North American hospitals are the most exposed to cyber-threats in the world, according to a new Trend Micro study revealing a thriving black market in the Electronic Health Records (EHRs).
Its latest report, Cybercrime and Other Threats Faced by the Healthcare Industry, uses Shodan searches to reveal that patient data is at risk thanks to internet-connected but unsecured devices.
It revealed that Canada (53%) and the US (36%) are the two countries with the highest number of exposed healthcare organizations. It found over 1000 expired SSL certificates in the US alone.
Although the UK was fairly low down on that list (0.9%), its healthcare industry reported over 870 beach incidents to privacy watchdog the Information Commissioner’s Office (ICO) in 2016.
Also, separate research last year revealed that nearly half of all NHS Trusts in England had suffered a ransomware attack in the previous 12 months.
Simon Edwards, European cybersecurity architect at Trend Micro, told Infosecurity that the volume of attacks targeting the NHS is “truly astounding.”
“In the most case these tend to be based around ransomware, and there have already been a number of hospital trusts who have had ransomware outbreaks which have impacted their ability to offer care to patients,” he added.
“One assumes that it is this need to provide vital services which makes them targets, for if a hospital A&E department is closed because of a cyber-attack, then people could die and so they will pay up. But it is also challenged by underfunding in cybersecurity projects and a lack of skilled and experienced security staff which makes them vulnerable.”
The Trend Micro report, which has a US bias, also revealed just how lucrative patient data can be for information thieves.
Complete EHR database can sell for as much as $500,000, it claimed.
Part of the attraction for cyber-criminals is that patient data typically includes a blend of information, including PII, medical, insurance and financial details.
Many of these are unique and can’t be reset if breached, allowing the hackers to reuse them multiple times and stitch pieces of stolen data together to commit follow-on identity fraud, the report claimed.
Fraudsters could technically use stolen information to get hold of prescription drugs, apply for medical insurance and even create birth certificates, it said.