Healthcare infrastructure has been severely attacked on multiple occasions as well. According to the HIPAA Journal, cyberattacks against healthcare providers have resulted in 3,705 data breaches and 267 million compromised medical records since 2009. In 2020, healthcare was the industry with the highest number of publicly disclosed breaches. According to a report by Risk Based Security, 484 (13 percent) of the 3,932 breaches in 2020 involved healthcare providers, more than any other industry. This is a 25 percent increase from 2019.
Trinity Health was the most affected among healthcare providers as a result of a 2020 ransomware attack on Blackbaud, a provider of cloud-based customer relationship management software. The attack on one of Blackbaud's self-hosted cloud servers affected hundreds of customer organizations worldwide, including more than two dozen healthcare organizations, and resulted in the destruction of more than 10 million records. Blackbaud stopped the cybercriminals before they could fully encrypt the files in the hacked database, but not before they could compromise sensitive data. The company paid an undisclosed amount to the hackers to destroy the stolen data. The number of people affected was 3.32 million.
In 2016, hackers used malware to compromise the payment processing system of a Banner Health food and beverage store. The attackers then used the system as a gateway into the Banner Health network, eventually gaining access to servers containing patient data. The cyberattack went undetected for nearly a month. The stolen data included highly sensitive information such as social security numbers, dates of service and claims, and health insurance information. The number of people affected was 3.6 million.
Private patient information is valuable to attackers. Personal health information (PHI) is more valuable on the black market than credit card credentials or regular personally identifiable information (PII). As a result, cybercriminals have a higher incentive to target medical databases. They can sell PHI and/or use it for personal gain. The average cost of a data breach per stolen record for non-healthcare related organizations is $158. For healthcare organizations, the average cost is $355. Credit card information and PII sell for $1 to $2 on the black market, but according to the Infosec Institute, PHI can sell for as much as $363. That's because unlike credit card information or Social Security numbers, a person's personal health history, including illnesses, diseases, surgeries, etc., cannot be changed.
Medical devices are an easy entry point for attackers, even though the devices themselves do not contain any patient data. They are an easy target because they lack the security found on other network devices such as laptops and computers.
Modern healthcare organizations are responsible for handling large volumes of patient data and extensive networks of connected medical devices. Larger organizations can have thousands of medical devices connected to their networks, each a potential target for attackers. Healthcare personnel are often too busy to stay abreast of the latest device threats, and it is hardly realistic to task IT specialists with protecting the entire hardware network from attack. Often an attack on one device puts the entire system at risk.
While medical technology has made incredible strides in recent years, not every aspect of the healthcare industry has kept pace. Limited budgets and hesitation to learn new systems often mean that medical technology is outdated. Some of the equipment in use is so old that it is no longer maintained and has vulnerabilities that are not being patched. Attacks on healthcare systems therefore don't necessarily require highly sophisticated techniques. Attackers are simply taking advantage of weaknesses that healthcare organizations have not yet addressed. This is especially true of small and medium-sized healthcare companies, which, usually due to budget constraints, invest less in security or not at all. That's why effective security measures are critical to the healthcare industry.
Our Shambles system provides security solutions targeted at exactly these embedded systems. It covers security inspection of devices' exposed APIs, tracking of firmware that is no longer officially maintained, and version management. It generates firmware supply chain data and reviews it in conjunction with disclosed vulnerabilities. It addresses these security issues automatically, comprehensively, and accurately, without disrupting existing healthcare operational processes and without requiring operators to have a security background.
