Date: 2018-03-12

A sharp rise in cyber attacks targeting hospitals has been assisted by a failure by healthcare organisations to address known vulnerabilities or comply with best security practices, with password sharing, outdated software and exposed servers rife within the sector.

This lax approach to cyber security means that many cyber attackers and hackers are happy to take advantage of what they view as an easy target in order to get their hands on sensitive information - including medical records and other sensitive personal data.

According to figures in the McAfee Labs Threats Report for March 2018, 2017 saw a 211 percent increase in disclosed security incidents in the healthcare sector compared with 2016. According to researchers at the security company, many of these incidents were "caused by failures to comply with security best practices or to address vulnerabilities in medical software".

That compares to a rise in reported cyber attacks against educational establishments of 125 percent and a jump of around 15 percent in reported incidents against the financial and public sectors.

While some cyber attackers view targeting hospitals as a step too far when it comes to conducting campaigns, for others they're lucrative hubs of valuable data just waiting to be exploited.

During the course of the research, researchers found exposed healthcare data, sensitive images and vulnerable software, resulting in the ability to reconstruct patient body parts with the use of 3D printing.

Typical security holes in healthcare organisations include hardcoded, embedded passwords, remote code execution, unsigned firmware or failures to address known vulnerabilities in medical software. Default accounts, cross-site scripting and vulnerabilities in web servers were also found to be issues, with many systems found to be running on old software.

Arguably, the most significant example of failure to apply security patches resulting in hospitals falling victim to cyber attacks came with last year's WannaCry ransomware outbreak.

While no patient data was compromised as a result of this global cyber attack, a large number of National Health Service hospitals and doctors' surgeries in the UK were forced offline as systems became infected.

Later analysis of the incident found that basic patching could have prevented WannaCry from having such a massive impact.

But the rise in attacks against healthcare, combined with the sensitive personal data these organisations hold and the fact that a cyber attack against a hospital could result in harm to patients, means organisations in the sector - and those which provide technology to them - must take more care when it comes to cyber security.

"Both healthcare organisations and developers creating software for their use must be more vigilant in ensuring they are up to date on security best practices," said Christiaan Beek, McAfee lead scientist and senior principal engineer.

