
Why Are Hackers Increasingly Targeting the Healthcare Industry? (helpnetsecurity.com) 111

Slashdot reader Orome1 shares an article by Bitdefender's senior "e-threat analyst," warning about an increasing number of attacks on healthcare providers: In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example fraud or identity theft. This personal data often contains information regarding a patient's medical history, which could be used in targeted spear-phishing attacks...and hackers are able to access this data via network-connected medical devices, now standard in high-tech hospitals. This is opening up new possibilities for attackers to breach a hospital or a pharmaceutical company's perimeter defenses.

If a device is connected to the internet and left vulnerable to attack, an attacker could remotely connect to it and use it as a gateway for attacking network security... The majority of healthcare organizations have often been shown to fail basic security practices, such as disabling concurrent login to multiple devices, enforcing strong authentication and even isolating critical devices and medical data-storing servers from a direct internet connection.

The article suggests the possibility of attackers tampering with the equipment that dispenses prescription medications, in which case "it is likely that future cyber-attacks could lead to the loss of human life."
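The "basic security practices" the summary says are being failed are the kind of thing an auditor can check mechanically rather than argue about. As an added example, not code from the article or from Bitdefender, here is a small Python audit that replays a constructed authentication log to find accounts holding sessions on several devices at once, and walks a constructed device inventory to find medical devices and data servers sitting on addresses outside the organization's internal prefixes (that is, plausibly reachable from the internet). The log format, hostnames, roles, addresses and the list of internal prefixes are all assumptions made for the example.

```python
"""
Two of the "basic security practices" the summary says healthcare organizations
fail at, turned into checks over constructed sample data:

  1. concurrent logins: one account holding sessions on several devices at once
  2. isolation: a medical device or data server carrying an address outside the
     organization's internal prefixes, i.e. reachable directly from the internet

The log format, hostnames, addresses and roles below are all constructed for
this example and are not taken from any real hospital or vendor.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed authentication log: "<ISO-8601 time> <login|logout> user=<name> host=<device>"
SAMPLE_AUTH_LOG = """\
2016-06-25T09:00:00 login user=nurse01 host=ward-ws-01
2016-06-25T09:02:10 login user=nurse01 host=ward-ws-07
2016-06-25T09:05:00 logout user=nurse01 host=ward-ws-01
2016-06-25T09:10:00 login user=drlee host=mri-console
2016-06-25T09:30:00 logout user=drlee host=mri-console
2016-06-25T09:31:00 login user=drlee host=pharm-dispense-02
2016-06-25T09:40:00 login user=svc_backup host=ehr-db-01
2016-06-25T09:41:00 login user=svc_backup host=ehr-db-02
2016-06-25T09:42:00 login user=svc_backup host=ehr-db-03
"""

# Constructed inventory: (hostname, address, network role). The two addresses
# taken from the RFC 5737 / RFC 3849 documentation ranges stand in for
# anything that is not one of the organization's internal prefixes.
SAMPLE_INVENTORY = [
    ("ward-ws-01", "10.20.1.11", "clinical"),
    ("mri-console", "10.20.5.2", "medical-device"),
    ("pharm-dispense-02", "203.0.113.45", "medical-device"),
    ("ehr-db-01", "10.30.0.5", "data-server"),
    ("ehr-db-02", "2001:db8::5", "data-server"),
    ("web-portal", "198.51.100.7", "dmz"),
]

# Roles that the summary says should never sit on a direct internet connection.
ISOLATED_ROLES = {"medical-device", "data-server"}

# Address space the audit treats as internal: RFC 1918, IPv6 ULA, link-local, loopback.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "fc00::/7", "fe80::/10", "127.0.0.0/8", "::1/128",
)]


def parse_auth_log(text):
    """Parse the constructed log format into (time, event, user, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user_kv, host_kv = line.split()
        events.append((
            datetime.fromisoformat(ts),
            event,
            user_kv.split("=", 1)[1],
            host_kv.split("=", 1)[1],
        ))
    return events


def concurrent_logins(events, max_sessions=1):
    """Replay the log in time order, tracking which hosts each user is logged
    in to, and report users whose simultaneous-session count ever exceeded
    max_sessions: {user: peak number of concurrent hosts}."""
    active = defaultdict(set)
    peak = defaultdict(int)
    for _ts, event, user, host in sorted(events, key=lambda e: e[0]):
        if event == "login":
            active[user].add(host)
        elif event == "logout":
            active[user].discard(host)
        peak[user] = max(peak[user], len(active[user]))
    return {user: n for user, n in peak.items() if n > max_sessions}


def is_internal(addr):
    """True if addr falls inside one of INTERNAL_PREFIXES. A v4 address tested
    against a v6 prefix (or vice versa) simply fails the membership test."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def exposed_devices(inventory, isolated_roles=ISOLATED_ROLES):
    """Hostnames whose role should be isolated but whose address is outside the
    internal prefixes, in inventory order."""
    return [host for host, addr, role in inventory
            if role in isolated_roles and not is_internal(addr)]


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, n in concurrent_logins(events).items():
        print(f"concurrent sessions: {user} reached {n} devices at once")
    for host in exposed_devices(SAMPLE_INVENTORY):
        print(f"direct internet exposure: {host} should be on an isolated segment")
```

On the constructed data the replay flags nurse01 (two workstations at once) and the svc_backup account (three database servers), while drlee logs out of the MRI console before logging in elsewhere and is not reported. The inventory walk flags the dispensing cabinet and one EHR database, and ignores the web portal because a DMZ host is expected to be reachable. The prefix list, not Python's `is_global`, decides what counts as internal, so the documentation-range addresses in the sample register as exposed.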

  • of course (Score:5, Insightful)

    by turkeydance ( 1266624 ) on Saturday June 25, 2016 @05:36PM (#52390243)
    that's where the money is today.
    • Re:of course (Score:5, Insightful)

      by Fire_Wraith ( 1460385 ) on Saturday June 25, 2016 @06:24PM (#52390411)
      It's a combination of three things, most of which have been touched on in various posts by others here:

      1: There's a lot of money in it.
      2: The healthcare industry can't afford downtime or failures, so they pay up quickly.
      3: Insurance covers a lot of it.
      4: Generally poor security practices make it easier, on top of all that (typical of an industry that hasn't been targeted a lot in the past, their security is focused on other things, to the extent they have it).

      So in summary, it's a relatively large/easy target, with lots of money, that can't afford downtime. The only surprising thing is that it took this long to become a target.
      • And by three, I mean four.

        You know what they say - there are only two hard things in computer science: cache invalidation, naming things, and off by one errors. ;)
      • by Archfeld ( 6757 )

        "...Then thou must count to three. Three shall be the number of the counting and the number of the counting shall be three. Four shalt thou not count, neither shalt thou count two, excepting that thou then proceedeth to three. Five is right out. Once the number three, being the number of the counting, be reached..."

      • You have a few more things.
        Integrated environment: nearly every system talks to the others. The Registration system talks to the Health Record System, which talks to the lab systems and back to the Health System and to the billing system... That is the simple workflow for an office visit. Normally your data is being passed to a dozen independent systems.
        Healthcare typically is about 10 years behind the times in technology; there is a lot of old equipment out there that slows down the others. The tight integrati

        • by dbIII ( 701233 )

          The politics in healthcare are tough, very hierarchical, often with MDs on top. IT without an MD on staff tends to be treated as uneducated staff, just the same as the people who work in the cafeteria.

          An insight into that attitude was demonstrated a few years ago on Slashdot with the stories about the doctor who collected other people's linux kernel patches getting into an argument with Linus Torvalds.

      • by TheCarp ( 96830 )

        > Generally poor security practices make it easier

        This. Something people don't get about hospitals.... they LOVE IT. They are IT adopters, big time. You don't hear about the tech they adopt, because they are too busy adopting it to tell you about it. They have one fucking goal: Healthcare, and they aim to meet it.

        When I worked in tech support for a hospital, I took tickets for desktop PCs sitting at bench that used to be used to solder core memory.

        Security was never their concern until very very late. Th

      • This is why Boris is backing this [facebook.com] new system.
      • by rrazian ( 107127 )

        HIPAA makes this easy--high liability. Relatively low skill=quick to pay off.

    • Actually, as the original article shows, the money seems to be in selling security services to hospitals. There's some general scaremongering about unnamed bogeymen targeting hospitals, and then a long discussion about how much you should be spending on security services, for example from Bitdefender, one of whose people wrote the article.
  • It's as simple as that. Hospitals, like (or due to) governments, often go for the cheapest option, where security is an afterthought. Once you are embedded with the cheapest vendor, you are locked in forever because the contract never demands open hardware or software, and thus once the install is done, the vendor disappears and the sub-par IT staff has no clue what to do to make anything work besides just opening the entire thing up.

    If you go with a big-name vendor and actually contract support for a device w

    • It's also because they hire like 1 or 2 guys to handle the entire IT department for a hospital, including associated doctors' offices. I applied at one and it was 2 guys to cover both the main campus and 12 satellite locations... How can 2 guys possibly deal with every issue that pops up in a given day and work on security and make sure every hole is patched? Worse, from what I saw the IT head was at the whim of the other department heads as to what software and services they needed to offer.

      • by Anonymous Coward

        It's also because they hire like 1 or 2 guys to handle the entire IT department for a hospital, including associated doctors' offices. I applied at one and it was 2 guys to cover both the main campus and 12 satellite locations... How can 2 guys possibly deal with every issue that pops up in a given day and work on security and make sure every hole is patched? Worse, from what I saw the IT head was at the whim of the other department heads as to what software and services they needed to offer.

        This!

        The real insidious problem here is that, above those two techs in the hierarchy, the decisions are being made by bean counters who have no technical competency. These organizations would do better to promote one of the 2 techs to being the designer or manager of the organization so that they can apply their experience to correcting and closing security holes, rather than the managerial raises being based on "I saved you x million dollars here so give me a raise!". If I had a nickel for every organization t

        • by Anonymous Coward

          It's also because they hire like 1 or 2 guys to handle the entire IT department for a hospital, including associated doctors' offices. I applied at one and it was 2 guys to cover both the main campus and 12 satellite locations... How can 2 guys possibly deal with every issue that pops up in a given day and work on security and make sure every hole is patched? Worse, from what I saw the IT head was at the whim of the other department heads as to what software and services they needed to offer.

          This!

          The real insidious problem here is that, above those two techs in the hierarchy, the decisions are being made by bean counters who have no technical competency. These organizations would do better to promote one of the 2 techs to being the designer or manager of the organization so that they can apply their experience to correcting and closing security holes, rather than the managerial raises being based on "I saved you x million dollars here so give me a raise!". If I had a nickel for every organization that I have worked for that was being run by someone with less than an associate's degree level of education in IT, I would have enough money to retire, twice!

          MOD THIS UP!
          In addition to this, I have noticed that tech in general are almost never promoted into management, despite the fact that they would be the absolute best qualified people to correct these problems. The management is usually someone with an MBA from some cheap college and no experience beyond that or god forbid someone with only a high school diploma. This has to change unless they want these problems to continue forever.

          • by Anonymous Coward

            Well no surprise that /. can't do so much as mod up the obvious answer to a simple problem. They have that in common with the people at the root of this problem in the industry, namely the hiring managers who keep NOT putting IT experts into management positions post haste in order to fix the gaping security holes in the medical industry! Seriously guys spend a mod point, mod this up and realize that the parent posters are right, we need IT experts in management who have a grasp of the problem and how to f

      • by encad ( 4448511 )

        It's also because they hire like 1 or 2 guys to handle the entire IT department for a hospital, including associated doctors' offices. I applied at one and it was 2 guys to cover both the main campus and 12 satellite locations... How can 2 guys possibly deal with every issue that pops up in a given day and work on security and make sure every hole is patched? Worse, from what I saw the IT head was at the whim of the other department heads as to what software and services they needed to offer.

        Most Companies for Medical Equipment should do that as well.
        The security measures on most, even permanently connected stuff, was abysmal. I am not an expert on IT Security, but there were enough glaring holes that even I could easily see them.

        Since a lot of this tech has become a common sight, security by obscurity won't work there as well as it did five years ago....

        Most hospitals here have quite extensive IT staff, still close to none in management. The reasons for that are really tough data protection laws and the poss

    • I was going to say "low hanging fruit."

      There's a lot of easy targets in healthcare, in part because so many hospital IT departments are so f-ing paranoid that they lock down their networks to a point of near dysfunctionality, especially in places like operating rooms. So, device makers, not wanting to add to the security frustrations, tend to rely a bit on that network paranoia and keep their device security relatively simple - who wants to be sent out to a customer site to help work through a security iss

    • Once you are embedded with the cheapest vendor, you are locked in forever because the contract never demands open hardware or software and thus once the install is done, the vendor disappears and the sub-par it staff has no clue what to do to make anything work besides just opening the entire thing up.

      That and they're buying equipment to be used for 10-20 years, and the computer systems of even 10 years ago were barely planned to be connected to a network, much less the internet.

      Meanwhile, the computer systems connected and integrated into such devices are considered medical equipment, and certification was on the basis of 'as installed', IE no patches, no upgrades. It's only in the last few years that the FDA changed this to that in order to remain certified that the computers need to be patched or kep

  • Because it's been shown that they will pay. From a fiduciary standpoint, it probably has the highest profit-to-effort ratio.
  • by PopeRatzo ( 965947 ) on Saturday June 25, 2016 @05:58PM (#52390321) Journal

    Why Are Hackers Increasingly Targeting the Healthcare Industry?

    Because they're horrible human beings. Real shitstains who would throw a puppy off a bridge for a quarter. Many are probably bedwetters. All sociopaths. May they die horrible deaths and then be forgotten.

    • To be fair, it was a quarter ounce of bud and no one liked that puppy anyway.
    • by GuB-42 ( 2483988 )

      It is not much more horrible to attack the healthcare industry than any other.
      Hackers aren't after human lives, it attracts too much attention and doesn't pay well.
      They are after your bank account, and emptying your bank account from a hospital is not worse than emptying it from an e-commerce site.

      The real evil here are all the people who legally exploit the system by overpricing essential drugs, equipment and services because the insurance will pay, insurance themselves for charging monster premiums for s

      • They are after your bank account, and emptying your bank account from a hospital is not worse than emptying it from an e-commerce site.

        Sure it is. They're going after the bank accounts of sick people.

        The real evil here are all the people who legally exploit the system by overpricing essential drugs, equipment and services because the insurance will pay, insurance themselves for charging monster premiums for said monster fees and paying only after being threatened by a lawyer, who is the final link of this

        • by DarkOx ( 621550 )

          So just to be clear, it's less OK to steal from some people than others. Does that spectrum run all the way to it being actually OK to steal from some people?

          If someone is healthy wealthy and strong enough, are others morally entitled to rip them off? If everyone ripped them off would they still be wealthy?

          I was taught it is wrong to take things that don't belong to you and are not freely given.

            So just to be clear, it's less OK to steal from some people than others. Does that spectrum run all the way to it being actually OK to steal from some people?

            Yes.

            http://screenrant.com/wp-conte... [screenrant.com]

            Seriously, though if you believe that stealing a loaf of bread to feed your family is the same as stealing the crutches of a crippled man, your parents taught you morals all wrong.

            • by DarkOx ( 621550 )

              No, that isn't the same. The reason is not that the baker or grocery store owner is some rich guy, though. The issue is your need and own desperation. A lot of usual mores go out the window when your survival is at stake. It's not normally ethical to use violence against someone, but if you are forced to defend yourself from violence it certainly is; same thing.

              So yes if you are stealing to prevent yourself and loved ones from starvation, fine you get some kind of a pass, providing you are only stealing what it tak

    • by vernonB ( 636207 )
      Although you gotta admit -- the scene from the TV show Homeland in which they assassinate a guy (who had it coming) by hacking his pacemaker was pretty cool.
  • Why did Somali pirates attack international shipping?

    Because it worked and shipping companies were paying their ransom. Likewise for hospitals. Hospitals are dumb enough to pay which makes them a target for more attacks.

    • by s.petry ( 762400 ) on Saturday June 25, 2016 @06:29PM (#52390433)

      Two things missing from your summary. First, the health care industry now has to hold massive amounts of data on you, and has to make it available to the Government. This is the price of government mandated and controlled insurance. All of this data makes it simple to steal your identity, which ties into our second item.

      Second item: Profit. In addition to using your prescription coverage for codeine, big ticket items are being charged to people because identity theft is so easy. Within the last month or so, two people were hit with tens of thousands of dollars in co-pay for major surgery, and another was hit with fees from a transplant. All of which were done to other people. A bit of investigation determined that the people bought insurance on the black market for their procedures. The better the insurance being stolen, the higher price it retrieves. Shame on the US for using a SSN for nearly everything.

      • Re: (Score:2, Informative)

        by Anonymous Coward
        The healthcare industry has *always* held massive amounts of data on you. Of all the sweeping changes made by ACA, this is not one of them.
        • by tomhath ( 637240 )

          Of all the sweeping changes made by ACA, this is not one of them

          He didn't say ACA. Much of it was mandated by HIPAA, but it's really due to malpractice lawsuits. A healthcare provider needs to document everything and keep it essentially forever, including billing information in case they get charged with fraud.

      • by Gr8Apes ( 679165 )

        First, the health care industry now has to hold massive amounts of data on you, and has to make it available to the Government. This is the price of government mandated and controlled insurance.

        They've always done this. And it's always been available to the government. They might have needed a warrant, but it's available.

        All of this data makes it simple to steal your identity, ... Within the last month or so,. two people hit with tens of thousands of dollars in co-pay for major surgery, and another was hit with fees from a transplant. All of which were done to other people.

        Seems like an easy thing to get out of. Did I have a transplant? No? You billed the wrong person. Also seems like a very simple thing to track down the guilty party, especially with something like a transplant that requires specialized long term oversight and care. A last note, tens of thousands of copay for a single incident is pretty crappy insurance.

        • If you don't like the label don't perform the act.

          Less than 20 years ago we had to hand carry files, lab results, and images from doctor to doctor. "Always" is complete horse shit, and as we have moved to everything being on-line crimes have increased due to opportunity.

          The on-line convenience for some has impact to everyone. I'd be willing to bet you can see it if you just opened your eyes.

          • by Gr8Apes ( 679165 )

            Take your meds.

            Hand-carrying files doesn't mean the gov couldn't get their hands on the data, it reinforces that yes, they indeed could get data that was there to get. Very little is not subject to a court order. Medical records are not an exception.

            Considering I have done work in the health-care industry, I'm well aware of what the online "convenience" means, and how shoddy current privacy protections are. And even then, I still have to go grab my paperwork from various locales to give to my new doc, so

            • Generally speaking the Government was prevented from accessing your health care data by law. It was not until the government mandated and regulated recent history that they had access to your data.

              Exceptions were people in the Government system, such as Welfare/Veterans, etc... Many veterans avoided Government doctors for exactly that reason.

              Instead of claiming someone else needs meds, evaluate your own lack of truth and desire to defend your lies.

              • by Gr8Apes ( 679165 )

                You still don't get it. I think you're arguing an unstated semantic point here. If your statement is that the government now has easy, unfettered and full access to your medical history, that's a different statement, and one I'd respond to by saying that while they technically can have that level of access, in reality the access is fettered by a whole set of incompatible and crappy systems that only marginally talk to each other, at least in my experience.

                That the gov has always been able to get access if there was a (le

                • by s.petry ( 762400 )

                  My point is absolutely factual, you are arguing that recent trends of making everything digital and on-line data have "always" been the norm. Your view is factually incorrect on all accounts. It was not quite 2 decades ago that everything was in paper and film. Very little was digital in terms of patient data. I had a full reconstruction of my shoulder and had to hand carry MRIs, Xrays, and folders full of data between my Orthopedic Surgeon and the Hospital because it was illegal for them to make copies

                  • To recap:

                    First, the health care industry now has to hold massive amounts of data on you, and has to make it available to the Government. This is the price of government mandated and controlled insurance.

                    They've always done this. And it's always been available to the government. They might have needed a warrant, but it's available.

                    Your reading comprehension leaves something to be desired, or there's something worse afoot with you. To make this absolutely clear, I stated the following:

                    They've always done this.

                    to clearly and, yes, pedantically state what that means, since your comprehension of said quotes above seems severely lacking this can be transformed into a plain fully qualified self-standing sentence:

                    The health care industry has always held massive amounts of data on a patient

                    I do not believe there's any question that they've done this for

  • Why the healthcare industry? Easy. There is lots of valuable information and money to be made by doing so and frankly the healthcare industry is a soft target if there ever was one. Their IT systems typically have security as an afterthought if they consider it at all. They don't tend to hire the best and brightest IT people and the results prove it. They are hamstrung by regulations that legally prohibit them from updating equipment for security reasons even when it needs it. The people that run medi

    • The healthcare systems are a flipping nightmare from an interoperability standpoint - so many things all trying to hang together in a single functional ecosystem, so little in the way of true standards (HL7, DICOM, yeah like saying you speak an "Eastern Language" something between Farsi and Mandarin.)

      In those systems are records that literally are "worth money," so, yeah, low hanging fruit.

  • Put lots of data in one place, it becomes a target.
    There seems to be a belief that by using e-records, it will save your life. In an emergency, your records are immediately available. Now you have conflicting goals. 1) Open access (even if you are unconscious) for medical professionals everywhere all the time and 2) locked-down, secure systems.
    What we get is a system where medical professionals can't get access to your records when they do need them. The quality of record keeping drops significantly becau

    • I'm not against electronic medical records, though I do see the potential security issues. But it's not hackers I am most worried about, it's medical staff with legitimate access, who have no business nosing around my records but do so anyway. It happens a lot more than you'd think, not too long ago there was a big stink here about policemen going through all manner of records they had no business peeking into. Bored cops reading up on celebrities, or checking records on their ex or recent date. And in case
      • by ebonum ( 830686 )

        Agree with you 100%.

      • And about thirty minutes after you started that, you would put that email address in your spam folder. You'd get more hits than a Slashdot article on Hilary Clinton. We are constantly opening your file - doing financial audits, do pharmacy audits, checking for overdue records, checking to see if you are overdue for an appointment, checking the status of an insurance claim (twenty times a day), counting the number of diabetics, counting the number of people who need tetanus shots.

        All manner of reports all

        • doing financial audits, do pharmacy audits, checking for overdue records, checking to see if you are overdue for an appointment, checking the status of an insurance claim (twenty times a day), counting the number of diabetics, counting the number of people who need tetanus shots.

          You shouldn't have to access my personal medical records for that, I'm not talking about generic hospital administration stuff. In fact over here you're not even allowed to access medical records for any of those reasons, the best you get is anonymized aggregated data. Hospitals do keep a lot of additional data in order to keep their books in order, but even so that information is still classed extremely sensitive, and they're not about to open up that data to other parties like insurance companies (thoug

      • by swb ( 14022 )

        I have a friend who works in IT in a hospital system, managing the middleware that translates between hospital systems. He says it's really heavily audited, and even the middleware troubleshooting system where you can pull HL7 records out of the queue to figure out why they're not working is audited.

        Pulling records at random without audit information being logged, while not technically impossible for him, is very difficult and basically impossible for anyone not operating at the IT level. Even then he says

  • Because of the slope of the tradeoffs.

    Security is always a tension between making the data safe vs. making it usable.

    In the case of health care, if the data isn't usable: people die.

    So in any situation where a human may route around security so that someone doesn't die: they do so. It leaves the system riddled with security holes, but on the whole: functional for the intended purpose of keeping people alive.

    Keeping the data useful is also why these companies are fairly quick to pay the ransoms, and (I'd like t

  • by Crashmarik ( 635988 ) on Saturday June 25, 2016 @06:54PM (#52390515)

    Good luck getting them to comply with security policy or keeping any policy in place that one objects to.

    • Good luck getting them to comply with security policy or keeping any policy in place that one objects to.

      Oh, they don't want to listen? Fine.

      Tell them their liability insurance is going to go up by 20% every year until they do fucking listen.

      Only way ANYONE listens is when you speak directly to their wallet.

      • Good luck getting them to comply with security policy or keeping any policy in place that one objects to.

        Oh, they don't want to listen? Fine.

        Tell them their liability insurance is going to go up by 20% every year until they do fucking listen.

        Only way ANYONE listens is when you speak directly to their wallet.

        And they will just pass that on.

        Don't like the paying the price? Feel free to get worse / die while price shopping then.

        The stick is not the answer here. Systems engineering needs to step up and accommodate them in this case

  • by Sarusa ( 104047 ) on Saturday June 25, 2016 @07:11PM (#52390541)

    I've worked a bit with the health industry (not as a career, thank god, that would be soul crushing), and outside of government health care has the worst IT and worst security I've ever seen. Because they just don't care unless it impacts their bottom line.

    All those health apps that doctors and nurses use, and all those devices? Yeah, they have terrible security because the hospitals don't make it a priority and they just don't care either. Class C medical devices that are PCs running Windows XP with active USB ports? You bet.

    Your online records? Those are handled by outsourced people running cobbled together Ruby scripts that take 30 hours to process 24 hours worth of data in plaintext csv (I use that because I've seen it)- they certainly don't care about security. Your insurance company? They certainly don't give a damn whether you live or die as long as they're raking in the cash.

    All they care about is preserving the appearance of not violating HIPAA because that might cause them some grief.

  • It's a soft target with lots of interesting information.

  • because they have horrible security and greater information.
  • Because they're used to viruses and infections?

  • Because it is trivially easy to break into the medical industry systems while their IT security is being designed by MBA managers with impotent and clueless security policies. Anyone here ever tried to apply for one of these management positions? Anyone here ever worked in the medical industry's IT division and realized that it was a dead end job if you are an IT worker? You are never going to get into the management there because they don't promote people from IT into management positions. It does not take

  • Fake medical bills.

    The fact that you don't know how many medical bills you'll get, from whom, or what the total will be creates huge opportunities for fraudulent medical billing. You find out when someone was in a hospital and for what, then send them a fake bill for a couple grand for (insert bullshit reason here). Then harass the living shit out of them until they agree to settle for half of what you originally asked for.
  • This problem has to be a myth.

    Each time I enter the healthcare industry, I have to fill out the same "wonderful" multi-page form by including basic personal information and health history therein.

    So what data is being hacked?

    Yes, I'm being facetious, if that fails to go without saying.

    • ... Each time I enter the healthcare industry, I have to fill out the same "wonderful" multi-page form by including basic personal information and health history therein.

      So what data is being hacked? ...

      They have your data, they just want to see if you are the same person and if you can remember it. It's a test! 8-P

  • The doctors and other personnel consider "data should be free", for their work, and security is not in their area of expertise. They consider patients first, which is good, but they don't believe that the patients also need the security. It is in the way, so they push it aside and forget it.

    It is basically a lack of training in the medical colleges.

  • I have to wonder if this is simply a LEO phishing attempt. I'd think we'd all know why they're doing it. They've told us, according to the articles I've read. It's a punch in the nose to bloody it so they'll actually do their jobs. You know, actually patch machines, keep software up to date, things like that. A number of hospitals, their version of Windows is real old, not updated, easy pickins. One article said they even told the hospital many times over three years about it. Didn't move them at all. Ok,
