This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.
2016 was the year of ransomware in cybersecurity, and it was especially impactful in healthcare. In this blog post, I’ll lay out a few predictions about the type of threats that the healthcare industry will face in 2017.
1. Ransomware Will Continue to Target Healthcare
I suppose this is an obvious one. Many hospitals were impacted by ransomware this past year. Hospitals in California, Indiana and Kentucky were hit especially hard by ransomware variants that target servers, as opposed to user PCs. A hospital in Washington was impacted to the point where it had to redirect patients to other facilities in order to maintain adequate quality of care.
The bad guys have turned to ransomware as their go-to choice of attack because the Bitcoin payments are anonymous and, as a business model, it is an effective way to get paid without getting caught by the police. They target healthcare because the attack vector for the highly effective SAMSA ransomware variant is through unpatched JBOSS application servers in the DMZ (the internet-facing area of a network). Hospitals that have many of these servers and are being successfully exploited in increasing numbers.
With any luck, the word has been spread well enough to healthcare organizations so that JBOSS vulnerabilities have been patched or at least mitigated. However, we haven’t seen the last of this trend. Ransomware will continue to target healthcare throughout 2017 through the standard areas of attack: web-based drive-by downloads, malicious email attachments or links, and unpatched servers in the DMZ.
2. Accidental Oversharing in SaaS Apps Will Increase, Resulting in Losses of Patient Data
Medical staff love to use cloud file-sharing SaaS apps, like Box, Dropbox and Google Drive, because they fill a gap in many healthcare organizations: easy file sharing. The problem with the public versions of these services is that it’s up to the user to control who has access to the files, and it’s quite easy to accidentally configure a file containing protected health information (PHI) to be shared with the entire internet public. Enterprise versions of Box, for example, enable administrators the ability to restrict public access, but many healthcare organizations don’t block the free versions.
I wrote a blog post earlier this year on the topic of SaaS security, along with some recommendations for mitigating the risk. Until healthcare organizations provide a sanctioned method for file sharing, both within and external to their organizations, and proactively block unsanctioned file-sharing websites, we are likely to see losses of patient data due to accidental oversharing.
1. A Cyberattack on a Medical Device Will Cause the First Confirmed Injury to a Patient
Many medical devices used in medical facilities today lack basic security. Often, medical devices lack endpoint protection, and regular patching, functioning on outdated operating systems, like Windows XP. For these reasons, they are prime targets for malware and cyberattacks.
There has been only one confirmed FDA order to pull a specific medical device out of hospitals. I believe the reason we have only seen one is due to insufficient research on and awareness of the problem. There hasn’t been much research because medical devices are expensive and there is no financial incentive to perform the sort of security research required to find and fix medical device vulnerabilities.
Attackers motivated by money have used ransomware due to the quick payout and anonymity, but there’s a type of attacker who is in the “I did it because I could” crowd. These adversaries hack for fun. To date there have been no confirmed cases of physical harm to patients due to a cyberattack on a medical device, but I believe that it’s only a matter of time before a bad actor takes advantage of the most vulnerable area of hospital networks – medical devices – and wants to make a statement.
What are your cybersecurity predictions for the healthcare industry? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for financial services.
This article originally appeared on HealthDataManagement.com
[Palo Alto Networks Research Center]