Why are hospitals such a major target for hackers?

Corporate & Healthcare Security Specialist, Smoothwall

April 20, 2018

Sign up to free email newsletters


The 2022 State of Physical Access Control Report

Bank heists and double-agent spy movies were the go-to thrillers for Hollywood in times gone by.

The general public could relate to these events, based on true events or at least plausible fiction.

Yet as the advent of the internet and the ‘digital era’ clawed its way into mainstream consciousness, the film industry reflected this new age with a number of cyber hacking films. Skyfall and Snowden are great examples of corporate and governmental cyber hacking making its way onto film.

How WannaCry ripped through the NHS

It’s easy to see, though, why the story of cyber attacks on healthcare institutions have yet to make it to the silver screen. But while they don’t quite have the same mass appeal as a cyber hack on a government, they are crippling in a different way.

You only need to look at the WannaCry ransomware attack on the NHS last year to see how devastating these incidents can be.

The attack led to disruption in over a third (34%) of trusts in England, with thousands of appointments and operations cancelled. It was the biggest ever cyber-attack on the NHS (although not directed solely at the organisation) but curiously, no ransom was paid.

In the wake of the attacks, the NHS published a review, Lessons Learned, which featured 22 recommendations for strengthening the organisation’s cybersecurity protections. However, the plans have yet to be put in place or scheduled by the Department of Health, a Public Accounts Committee report just found.

It wasn’t the first time hospital trusts were hit though; two of the trusts infected by WannaCry had been infected by previous cyber attacks and Goole NHS Foundation Trust had been subject to a ransomware attack in October 2016, leading to the cancellation of 2,800 appointments.

A US hospital had to pay $55,000 to hackers after being subjected to a ransomware attack

The UK is not alone, of course: a US hospital earlier this year had to pay $55,000 to hackers after being subjected to a separate ransomware attack.

So why is it that hospitals are targeted in this way?

Selling off data

One of the main reasons is the value placed on patient data. This kind of information on any individual can be hugely valuable on the black market or potentially even sold back to the hospital.

Threat actors can monetise that data through blackmail. And hospitals will need to pay for this data or risk getting fined, particularly when you take into account the impending GDPR.

Now, not only is a hospital’s reputation at stake, but there’s a huge financial bill if companies notify that data is lost and they haven’t reported where it was stored or located in the first place.

Away from GDPR, though, hackers are still able to cause significant damage to not just the trust, surgery or hospital, but to the individuals who entrust their data to that establishment.

Building up a profile

Last October, a cosmetic surgery in London – used by celebrities – was hacked by a group known as the Dark Overlord. The hackers stole pictures and other sensitive information of celebrities and royals in what was a monumental breach for an industry so steeped in security and privacy.

Stolen information like this will often contain contact details including name, address, phone number and potentially even financial records.

Even without an immediate financial incentive, threat actors can build up a profile of the person they are trying to defraud using this sensitive information. And it’s easy to see why clinics with high-worth individuals are particularly appealing in this regard.

How healthcare establishments can beat the hackers

Of course, it’s not just celebrities that are most vulnerable, but everyday patients whose records are under threat whenever a hack occurs. The NHS, facing budget cuts and a renewed call for a change in “mindset” required to prioritise meeting the threat of future attacks, is under scrutiny to prevent further hacks occurring.

The NHS needs a multi-layered approach to cybersecurity

The NHS – and indeed any other healthcare trust or organisation to manage these risks – needs a multi-layered approach to cybersecurity.

Making sure the computers are running the latest patch, ensuring investment in security doesn’t fall by the wayside but also looking more economically at their cybersecurity strategies are all important first steps.

For smaller, more local trusts, resources are limited, so intelligent spending is a good way to ensure that costs can be balanced with a solid cybersecurity approach. Healthcare organisations also need to ensure they are reviewing all their cyber-supplier contracts so they’re not massively overpaying for their defence systems.

A trusted specialist security provider is nearly always the best bet in this instance, as it’s more cost-effective and allows hospitals to tailor the best security solution for their organisation.

The next attack on our healthcare systems doesn’t have to be around the corner. A smart, sensible approach to cybersecurity that stops hackers at the porch door must be a priority.

Listen to the IFSEC Global podcast!

Each month, the IFSEC Global Security in Focus podcast brings you conversations with leading figures in the physical security industry. Covering everything from risk management principles and building a security culture, to the key trends ahead in tech and initiatives on diversity and inclusivity, the podcast keeps security professionals up to date with the latest hot topics in the sector.

Available online, and on Spotify, Apple Podcasts and Google Podcasts, tune in for an easy way to remain up to date on the issues affecting your role.

Related Topics

Notify of
Inline Feedbacks
View all comments