In 2017, ransomware and SaaS challenges will persist in healthcare
2016 was the year of ransomware in cybersecurity, and it was especially impactful in healthcare. For this post, I’ve laid out a few predictions about the type of threats that the healthcare industry will face in 2017. Also, I’ve organized my predictions into “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.
1. Ransomware will continue to target healthcare
I suppose this is an obvious one. Many hospitals were impacted by ransomware this past year. Hospitals in California, Indiana and Kentucky were hit especially hard by ransomware variants that target servers, as opposed to user PCs. A hospital in Washington was impacted to the point where it had to redirect patients to other facilities in order to maintain adequate quality of care.
The bad guys have turned to ransomware as their go-to choice of attack because the Bitcoin payments are anonymous and, as a business model, it is an effective way to get paid without getting caught by the police. They target healthcare because the attack vector for the highly effective SAMSA ransomware variant is through unpatched JBOSS application servers in the DMZ (the internet-facing area of a network). Hospitals that have many of these servers and are being successfully exploited in increasing numbers.
With any luck, the word has been spread well enough to healthcare organizations so that JBOSS vulnerabilities have been patched or at least mitigated. However, we haven’t seen the last of this trend. Ransomware will continue to target healthcare throughout 2017 through the standard areas of attack: web-based drive-by downloads, malicious email attachments or links, and unpatched servers in the DMZ.
2. Accidental oversharing in SaaS apps will increase, resulting in losses of patient data
Medical staff love to use cloud file-sharing SaaS apps, like Box, Dropbox and Google Drive, because they fill a gap in many healthcare organizations: easy file sharing. The problem with the public versions of these services is that it’s up to the user to control who has access to the files, and it’s quite easy to accidentally configure a file containing protected health information (PHI) to be shared with the entire internet public. Enterprise versions of Box, for example, enable administrators the ability to restrict public access, but many healthcare organizations don’t block the free versions.
Until healthcare organizations provide a sanctioned method for file sharing, both within and external to their organizations, and proactively block unsanctioned file-sharing websites, we are likely to see losses of patient data because of accidental oversharing.
3. Threat intelligence will improve healthcare SecOps and introduce more automation
Historically, threat intelligence processes in healthcare have looked something like this: Threat feeds (if any) are transmitted as emails into security team email boxes and then manually reviewed and processed. Then, once reviewed, the security team member opens a ticket with the network team to take action. That’s quite a slow, manual and time-consuming process.
Threat intelligence is especially important in the healthcare industry, given that the bad guys frequently target them. In 2017, healthcare organizations will begin to take advantage of more advanced threat-sharing capabilities available in the security market today. These types of capabilities enable highly reliable and automated action (such as blocking bad domains, IPs and malware on the network) with little-to-no human review required.
1. A cyberattack on a medical device will cause the first confirmed injury to a patient
Many medical devices used in medical facilities today lack basic security. Often, medical devices lack endpoint protection, and regular patching, functioning on outdated operating systems, like Windows XP. For these reasons, they are prime targets for malware and cyberattacks.
There has been only one confirmed FDA order to pull a specific medical device out of hospitals. I believe the reason we have only seen one is because of insufficient research on and awareness of the problem. There hasn’t been much research because medical devices are expensive, and there is no financial incentive to perform the sort of security research required to find and fix medical device vulnerabilities.
Attackers motivated by money have used ransomware because of the quick payout and anonymity, but there’s a type of attacker who is in the “I did it because I could” crowd. These adversaries hack for fun. To date there have been no confirmed cases of physical harm to patients because of a cyber attack on a medical device, but I believe that it’s only a matter of time before a bad actor takes advantage of the most vulnerable area of hospital networks – medical devices – and wants to make a statement.
What are your cybersecurity predictions for the healthcare industry?