
Malware intrusions at hospitals: Why so many?

A growing number of hospitals have not been having a good start to spring. Kentucky’s Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, both in California, and now San Diego’s Alvarado Hospital Medical Center and King’s Daughters Health in Indiana are just a few of the institutions that have been hit by ransomware — software that freezes computer systems until money is paid to infiltrators.

All of the hospitals experienced some form of temporary network disruption. Some, like Hollywood Presbyterian Medical Center, even paid the ransom.

The malware intrusions will keep mounting until hospitals — the target du jour for crime circles — re-evaluate how they build their cyberdefenses, said Chris Ensey, COO of Dunbar Security Solutions.

“I do believe that we are on the cusp of a larger spread of this type of activity,” Ensey said.

Financial health for hackers

But why hospitals? And why now? Simple, Ensey said. It’s a quest for more revenue.

“What we’re seeing is the macroevolution of ransomware and the tactics that are being used by organized crime to continue to expand the revenue generated from ransomware,” Ensey said. “The most productive way to do that is by targeted campaigns.”

Hackers started, he said, by sending the malicious software to “a big list of email addresses” in an effort to hook as many people as possible. The hope was they’d get into a few computers, hijack the data on them and make money off each catch.

That evolved into spear phishing — similar phony-email schemes but customized for specific organizations. Hospitals use technologies that help them meet requirements set by the healthcare privacy law HIPAA and other mandates, and those are usually fine, Ensey said. Antivirus software and packet filtering as part of firewall protection “catch the common stuff.” But cybercriminals have gotten good at finding ways to burrow into systems. Hospitals, in turn, have to get better at keeping them out, he said.

Guarding against malware intrusions

You may recognize the name Dunbar from the armored cars that banks and other businesses hire to transport large sums of cash. It also sells managed security services, so, of course, Ensey stands by those. His pitch: Hospitals can focus on their healthcare infrastructure while Dunbar constantly monitors for attacks. His general-purpose advice for hospitals is to keep pace with the technologies used to hack them.

A “very, very comprehensive backup strategy for their data” is a good start. Using automated backups is a solid strategy; so is the more expensive measure of highly secured colocation facilities to which hospitals can send their data over encrypted channels and replicate it.

Hospitals should also take another look at how they set up employee work stations with access to the Internet, since those can serve as portals for ransomware that can hold healthcare data hostage, Ensey said. Email can be a conduit for malware intrusions, and so can malvertisements — online ads that proliferate malicious software.

And healthcare institutions not only need a CISO in charge of cybersecurity, Ensey said — that executive needs to have “a seat at the table” — the business strategy table, that is. The CISO should have close ties to the CIO, the chief medical officer and the risk management team.

“Being part of those conversations is absolutely paramount to every decision that they make,” he said.

Join the conversation



Considering that hospitals are carrying out health saving and life-saving work, attacking and disabling hospitals (even if only for a short time), should be classed as attempted mass murder, and should be dealt with accordingly by the justice system.

The same should be done with attacks against defence and military targets.

Hopefully after the first few life sentences dished out to some of the perpetrators, the others may decide that at least some organisations, such as the ones mentioned above, should really be left alone.

This is not to say that I condone attacks on other organisations or individuals, which should also be punished vigorously, but in the greater scheme of things I think these organisations should not be touched ever.

It goes without saying that these organisations should really look more seriously into their IT security, with those who through neglect or corruption make such attacks possible and successful, should also be dealt with according to harsher laws and punishments.

It is a grave oversight to omit the subject of security awareness since over 90% of attacks come from email phishing attacks. Employees should be well trained and IT use simulated phishing platforms like KnowBe4 to isolate the phish prone and keep users aware with security top of mind.

I agree that hospitals should take another look at how employee work stations are set up and educate employees on possible red flags:

I have spent a lot of time in hospitals, personally and because of family members. It amazes me how the staff sometimes leaves devices unattended. It seems it would be easy to inject something into their system undetected. This will only get worse in my opinion if wearables and the IoT become more widespread.