Why has healthcare become such a target for cyber-attackers?

Attackers can also use the health network to spread into connected medical devices and equipment such as ventilators, X-ray machines and medical lasers. From here they can create a “back door” that will allow them to maintain access even if software is updated to improve security.

It’s also possible that attackers could one day use artificial intelligence to mount more complex attacks. For example, hackers could use an intelligent system to block algorithms in the healthcare network that manage prescriptions or drug libraries and replace them with fakes.

Why is healthcare such a target?
Yet any organization with a computer is at risk from cyber-attacks and there are arguably far more obvious targets for those wanting to extort money. The recent attack on the NHS, for example, yielded very little ransom.

Part of the reason for the threat against the healthcare sector is that it is classed as national critical infrastructure, alongside water, electricity and transport networks. This makes it an attractive target for those hackers wanting to cause chaos, especially from a hostile foreign country. Attacking a healthcare organisation that is part of a wider network of infrastructure could also provide a way in to other critical facilities.

There are also a huge number of opportunities for attacks on healthcare systems simply due to the extent to which they rely on technology. Healthcare today makes massive use of expensive technology, not just in computer systems and hospital equipment but also devices attached to and even embedded in the human body, such as fitness monitors or digital pacemakers. There are also many ways in for a healthcare hacker, from data networks to mobile applications and even non-medical systems such as CCTV.

In particular, the spread of the Internet of Things, the connection of increasing numbers of devices and objects to the internet, is increasing the number of potential access points for hackers. Unlike many of the more trivial uses for the Internet of Things, connected medical devices have obvious benefits because they can instantly exchange useful data or instructions with medical staff. This is where some of the greatest dangers lie because the devices are often involved in critical procedures or treatments. Interference with the signals to a robotic surgical tool, for example, would be devastating.

How can we protect healthcare from attacks?
Most of the attacks against health systems fall under the category of missile attacks. They cannot spontaneously harm the attacker and leave limited traces, but can cause significant damage. This makes it very difficult to track down the attackers or predict future attacks.

But healthcare organizations have already become more aware of the danger they are in and started to take measures to protect themselves, for example by building cyber-security into their information technology strategies. At a delivery level, hospitals can establish new security standards and better ways to effectively integrate the new interconnected systems as they emerge.

But healthcare systems suffer from the same inherent problems as any technology. Even when a security team thinks it has a grip on a problem, another often appears. When one is solved, many more are often generated. What’s more, they are designed by humans for humans, and so it’s fair to assume they are vulnerable by default thanks to human error.

Although you can train staff as best you can, it only takes one person clicking on a rogue attachment to let in malware that can disrupt the whole system. What’s more, the fear of legal costs and responsibilities might lead some organizations to under-report incidents and take action that could increase the threat, for example by paying ransoms to hackers. In reality, the reputation and trust of healthcare organizations depend on them understanding the true extent of the threat and taking sufficient measures to guard against it.

Myrsini Athinaiou is a Ph.D. student in Computing, Engineering and Mathematics, University of Brighton. This article is published courtesy of The Conversation (under Creative Commons-Attribution / No derivative).