Hospital hacks: Default passwords and no patching leaves healthcare at risk

Poor security practice, shared passwords and vulnerabilities in software are increasingly helping attackers gain access to treasure troves of sensitive personal data, warns report.
Written by Danny Palmer, Senior Writer

A sharp rise in cyber-attacks targeting hospitals has been assisted by the healthcare industry's failure to address known vulnerabilities or comply with best security practices, with password sharing, outdated software, and exposed servers rife within the sector.

This lax approach to cybersecurity means that many cyber-attackers and hackers are happy to take advantage of what they view as an easy target in order to get their hands on sensitive information -- including medical records and other personal data.

According to figures in the McAfee Labs Threats Report for March 2018, 2017 saw a 211 percent increase in disclosed security incidents in healthcare compared with 2016. According to researchers at the security company, many of these incidents were "caused by failures to comply with security best practices or to address vulnerabilities in medical software".

That compares to a rise in reported cyber-attacks against educational establishments of 125 percent and a jump of around 15 percent in reported incidents against the financial and public sectors.

While some cyber-attackers view targeting hospitals as a step too far when it comes to conducting campaigns, for others, they're lucrative hubs of valuable data just waiting to be exploited.

During the course of the study, researchers found exposed healthcare data, sensitive images, and vulnerable software; in one case, the exposed material made it possible to reconstruct patient body parts using 3D printing.


Typical security holes in healthcare organisations include hardcoded or embedded passwords, remote code execution, unsigned firmware, and failures to address known vulnerabilities in medical software. Default accounts, cross-site scripting, and vulnerabilities in web servers were also found to be issues, with many systems found to be running on old software.

Arguably, the most significant example of failure to apply security patches resulting in hospitals falling victim to cyber-attacks came with last year's WannaCry ransomware outbreak.

While no patient data was compromised as a result of this global cyber-attack, a large number of National Health Service hospitals and doctors' surgeries in the UK were forced offline as systems became infected.

Later analysis of the incident found that basic patching could have prevented WannaCry from having such a massive impact.

But the rise in attacks against healthcare, combined with the sensitive personal data these organisations hold and the potential for a cyber-attack against a hospital to harm patients, means organisations in the sector -- and those which provide technology to them -- must take more care when it comes to cybersecurity.

"Both healthcare organisations and developers creating software for their use must be more vigilant in ensuring they are up to date on security best practices," said Christiaan Beek, McAfee lead scientist and senior principal engineer.
