Guest Column | May 26, 2016

How Hospitals Are Getting Hacked And How To Prevent It From Happening To You

Steve Manzuik, Director of Security Research, Duo Security

By Steve Manzuik, Director of Security Research, Duo Security

Many of you have likely heard the term ransomware begin to pop up in conversation or news reports. For those unfamiliar, ransomware is not a method of hacking, but instead a malicious malware attack that renders systems and data unusable to the victim until they pay a ransom. It’s hacking monetized.

Hospitals have recently become a ransomware target in the U.S. and abroad. A hospital in Kentucky was under one such cyberattack where patients’ files were copied and locked, with the originals deleted. The hacker requested a ransom be paid by the hospital in Bitcoin, otherwise they would lose the patient data. The hospital did pay the ransom.

It should be noted each time a hacker successfully gets a ransom payment from a hospital, it proves hackers can make significant funds by replicating these hacks on other hospitals. While this hospital was acting in a way they thought was the only way to protect patient data, it cued hackers to attempt copycat attacks against other hospitals. Prevention is key in the case of cybersecurity as much as it is with personal health.

Healthcare systems have become increasingly more vulnerable than other industries as of late. The cybersecurity experts at Duo Labs analyzed data from over one million users in the healthcare industry and compared it to users across all other industries including finance, legal, government, retail, technology, and more. The data suggests healthcare employees are logging into twice as many applications as the average user, broadening the ability for an attack. In addition, most hospital systems have a large amount of shared workstations and shared passwords used by many different employees, something not regularly seen in other industries.

Here are three of the biggest cybersecurity challenges hospitals are facing today and what healthcare organizations can do to help prevent attacks:

  • Outdated Flash And Java

On average, there are three times as many healthcare users with Java installed on their devices and two times as many healthcare customers with Flash installed compared with other industries. While these programs may be needed for EHRs and e-prescriptions, outdated versions of this software have vulnerabilities hackers know are easy to exploit. It’s the equivalent to leaving your front door unlocked — attackers will go after the easiest target that will potentially get them a reward or ransom. The best way to avoid these vulnerabilities is to keep Flash, Java, and other software up-to-date and patched, and apply patches as soon as they’re available from vendors.

  • Outdated Browsers

Internet Explorer (IE) is the most popular browser for hospitals compared to Google Chrome for users outside of healthcare. Of those healthcare users, 22 percent are using outdated browsers including IE 8, 9, and 10. Not only are these browsers outdated, but Microsoft announced it would no longer provide security patches and updates to IE versions below 10 this past January. That means more security vulnerabilities will be publicized but will remain unpatched and open to exploitation. It’s important to keep all internet browsers up-to-date to avoid any possible vulnerabilities. It is recommended, if at all possible, to switch to a browser like Google Chrome, which receives automatic updates and patches.

  • Outdated Operating Systems And Devices

Healthcare systems are overwhelmingly running the Windows operating system but only 10 percent of healthcare customers are using the latest version. Surprisingly, some healthcare providers are still running on Windows XP. Windows XP is now more than 15 years old and Microsoft stopped supporting it two years ago, which means updates and patches to protect against known vulnerabilities is no longer happening for those users. To note, the most widely used operating system in healthcare is Windows 7 and it has more than 500 known vulnerabilities. Hackers can easily exploit flaws in an outdated operating system to gain unauthorized access to your network and then attempt to lock down your systems until you pay a ransom fee.

While these findings may seem daunting, there are steps you can take to protect yourself before an attack happens. In addition to keeping operating systems, browsers, and applications completely up-to-date, it’s important to enable strong access security controls, such as:

  • Make sure the devices on your networks are up to date. With employees bringing their personal devices everywhere, IT administrators need know those devices are just as secure as their managed devices. If even one personal device brought into the network is out of date or rooted/jailbroken, it can leave known vulnerabilities open to hackers.
  • Use stronger passwords. Speak to your employees and stakeholders about using strong, unique passwords. The most popular password in the world remains 123456, proving the point passwords are easily guessed and bypassed. Instead, use a password manager like Lastpass that automates the generation of complex passwords and stores them so memorization is no longer an issue.
  • Use two-factor authentication. A hacker may steal your passwords, but it’s nearly impossible to steal those and your smartphone or token at the same time.
  • Don’t click on links or open attachments from untrusted or suspicious sources. In addition, don’t download or open .zip attachments in spam emails and report them to your IT department immediately to help contain the issue.
  • Regularly backup important files. Keep these backups on media that is physically disconnected from your local system such as the cloud or an external drive. Don’t keep important data on the local drive. Also, encrypt patient data while in transit or in storage, and never transmit patient data over public networks.

These basic approaches to security hygiene will help minimize ransomware and other network threats in your hospital. For more information on information security basics in healthcare read here.

About The Author

Steve Manzuik is Director of Security Research at Duo Security.