For the second year in a row, the top security niche that MSPs are focusing in on, is the healthcare industry. As hospitals expand and medical wearables are becoming more common, organizations with skeletal IT staffs are looking more and more to MSPs to handle security matters.

It’s no wonder, because the healthcare industry continues to be hackers favorite target. For server-hungry cryptominers, hospitals represent a tempting power source. For data thieves, the trove of HIPPA protected information and credit card numbers is a goldmine. For ransomware pirates, holding healthcare information hostage is the equivalent of seizing an oil tanker on the high seas.

The medical-industrial ecosystem has a lot of inherent juxtapositions that hackers know how to exploit and MSPs need to navigate. The proliferation of wearables is providing portals into larger systems for all bad actors. Medical devices are still designed for speed, convenience, and customer comfort with security as a lesser concern.

“A challenge for MSPs is that medical professionals are not choosing these medical devices based on how they can transmit data and how and when they connect to the Internet. Instead, they choose devices based on reliability, comfort for the wearer, and personal preference,” Dr. Carolyn McGregor, Professor of Business and Information Technology at Ontario Tech University in Oshawa, Ontario tells SmarterMSP.

New standard provides relief

McGregor points to a new health data interchange standard that the Institute of Electrical and Electronics Engineers (IEEE) has developed (known as 11073) as something that MSPs need to watch.

“Previously, data that medical devices generated was proprietary, making 11073 a game changer. It will be very important for wearable vendors and MSPs to use this as a robust and secure method for medical data transmission over the Internet,” explains McGregor.

Currently, if devices don’t use a standard like 11073 then the MSP must introduce their own form of security for the data transmission, as well as protecting when and how the devices connect to the Internet.

Increasing security often requires bulking up devices, which can cause consumer conflict. Hospitals and clinics have been focused on delivering excellent care, not super cybersecurity. That can lead to issues that have been experienced recently. 

For instance, an Ohio urology practice was forced to cough up $75,000 in bitcoin to appease ransomware hackers who managed to compromise their system.

A Michigan physicians’ practice closed their doors for good after hackers delivered on their promise to delete all the office’s patient records if they didn’t pay $6500 in ransomware. The physicians didn’t pay and were forced to close their long-time practice. Without the records, they would have had to start from scratch.

Emerging threat trends in healthcare

While we don’t have the specifics of how these two breaches occurred, Hussain Aldawood, a cybersecurity expert and lecturer at the University of Newcastle in Australia, tells SmarterMSP that there are some critical areas MSPs need to watch:

Incorporating personal and business activities online: Ordering vitamin powder from Amazon or pinning that amazing-looking barbecue sauce during a break at work may seem harmless, but this is an issue in a workplace environment, but one that can be easily manipulated and exploited in sensitive healthcare environments.

People frequently elect to use their work email accounts for personal activities, and they do not know how to adjust their privacy settings on their personal devices. This enables online service providers to track their movements by cookies. This privacy issue leaves a door open for social engineers to send targeted phishing emails.

Outdated Endpoints: Healthcare organizations have beefed up their defenses significantly over the past decade, but that doesn’t mean there aren’t still weak links hackers can exploit.

Healthcare organizations usually have very complex information security systems and well-developed defense infrastructure. However, the smaller vendors they work with usually do not have the same capabilities of information security defense systems. With this various vendor ecosystem, it is critical to remember that some of the third parties can access the network and sensitive data of patients through outdated endpoints.

This access could be through computers, laptops, mobile devices, or tablets. It poses a serious threat, giving attackers easier opportunities to hit a larger target by compromising a smaller one first. 

Subscribe to SmarterMSP.com

Old Medical Devices: In the medical context, “old” may mean just a few years. The decade-old internet-connect insulin pump may still be working fine, but it could be a security headache.

Medical devices should be taken into consideration as sensitive patient information is migrating to the digital world. The fact that those devices are connected to the information systems of healthcare networks creates a threat. If the OS becomes infected with a worm, they have the potential to threaten the entire healthcare network of an organization.

Ransomware: Ransomware is a significant vulnerability in the healthcare industry. In the case of the Ohio urology practice, they reported losing around $40,000 in revenue for every day the practice remained closed. Based on the math, paying the hackers the $75,000 ransom was probably an “easy” choice.

Let’s assume that an attack takes place in a medical center and the medical records are not available. Likely, some are willing to pay to recover access. Therefore, it is significant for healthcare organizations to constantly screen their third-party policies and assess whether access to their network could present such a security threat.

Reputational Harm: An attack can be costly even if nothing is compromised. If word gets out, customers may perceive the practice as skimping on security.

If healthcare organizations are not seriously requiring stronger security policies for their vendors to safeguard patients’ sensitive information, they could be putting their patients’ data in a risky situation and risking damage to the healthcare reputation.

Without giving these some consideration, like a group of unfortunate physicians in Michigan found out, you might be driven out of business altogether.

Photo: Anatolii Riepin / Shutterstock

Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *