March 22, 2021 By Asheesh Kumar 4 min read

As hospitals get smarter, threat actors have more routes inside. IBM’s recent research on the health care industry shows how smart tools, which could be very valuable for today’s medical facilities, also need healing of their own. What should hospital IT security teams look out for? Our overview of the state of cybersecurity in the health care industry shows what threats are out there and how you can mitigate them.

Why Are Health Care Cyberattacks Significant?

Who counts as part of the health care industry? It’s a wide field, from companies that offer clinical services, manufacture drugs and medical equipment to related support services, such as medical insurance. These services operate in a web of partnerships including doctors, nurses, medical administrators, government agencies, pharmaceutical companies, medical equipment manufacturers and medical insurance companies.

The industry is broken down into three segments:

  1. Health care providers – hospitals, nursing homes, rehabilitation centers and teaching, research and training centers.
  2. Health care payers – government and private health insurance policies and health care fund services.
  3. Life science – pharmaceutical firms, biotechnology firms and medical equipment manufacturers.

Health Care Cybersecurity Challenges: Costly Data Breaches and a Range of Threat Actors

Figure 1 by IBM. All numbers are in millions.

The average health care data breach costs its victim $7.13 million, the highest cost in 2020 across all industries. That’s almost double the global average. Of these incidents, 80% resulted in the exposure of customers’ personally identifiable information, according to IBM’s Cost of a Data Breach report. Just 23% of health care organizations have fully deployed security automation tools. On average, it takes six months to detect a data breach. Beyond that, it takes 280 days on average for an organization to identify and contain the breach.

Figure 2 by IBM, with reference to Statista. All numbers are in millions.

With many organizations unprepared, threat actors see several advantages to launching cyberattacks. In health care, they’re mostly after money or secrets. Overall, the top five motivations behind cyberattacks are financial, espionage, disruption, political and retaliation. Information, data and user credentials can be sold on the dark web. That’s why those are the most common things threat actors look to steal during an intrusion: they’re after the money.

The second most common motivation is espionage, and it is on the rise. It’s becoming more common mainly due to ongoing geopolitical and commercial tensions.

Cybersecurity Threats to Smart Hospitals

Hospital cyberattacks, like a recent one on the Brno University Hospital in the Czech Republic, are especially dangerous in the middle of the COVID-19 pandemic. That attack forced the hospital to reroute patients and postpone surgery. The incident highlighted how disruptive such attacks can be, since this hospital is one of the Czech Republic’s biggest COVID-19 testing laboratories.

Balancing protection against health care cybersecurity attacks with today’s ‘smart’ technology standards comes with challenges. What makes a hospital ‘smart’? Essentially, the critical assets in smart hospitals are connected through a network and can be controlled remotely. This increases the possibility of cyberattacks. Highly critical assets for smart hospitals, such as an interconnected clinical system, networked medical devices and a remote care system, can be at risk. In addition, in order to achieve improved medical care and enhanced diagnostic capabilities, the hospital may replace legacy systems with Internet of Things (IoT) components and devices. This means those systems become directly critical not only for individual patient safety but also for the overall functioning of the hospital.

In most cases, the root cause of a data breach at a health care organization is one of three factors: a malicious attack (52%), system glitch (25%) or human error (23%).

Likelihood and Criticality of Cyberattacks to Smart Hospitals

Let’s take a closer look at those three major threat factors impacting smart hospitals. As one might expect, malicious attacks are deliberate attacks by a person or organization. System glitches are highly relevant in the health care sector, particularly due to the increasing complexity and dynamics of the systems they affect. Human error can occur during the configuration or operation of devices or information systems, or the execution of processes.

Figure 4 by IBM

Health Care Threat Actors and Threat Vectors

By defending against threat actors from outside, hospitals and other health care organizations can cut down on the most likely source of an attack. Threat actors in a smart hospital can come from a variety of sources and have a variety of motivations. They could be insider threats: physicians, nurses or administrative staff with a reason to hurt the organization. Or, threat actors could be malicious patients and guests. Lastly, threats could come from remote attackers: people who, for any reason, use their own equipment to attack without being physically inside the hospital.

These potential attackers have several different approach vectors in a smart hospital to choose from. First, they could physically interact with IT assets. Another very common technique is to use wireless communication to access IT assets within range. Attackers can use wired communication with IT assets through related online tools including cloud services and online health care information systems. Finally, attackers can get in by using other people to unknowingly help them. Social engineering attacks are very common in the health care sector. They are usually where ransomware attacks start.

How to Improve Your SOC

Threats toward the health care industry are increasing year over year as hospitals get smarter. The industry has been a top target for cyberattacks in terms of both information technology and operational technology (OT). This is a critical time for hospitals and other health care organizations to invest and mature their security operations center (SOC).

One way to do this is to bring IoT and OT into the scope of the SOC’s responsibilities. Next, you can assess the existing SOC to find gaps in its capabilities.

Threats are always evolving, but information security is evolving along with them. By keeping up to date on your existing security and SOC capabilities, health care organizations can work toward smooth operations and making sure patients get the best care possible.
