A lack of knowledge, money, and security expertise is exposing the healthcare sector to further attacks

Healthcare security was on the agenda at the AppSec Europe 2018 conference last week, as poor practices continue to threaten patients’ health and data.

Cybercriminals persist in attacking the healthcare sector on a regular basis, stealing data, crashing entire systems, and generally putting fear into the heads of medical staff ill-trained in security.

This is a reality that Jelena Milosevich knows all too well, she told the audience in London on Friday.

Milosevich is a paediatrician and intensive care nurse who became interested in cybersecurity when she noticed a lack of it in her workplace.

She now works to encourage better security practices within hospitals around the world in the hopes of avoiding large-scale attacks, such as last year’s WannaCry ransomware incident.

And Milosevich agreed that healthcare is perceived as “low-hanging fruit” – a view many security analysts have voiced in the past.

Milosevich said: “Hospitals store medical records, they have insurance information, they have also payment information, so why would you go to different places to find all this information when you can have just the medical records and find it all there?

“Everyone goes to the hospital, not just patients or family, but visitors or people who want to donate to the hospital, and people who work there.”

One of the main reasons cyber-attacks are so successful is that medical staff aren’t trained in security awareness, and often don’t view it as their responsibility.

Milosevich said: “People who are medically educated, most of the time they don’t want to know anything about technology.

“They think the IT department is also the security department.

“But when I talk with medical people and tell them what can happen they’re really scared.

“What I want is for a movement, so that medical people are saying, ‘I want change and I don’t want to work in an insecure environment’.”

Growing threat

A study by McAfee Threat Labs revealed that cyber-attacks rose by 211% within the healthcare industry in 2017 alone.

There are currently around 348 cyber-attacks recorded around the world per minute – a worrying trend, given the devastation caused by WannaCry last year.

Another concern is institutes being so reliant on their data that they pay the ransom to have it decrypted.

McAfee chief scientist Raj Samani told The Daily Swig: “It’s perceived as low-hanging fruit, so they do that because sadly what happens is when people pay they continue to do this.

“Criminals will only go after something if there’s a return on investment, if they can make money out of it.”

While poor security awareness is one factor contributing to these statistics, machines running out-of-date systems – often Windows XP – and a general lack of concern towards patching can also hinder hospitals.

Security analyst Xavier Mertens, speaking together with Milosevich, claimed that hospitals can take control of their systems without breaking already-tight budgets, if they simply patch any flaws.

He said: “The UK was really, really hit by WannaCry last year and to prevent something like WannaCry again you don’t need a lot of budget because patches were available for months.

“So you didn’t need to buy new nice appliances [but] why the hell would you expose SMB (Server Message Block) servers on the wild?

“You don’t need a lot of money to prevent against attacks.”