It's not a good prognosis for healthcare in terms of cybersecurity.
The industry is getting hit as hard as any other, but what it's lacking is a good defense.
"They have a lot of vulnerabilities going on," says Chris Tarbell, who is part of the cybersecurity and investigations practice at Berkeley Research Group. "They have a lot of old software that was never meant to be part of networks. They have old equipment, end-of-life equipment. They are kind of behind and trying to catch up. But they don't have the money."
Tarbell says it comes down to dollars not being spent properly, which leaves the industry ripe for attack, especially ransomware: malicious software that blocks access to a computer system until a ransom is paid.
In February, Hollywood Presbyterian Medical Center paid $16,700 to regain access to its network after hackers took it down. The ransom was paid via Bitcoin, an electronic currency that is fueling ransomware attacks.
"You have to sell millions of health records to make money on the Dark Web," says Tarbell. "Ransomware is the quick hit." If it seems ethically wrong to put sick patients at even greater risk, many agree. Even hackers are criticizing those who prey on hospitals, calling it "sad and a new low."
"Hackers make healthcare look bad, and then regulators are going to come in and punish them. Healthcare is in a tough spot," said Tarbell, who was one of the lead investigators in some of the most notorious cyber cases, including the takedown of Anonymous and the Silk Road. "Regulations put on by HIPAA are insane."
Tarbell says the only answer for healthcare is funding. Money is needed to add staff with specific expertise, replace old equipment, and re-configure existing systems. "IT is great, but their job is business continuity," says Tarbell. "Now healthcare needs cybersecurity staff. Guys with a cybersecurity mindset to solve problems."
This attitude is being pushed across industries. Just last week, the PCI Security Standards Council, which is part of the Payment Card Industry, called for a culture of cybersecurity that is "layered and prioritizes people, process, and technology."
Hospitals need to start with equipment inventory. "We still see a lot of Windows 2003 and Windows XP boxes online," said Tarbell. "Those are not supported by Microsoft anymore, so issues are never going to be fixed."
He says these end-of-life machines need to be taken offline because they are the prevalent hacker target, even more so than phishing. He suggests virtualization as one solution even though there is some overhead.
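The inventory step Tarbell describes is easy to state and tedious to do by hand. The script below is an added example, not from the article or from Berkeley Research Group: it reads a (constructed) asset inventory, checks each operating system against Microsoft's public end-of-support dates, and orders the unsupported hosts for remediation by exposure, so that an internet-reachable device in a patient room lands at the top of the list. The inventory columns (`hostname`, `os`, `segment`, `internet_exposed`) and the hostnames are assumptions for the example; the end-of-support dates are the vendor's published lifecycle dates.

```python
"""Triage an asset inventory for end-of-life operating systems.

Added example (not from the article). Flags hosts whose OS is past the
vendor's end-of-support date and ranks them for remediation by exposure.
"""
import csv
import io
from datetime import date

# Public Microsoft end-of-extended-support dates.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
}

# Constructed sample inventory; column names and hosts are assumptions
# for this example, not data from the article.
SAMPLE_INVENTORY = """hostname,os,segment,internet_exposed
infusion-pump-ctl-01,Windows XP,patient-room,yes
lab-analyzer-07,Windows Server 2003,lab,no
radiology-pacs-02,Windows Server 2008 R2,clinical,no
nurse-station-14,Windows 10,patient-room,yes
hr-fileserver,Windows Server 2016,corporate,no
"""


def remediation_priority(segment: str, internet_exposed: bool) -> int:
    """Lower number = fix first.

    Internet-reachable hosts are the most urgent, then devices on
    patient-care segments, then everything else.
    """
    if internet_exposed:
        return 1
    if segment == "patient-room":
        return 2
    return 3


def triage(inventory_csv: str, as_of: date) -> list:
    """Return unsupported hosts, most urgent first.

    `as_of` is passed explicitly so the result is reproducible: an OS
    that is still supported on the given date is not reported.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        eol = END_OF_SUPPORT.get(row["os"])
        if eol is None or eol > as_of:
            continue  # still supported, or OS not in the lifecycle table
        exposed = row["internet_exposed"].strip().lower() == "yes"
        findings.append({
            "hostname": row["hostname"],
            "os": row["os"],
            "segment": row["segment"],
            "internet_exposed": exposed,
            "days_unsupported": (as_of - eol).days,
            "priority": remediation_priority(row["segment"], exposed),
        })
    # Highest priority first; within a priority, longest unsupported first.
    findings.sort(key=lambda f: (f["priority"], -f["days_unsupported"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, date.today()):
        print(f"P{f['priority']} {f['hostname']:<22} {f['os']:<24} "
              f"{f['segment']:<13} unsupported {f['days_unsupported']}d")
```

Hosts whose OS is not in the lifecycle table are skipped rather than reported, which is deliberate: the table is the source of truth for "unsupported", and an unknown OS string is an inventory-quality problem to fix separately rather than a finding to act on.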
He says hospitals should explore real-time software backups, real-time vulnerability scanning, and storing data off-site. Hospitals also need to evaluate current practices such as machines in patient rooms connected to the internet or copying from shares instead of pulling from shares, said Tarbell.
There is a trade-off, however. "You are forsaking the fast pace of health care for better security, but there needs to be a better mix," said Tarbell.