If you scan the news headlines, you might be forgiven for thinking that the biggest target of online attackers is financial institutions. Cyber attacks aimed at banks typically gain a lot of press coverage, because everybody likes to think that their money is safe. In reality, though, hospitals and other healthcare providers are perhaps the biggest targets for malicious hackers. More than 25 percent of all data breaches that occur in a given year affect hospitals and healthcare facilities, and in 2019 more than 25 million patient records have been affected. There are a few reasons for that, and in this article we’ll explain why hospitals are such a target, what kinds of attacks hospitals are exposed to, and what they can do about it.

Why Do Black Hat Hackers Target Hospitals?

There are a few key reasons why malicious hackers target hospitals. The most obvious reason is that healthcare data is in huge demand on the black market. It can be easily sold over the dark web, and in some cases, even back to the hospital that it was stolen from. Essentially, online attackers can make money from either selling data off or blackmailing the companies it was stolen from.

In some cases, black hat hackers target hospitals in order to steal information on high-profile clients. Back in 2017, online attackers got into the network of a leading plastic surgery clinic in London. In a high-profile case, they stole information that included data on several celebrity clients. That information contained pictures, medical records, addresses, and even sensitive financial data.

The other major reason why cyber attackers target hospitals is that the healthcare sector is really bad at protecting data. In the context of an economy-wide cybersecurity skills gap, few healthcare providers can afford to employ staff with the requisite skills. This is the same reason why hackers are targeting city governments: both local governments and local hospitals still don’t know what they are doing when it comes to cybersecurity.

This issue has become particularly acute recently because many hospitals have embraced new technologies without being aware of their security implications. Many aren’t making use of strong cloud security protocols, and in many cases, their choice of hosting or server architecture is made on price rather than with patient security in mind.

Finally, hospitals have been quick to adopt Internet of Things (IoT) devices for monitoring patients and managing their health. Unfortunately, the security of the IoT is a major concern among security professionals, and the link between web security and IoT security is still poorly understood in many sectors, including healthcare.

Hospital Data Breaches

There are a few different types of attacks that hospitals are exposed to. In almost all cases, black hat hackers aim to steal sensitive medical records, but the methods they use for doing this are varied.

Unlike some other sectors (such as financial services), social engineering hacks are a primary attack vector for hospitals. This type of attack can involve phishing emails, or a malicious hacker impersonating an IT maintenance worker. By doing this, they can con healthcare workers – who are not so canny when it comes to cybersecurity and, in any case, have more important things to worry about – into giving them access credentials.

A second method for attacking hospitals is a brute force attack, in which online attackers deploy specialized software that can try thousands of passwords a second until it comes up with the right one. This was the approach used in The Hacking Hospitals report, which was released back in 2016. During this study, cybersecurity specialists were hired to penetrate the networks of 12 medical establishments in the US and two medical data centers. They succeeded in doing so to a worrying degree.
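Brute force attempts of the kind described above are noisy: they show up in login logs as a burst of failures from one source, sometimes followed by a success. The detector below is an added example (not from the original article or the report it cites); the log format, the service name `portal-auth` and the sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines for a hypothetical portal login service;
# the format is an assumption, not any vendor's real log format.
SAMPLE_LOG = """\
2019-10-01T08:00:01 portal-auth FAIL user=jsmith src=203.0.113.7
2019-10-01T08:00:01 portal-auth FAIL user=jsmith src=203.0.113.7
2019-10-01T08:00:02 portal-auth FAIL user=jsmith src=203.0.113.7
2019-10-01T08:00:02 portal-auth FAIL user=jsmith src=203.0.113.7
2019-10-01T08:00:03 portal-auth FAIL user=jsmith src=203.0.113.7
2019-10-01T08:00:03 portal-auth OK user=jsmith src=203.0.113.7
2019-10-01T08:05:00 portal-auth FAIL user=akhan src=198.51.100.9
2019-10-01T08:20:00 portal-auth FAIL user=akhan src=198.51.100.9
2019-10-01T08:20:30 portal-auth OK user=akhan src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) portal-auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside a sliding window.

    Returns {src: {"failures": n, "users": k, "success_after": bool}}.
    A success right after a burst of failures is the strongest signal that
    a password was actually guessed rather than merely attempted; "users"
    distinguishes one account being hammered from many accounts being tried."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                # skip lines that do not match the format
        ts, src = datetime.fromisoformat(m["ts"]), m["src"]
        window = recent[src]
        if m["result"] == "FAIL":
            window.append((ts, m["user"]))
            # Drop failures older than the window so a slow trickle of
            # ordinary typos (akhan above) is not reported as an attack.
            while ts - window[0][0] > timedelta(seconds=window_seconds):
                window.popleft()
            if len(window) >= threshold:
                entry = flagged.setdefault(src, {"success_after": False})
                entry["failures"] = len(window)
                entry["users"] = len({u for _, u in window})
        elif src in flagged:
            flagged[src]["success_after"] = True
    return flagged
```

Run against the sample, only `203.0.113.7` is reported, with five failures against one account and a success afterwards; the two spaced-out failures from `198.51.100.9` fall outside the window and are ignored.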

A third attack method is to intercept patient data as it is sent between healthcare workers, between parts of a hospital’s network, or between sites. Hospitals are getting better at encrypting and protecting data when it is at rest, that is, while it is stored on a server. But many staff don’t follow a basic computer security checklist or SOP to encrypt this information when it is being sent across hospital networks or when they are working remotely. Failing to do so opens the door to network vulnerabilities.

Finally, there are web attacks, which hospitals are no more immune to than any other company. In fact, many hospitals and other healthcare providers have tried to make their services more accessible by giving patients direct access to booking databases via web portals. Unfortunately, these portals can be susceptible to common forms of web-based attacks like SQL injection, unless they are properly secured.
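The SQL injection risk in a booking portal comes down to how the lookup query is built. The example below is added here and is not code from the original article or from any real portal: it uses an in-memory SQLite table with constructed appointment rows, shows the vulnerable string-building pattern that a scanner or code review should flag, and beside it the two defensive layers (a bound parameter, plus an allow-list check on the patient ID format).

```python
import re
import sqlite3

# Hypothetical ID format for the demo; a real portal would use its own rule.
PATIENT_ID_RE = re.compile(r"^P-\d{4}$")


def make_demo_db():
    """In-memory table with constructed rows standing in for a booking database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE appointments (patient_id TEXT, clinic TEXT, slot TEXT)")
    conn.executemany("INSERT INTO appointments VALUES (?, ?, ?)", [
        ("P-1001", "cardiology", "2019-11-04 09:00"),
        ("P-1002", "oncology", "2019-11-04 09:30"),
        ("P-1003", "dermatology", "2019-11-05 14:00"),
    ])
    return conn


def lookup_unsafe(conn, patient_id):
    """Vulnerable pattern: user input is pasted into the SQL text, so the
    database cannot distinguish the value from the query structure."""
    sql = ("SELECT patient_id, clinic, slot FROM appointments "
           "WHERE patient_id = '%s'" % patient_id)
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, patient_id):
    """Hardened pattern: a bound parameter is always treated as a value,
    never as SQL, whatever characters it contains."""
    sql = "SELECT patient_id, clinic, slot FROM appointments WHERE patient_id = ?"
    return conn.execute(sql, (patient_id,)).fetchall()


def lookup_safe(conn, patient_id):
    """Defence in depth: reject anything that is not shaped like a patient ID
    before it reaches the database, then use the parameterized query."""
    if not PATIENT_ID_RE.match(patient_id):
        raise ValueError("invalid patient id")
    return lookup_parameterized(conn, patient_id)
```

With a well-formed ID all three functions return the same single row; with a malformed value the unsafe version leaks every appointment in the table, the parameterized version returns nothing, and the validating version refuses the request outright.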

Best Practices For Hospital and Patient Security

The best security practices for hospitals stem directly from the different types of attacks that they are exposed to.

  • First and foremost, both healthcare professionals and patients need to be made more aware of the risks they face from social hacks. Spotting phishing emails should be part of every healthcare worker’s basic training, as should the ability to spot suspicious-looking “IT guys”.
  • Secondly, hospitals also need to implement fully featured vulnerability detection software like the Acunetix web security scanner. Software like this can detect vulnerabilities before they lead to patient data being compromised and can allow weaknesses in a hospital’s system to be fixed before they become a problem.
  • Finally, it’s important that internal communications between staff are secured using a high-security VPN. This ensures that data is encrypted as it moves around the hospital’s network. That way, even if it is intercepted, it’s extremely difficult to ascertain the contents of the data. This renders the information useless for either blackmail or re-selling.

A Holistic Approach

At the broadest level, ensuring the security of hospitals is about integrating security measures into every aspect of the business cycle. The adoption of new technologies in the healthcare sector – whether cloud storage or IoT solutions – is to be welcomed if it leads to better patient outcomes. But hospital managers need to be aware that each new technology brings new risks.

In short, cybersecurity (for hospitals or any other organization) is more of a process than an event. While the current statistics on the number of records stolen from hospitals are certainly worrying, raised awareness of this issue and a sustained program of hardening security could lead to better outcomes in the future.

Samuel Bocetta
Retired Research Engineer and Freelance Journalist
Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography. He currently works as a part-time cybersecurity coordinator.