Ransomware attacks of the likes of WannaCry exposed how vulnerable hospitals are in regards to cyberattacks. To date, it takes nearly a month for a small hospital to fully recover from an attack—that includes getting your AR and billing data up and running again.
With hospital sustainability and patient safety likely your big two critical priorities every year, cybersecurity vulnerabilities could very well cripple both of those efforts.
Just a couple of months ago I was listening to a lecture given by a hacker that had compromised a printer. He was able to penetrate the network through a networked printer that didn’t have patches applied (we see this more often than not in rural and critical access hospitals) and then was able to show precisely how he would go about infecting every single computer in that hospital with WannaCry ransomware.
It only takes one device!
The message to you as we start 2019 is that it only takes one device. While printers and medical devices might be a little more cumbersome for cyber attackers to penetrate—simply because these devices require additional research on their part—doesn’t mean they won’t do it. And if you have easier networked devices—say routers, laptops, desktop computers, or servers that don’t have updates, don’t think for a second that they won’t take easier verifiably known routes into penetrating your entire network with a full blown cyberattack.
It simply takes on machine or one device to get through to your entire network of hundreds of employees.
That very WannaCry infection demonstrated at the cybersecurity conference was not simply a hacker’s fireside story. Attacks like these actually have happened in hospitals and clinics in rural America. Once a criminal understands the nature of a vulnerability (which may mean a little tinkering on their part), they may have opened a door that cannot be removed from your security equation. They might have a way in and all they’ll need to do is find out their targets. Psst… they’re looking for targets with big pay days (like your hospital!).
Ransomware and credential-stealing security concerns are two of the biggest concerns coming into 2019. That is, criminals are stealing user passwords to break onto networks (this is a very easy and automatable task) or finding devices with flaws to slither onto networks and then are attacking them with ransomware-containing viruses that often lie undetected for weeks to months.
The National Cyber Strategy revealed that the battle field in cybercrime is bigger than anyone originally conceived. Criminals are defining their targets more clearly in 2019 than ever before. And those targets fall squarely in healthcare and other high value data-area sectors.
The reason why rural hospitals should be concerned? Cybercriminals understand where people are investing in cybersecurity and where would be the easiest areas to break in. After many attacks on critical access and rural hospitals in the last few years, it is clear that they have been ramping up attacks towards rural hospitals because the data they hold is critically important to operations and the IT departments aren’t doing enough to prevent ransomware attacks.
Cybersecurity experts are recommending that hospitals conduct ransomware-focused risk assessments that expose vulnerabilities that criminals are actually exploiting rather than relying squarely on HIPAA risk assessments.
