Hackers will target medical devices for cyber extortion next year, taking advantage of the rise of virtual currencies and the number of victims who are willing to pay to regain access to their data, a new research report warns.
Consumer-generated health data hold value for patients as well as healthcare providers, insurers, public health researchers and policy makers — from GPS-enabled asthma inhalers to wearable tech-tattoos that monitor vital functions. Cybercriminals also see value in the data, according to Predictions 2016: Cybersecurity Swings to Prevention by Forrester Research.
A partial electronic health record sells on the black market for roughly $50, and health credentials sell for $10 each, many more times the value of a credit card number, the report says. Health information is not only the target of theft, but also extortion, as cybercriminals seek to gain access to the data and demand ransom.
To protect data, the report advises facilities take the following steps:
Experts Weigh In
Cybersecurity expert Billy Rios says he believes that attacks against devices will occur in the near future.
“Given the mass adoption of devices, there is now incentive for attacking these devices. Also, the poor security associated with these devices makes it so attackers can actually pull off brazen attacks like ransomware,” he tells IDDM.
Ken Hoyme, distinguished scientist with Adventium Labs, says it’s possible that these new vectors will be applied in the healthcare space — and potentially in the next year — although he wouldn’t expect it to begin with implantable devices or wearables.
For data theft, attackers want to get into an organization and remain undetected for a long period of time so they can obtain a lot of data. Many devices are poor targets as they are rarely connected to networks, or may be on/off at random intervals. Better candidates would be large machines like MRIs, CAT scanners, or equipment in blood lab — systems that directly interact with the electronic health record, he says.
“The other risk to devices in the data theft category is being a ‘pivot’ to insert malware into other systems on the hospital,” Hoyme says. “If a poorly patched/maintained medical device can be breached, it may be used as an attack vector to place monitoring malware on better secured systems inside the hospital, if those systems place trust in the medical device because it is inside the hospital walls.”
In terms of devices that are hacked and unlocked, they may have adulterated software and should not be used, says Hoyme. If a hacker demands a ransom to unlock MRI system or CAT scanner, facilities should take them off the network and reprogram them from scratch to remove the ransomware and be assured that the device was unadulterated.
Still, as Hoyme points out, there are many uncertainties. “Predicting the future when it comes to cybersecurity is mostly guesswork,” he tells IDDM. “You are trying to put an estimate on something that involves human behavior and motivation. Predicting which sector and which vector may be used is always easier in hindsight than foresight.” — Jonathon Shacat