Hospitals and medical clinics appear to be the biggest target of cyber criminal activity over the last year. According to a study done by Health and Human Services, more than 113 million medical records were stolen in 2015. A different report from the Institute for Critical Infrastructure Technology found that 47% of Americans have had their medical records breached in the past 12 months.
And why are those records so sought after? Money, of course. Medical records are currently going for around $60 apiece on the dark web. Is that high, you ask? In comparison to stolen credit card data, which is sold for $3 per record, yes, those records are deemed very valuable to cyber criminals.
Why are Hospitals Such a Valuable and Easy Target?
Large hospitals like Hollywood Presbyterian Medical Center, which paid $17,000 in ransom for encrypted data after being hit with the Locky virus in February of this year, have thousands and thousands of up-to-date patient records. These records include an incredible amount of sensitive data: Social Security number, address, date of birth, drug history and more. They contain far more valuable information than one’s credit history, which increases their value on the dark web.
Not only are these hospitals a desirable target due to the amount of information they hold, but they are also among the easiest targets to infiltrate. It may appear that hospitals are very financially successful operations, but that is not always the case. With the incredibly high cost of operations, the large number of staff required, and the extremely high salaries required for top surgeons and doctors, upgrading old software and security measures often takes a back seat on the list of priorities.
What Can Hospitals Do to Better Protect Themselves?
The first step for any business looking for a tighter security solution is proper training for employees. Employees are our first line of defense. Without proper training, it does not matter what defenses we use; the bad guys will get in. For an in-depth look at how to train your employees on cybersecurity, please follow the link here.
Whitelisting is always a possibility, but it is met with great pushback from users. Whitelisting entails scanning all machines, noting all necessary applications, and disallowing any further executables to run. While a good plan in theory, in a hospital atmosphere with thousands of machines, it can be a daunting task for any IT team. Then what is the policy when a doctor wants to add a new application? How do you upgrade each machine? The reality of this solution is that it would probably cause quite a bit of a headache, not to mention a disgruntled staff.
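The workflow described above, sketched as an added example (not code from the original article): a baseline scan builds a per-machine allowlist, anything else is denied by default, and both a doctor's new application and a routine upgrade are blocked until IT approves them. Identifying applications by SHA-256 hash is an assumption, and the machine names, file contents and function names are hypothetical.

```python
import hashlib

def digest(content: bytes) -> str:
    """SHA-256 of the file bytes: the allowlist keys on content, not file name."""
    return hashlib.sha256(content).hexdigest()

def build_allowlist(scans: dict) -> dict:
    """Baseline scan: map each approved hash to the machines it was found on."""
    allow = {}
    for machine, files in scans.items():
        for content in files.values():
            allow.setdefault(digest(content), set()).add(machine)
    return allow

def may_run(allow: dict, machine: str, content: bytes) -> bool:
    """Default deny: run only if this hash is approved for this machine."""
    return machine in allow.get(digest(content), set())

def approve(allow: dict, content: bytes, machines: set) -> None:
    """Change-control step: IT adds a reviewed binary for the named machines."""
    allow.setdefault(digest(content), set()).update(machines)

def rollout_gap(allow: dict, old: bytes, new: bytes) -> list:
    """Machines approved for `old` that will block `new` until it is approved."""
    return sorted(allow.get(digest(old), set()) - allow.get(digest(new), set()))

# Constructed sample data: short byte strings stand in for executable files.
SCANS = {
    "ward-pc-01": {"ehr.exe": b"ehr v1", "pacs.exe": b"pacs v3"},
    "ward-pc-02": {"ehr.exe": b"ehr v1"},
    "lab-pc-07": {"ehr.exe": b"ehr v1", "lis.exe": b"lis v2"},
}

def demo() -> dict:
    allow = build_allowlist(SCANS)
    out = {"baseline_app": may_run(allow, "ward-pc-02", b"ehr v1"),
           "unapproved_binary": may_run(allow, "ward-pc-02", b"unknown tool"),
           "new_app_before": may_run(allow, "ward-pc-01", b"dictation v1")}
    approve(allow, b"dictation v1", {"ward-pc-01"})  # one doctor's request
    out["new_app_after"] = may_run(allow, "ward-pc-01", b"dictation v1")
    out["new_app_elsewhere"] = may_run(allow, "ward-pc-02", b"dictation v1")
    out["upgrade_runs"] = may_run(allow, "ward-pc-01", b"ehr v2")
    out["machines_to_update"] = rollout_gap(allow, b"ehr v1", b"ehr v2")
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With three machines the upgrade already needs three approvals; the same gap across thousands of machines is the maintenance burden the paragraph describes.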
A good start that can be easily deployed on top of training should include antivirus, a firewall, patch management software and deception technology. It is important not only to put up a good preventative perimeter but also to have a strong protection plan that identifies the moment a threat is on your network.