Why hackers love the healthcare sector

Hacking hospitals is a lucrative business. A complete personal file, with insurance number, address, social security number and name, is worth 50 to 500 dollars on the online black markets. Far more than a single creditcard number. Those are sold for less than 15 cents apiece. While a full patient record provides the hacker with lots of information and possibilities.

Sometimes medical information is offered for sale to the hospital it was stolen from. In that case hackers hold data hostage with so called ‘ransomware’. Until the ransom was paid, no one could access the patients files. In 2017 the malware attack Wannacry hit the British healthcare sector hard. The attack led to disruption in 34% of trusts in England, with thousands of appointments and operations cancelled. It was the biggest ever cyber-attack on the National Health Service in Great Britain.

There is no sector in the world that handles so much personal data as the healthcare industry. Not only doctors, but nurses, insurance companies, pharmacists, other professionals in health care and trusted third parties need access to your personal files in order to provide the best care. In healthcare, acting fast can make the difference between life and death. So in case of an emergency, no doctor has time to access your data with a password of at least 8 different characters and multi factor authentication.

With tons of people accessing personal information and limited security, it’s almost as healthcare facilities are sitting ducks when it comes to cyberattacks. That’s not entirely true. The sector has made huge steps forward compared to other sectors when it comes to cyber security. But despite mayor investments in antivirus software, advanced network security and overall better cyber security, breaches still happen. And for that humans are only partially to blame. Medical staff is trained to recognize a disease, not the next malware attack. So another protocol on how to handle phishing e-mails or ransomware is another load on their plate.

It’s not all about human failure. Another vulnerable aspect of healthcare is medical equipment. The Internet of Things is growing with every MRI scanner and IV. It makes data easy to reach from every device, but leaves this kind of data also easy to expose by hackers. More often than not, medical equipment runs on outdated software and standard passwords. With intensive use of medical devices, it’s hard to find time to run software patches. Imagine the hospital network administrator updating the MRI-scanner leaving it out of business for a couple of hours. Precious time that could have been used otherwise.

Then what can be done to prevent more personal data leaking into the deep web? Every organization, whether public or private, large or small, has to manage data and other information. If you want to manage information security risks, ISO 27001 can help, also in healthcare industry. By setting out the requirements for an information security management system, it helps you ensure your information is protected. Read more on ISO 27001 certification by Kiwa.

NEN 7510 certification is important for any organization in the Netherlands that works with healthcare information, including suppliers. Read more on NEN 7510 certification by Kiwa.