Patient data are a favourite target of cybercriminals. Not only hospitals, but care services and insurance companies are being affected. In future, however, quite different targets could also come under attack.
A new ransomware attack on the UK's National Health Service (NHS) resulted in shutdowns in the Scottish county of Lanarkshire. They were so serious that in some hospitals, operations were cancelled and patients were asked to only visit the hospital in the event of acute emergencies.
The situation is reminiscent of the wave of attacks by the WannaCry blackmail Trojan, which severely affected the British health service in the spring. Until now, there has only been speculation about the background to the new attack. Ransomware is usually designed to extract a ransom by blackmail. The more important the victim, the higher the sum, would be the likely calculation of the cybercriminals. If health care is threatened, it may be assumed that the willingness to pay higher sums of money increases commensurate with the number of patients affected.
Criminals are successful
There are plenty of reports about the successes of the attackers, here are just two examples: Recently, in the Medical Oncology Hematology Consultants Center near Philadelphia, 19,000 patient data records were encrypted by ransomware. Previously, the same thing had happened to the St. Mark’s Surgical Center in Fort Myers, Florida, where 34,000 datasets were encrypted.
But cybercriminals are not just interested in ransoms. The theft of health data can also be a lucrative business. Either as a result of blackmailing the establishment from which the data was stolen, or by selling it on to unscrupulous data brokers who carry out scoring for insurance companies or recruitment agencies, for example, to facilitate the evaluation and categorisation of individuals.
This year alone in the USA, more than half a dozen hospitals were affected by breaches in which patient data was stolen. One of the largest thefts was the breach at the Mid-Michigan Physicians clinic, as reported by the US newspaper Desert Sun at the end of August. More than 100,000 patients may have been affected. Not many details of this attack were known. This was not the case, however, for the US care service MJHS Home Care, where a phishing attack yielded 28,000 patient files.
Dangerous medical devices
As inter-connectivity spreads, hospitals are also integrating more and more medical equipment and appliances into their networks. Often they can also be accessed unintentionally by the internet as a result. Yet manufacturers do not appear to have anticipated this, or at any rate, are failing to pay sufficient attention to security, even in the case of equipment which is a matter of life and death. IT security researchers have recently discovered no less than 8 security breaches in syringe pumps, known as perfusors, for delivering medicines intravenously. This equipment is used in particularly sensitive medical areas e.g. after major operations. They allow medicines to be dosed with very high precision, which is absolutely necessary, for example, following heart surgery. Even the slightest overdose could often be fatal.
And this incident is not unique. Shortly before, the US Food and Drug Administration (FDA) had recalled just short of half a million pacemakers. In this case too, security researchers had discovered massive problems. Cyber attackers could change the settings of the implants, so that the batteries would drain sooner, or they could even change the heartbeat, which could lead to acute danger for patients. Six different models from US manufacturer Abbott, formerly St. Jude Medical, are affected. The unauthorized interventions can however only be done from the immediate vicinity. The good news is that the problems can be rectified from outside via a firmware update. However, the security researchers had also found problems with four other manufacturers.
Especially in the case of medical equipment it is clear that not every component should be accessible in the internet. There's no doubt that it is not easy for hospitals to integrate these devices into their networks so that alerts and maintenance can be done remotely, but without at the same time exposing them to risks from the web. But at least in Germany, hospitals and other health providers will in future be monitored more closely, because in the meantime they count as critical infrastructure and so will be subject to the stringent provisions of the German IT Security Act. At the latest then, cyber security will be right at the top of the agenda.
You will also find news about all aspects of it-sa and the IT security environment in the it-sa Security Newsletter.