedded in it. Studies show that as many as 95% of those security breaches are due to phishing, socially-engineered attacks that convince users to open a document or click on a link, with many of those attacks in the guise of macros or Javascripts attached to documents that sandboxes, anti-virus programs, and other popular systems are unable to detect.

Is an anti-virus program installed on the target's machine? No problem; hackers can use tried and true tactics such as embedding malware in a macro in a Word document, for example. That kind of attack is undetectable by antivirus programs.

That these attacks work is proven by the numbers: In the first half of 2017, the healthcare industry was the second biggest target for hackers (behind the finance industry), but it was the industry that experienced the biggest increase in attacks.

Overall, over 30% of breaches reported in 2017 were in healthcare, compared to 22.6% in 2016. And in 2018, industry experts expect 35% of all malware attacks to utilize fileless malware tactics.

With the medical industry clearly at a cybersecurity disadvantage, those responsible for security in the industry need to think outside the box when developing security strategies. To expect medical personnel to suddenly change their ways and hew to strict cybersecurity guidelines is pretty unrealistic; the best strategy would be for security watch dogs to prevent malware from getting to personnel in the first place.

To do that, they need an intelligent security system that can detect attachments that may contain fileless malware – systems that can analyze macros and remove offending malware before passing files onto users. Anything less will practically guarantee that the medical profession – and the health of those it serves – will remain at risk.

What’s Hot on Infosecurity Magazine?