
Hackers will target hospitals at unprecedented level in 2017

With Bitcoin allowing attackers to stay anonymous, and a bull's-eye painted over the industry, time to get prepared is running out, group says.

Tom Sullivan, Editor-in-Chief, Healthcare IT News

Global spending on cybersecurity in healthcare is set to surpass $65 billion by 2021 but the real problem isn't how much healthcare organizations spend -- it's how much they don't, according to new research from the Herjavec Group published Thursday.

That's because ransomware and other cybercriminal attacks are going to get a lot worse before they get any better, said Matt Anthony, vice president of incident response at the Herjavec Group.

"In 2017 healthcare providers are the bull's-eye for hackers," Herjavec Group wrote.

Bitcoin, in fact, has enabled and encouraged criminals to pursue ransomware attacks, Anthony said.


"Bitcoin is the engine for cybercriminality, and as long as there is an anonymous way for criminals to get paid, it's not going to get better anytime soon," he said. "It's a winning combination for organized crime – not necessarily Italians in smart suits and fedoras, either. There are large organized communities in China and Russia."

Anthony explained that the convergence of vulnerable legacy hardware and software systems and the emergence of connected health, Internet of Things devices that are not always built with security in mind, and the super-identity criminals can steal, all make healthcare more attractive to hackers than any other sector.

And the motivation for hospitals to pony up after a ransomware attack is acute since they are often unprepared, underfunded, bogged down by legacy systems and, most important, really need the data cybercriminals just encrypted.

"Hospitals will pay, they'll pay fast and they'll pay what it takes to get data back," Anthony said. "We ask people not to pay but sometimes there's no alternative in healthcare."


Herjavec's report also projected that ransomware damages will reach $1 billion.

Another significant problem is that even healthcare organizations with a data backup strategy in place either lack an effective plan to restore that data in a useable fashion or do not bother to test backup and restore at least twice a year, Anthony said.

"If they've never faced a bad attack, hospitals might be complacent about testing restore technology," he said.

Anthony said that access management tools and practices are starting to improve, governance teams are taking a sharper look at security than they did before and hospital IT departments are increasingly turning to cloud services for proactive monitoring, log aggregation and alerting, but they need to get better at all of those more quickly than they currently are.

This article first appeared in Healthcare IT News.
