Visualize: Insights that power innovation

Visualize: Insights that power innovation

Healthcare’s hidden cyber threat

By Stephen Whelan  |  April 23, 2020

The healthcare industry is no stranger to cyberattacks. Just two years ago, it was the number one industry targeted by hackers, and health information was the second most at-risk data type, behind Social Security numbers.1 One study found that healthcare businesses were also highly likely to be retargeted following a successful cyberattack, an indication of just how attractive a target the sector is.2

Not surprisingly, the Internet’s black market (aka “the Dark Web”) is reportedly awash in stolen healthcare credentials and medical databases containing patient health records and other personally identifiable information.3

While the healthcare industry has been on notice for many years to the threat from phishers and hackers, a new vulnerability has surfaced. According to a recent report, 83 percent of medical imaging devices are running on unsupported operating systems (OS).4 These unsecured medical Internet of Things (IoT) devices constitute a significant new threat vector for cyberattacks: more than half of the cybersecurity threats that healthcare businesses face come in the form of a connected imaging device.5 Beyond imaging devices, some ventilator manufacturers have added Internet connectivity to their devices, raising the harrowing possibility of vulnerabilities in devices that are now in urgent demand.6

When the sun sets on an operating system

When an OS reaches the end of its life, the OS vendor stops issuing needed security patches and updates, even if serious security flaws are discovered.7 Devices running an outdated operating system pose a significant risk of malicious intrusion—a risk that only grows more severe the longer that unsecured device remains on a business network.8

In the context of the healthcare sector, unsecured imaging devices can be used by hackers to organize botnets (a swarm of hijacked computers and connected devices operating in unison) or as an entry point to spread malware to other devices on a business network. This malware, in turn, can be used to exfiltrate sensitive information from a healthcare provider’s network or to hijack IT infrastructure to surreptitiously mine cryptocurrency in so-called “crypto jacking” attacks.9

A road map for good cyber health

Many in the healthcare industry have been addressing the threat posed by their imaging devices by, for example, placing those devices in isolated networks that don’t interact with other pieces of IT infrastructure. Still, research indicates that the majority of healthcare businesses continue to use their unsecured medical devices on the same networks as other devices.10

Risk transfer is also an essential component in any cybersecurity risk management portfolio. The average cost of a cyberattack to a healthcare business is around $1.4 million,11 but those costs could soar if the medical devices themselves are damaged or destroyed.12 Beyond hardware costs, healthcare businesses are typically forced to ramp up advertising expenses following a data breach to try to repair the reputational damage suffered from the attack.13

Cyber insurance solutions can help provide healthcare providers with the means to minimize cyber loss exposures and facilitate a quicker recovery if an incident does occur.

To learn more about Verisk’s suite of solutions for the cyber insurance market, please visit www.verisk.com/cyber.

 

  1. Managing Enterprise Risks in a Digital World, Baker Hostetler, 2019,
    < https://f.datasrvr.com/fr1/019/33725/2019_BakerHostetler_DSIR_Final.pdf >, accessed on April 14, 2020.
  2. Beyond Compliance: Cyber Threats and Healthcare, FireEye, August 23, 2019, < https://content.fireeye.com/cyber-security-for-healthcare/rpt-beyond-compliance-cyber-threats-and-healthcare >, accessed on April 14, 2020.
  3. Ibid
  4. 2020 Unit 42 IoT Threat Report, Palo Alto Networks, March 10, 2020, < https://unit42.paloaltonetworks.com/iot-threat-report-2020/ >, accessed on April 14, 2020.
  5. Ibid
  6. Fink Densford, “Philips connects Trilogy ventilators to the Internet of Things,” Medical Design and Outsourcing, July 21, 2016,
    < https://www.medicaldesignandoutsourcing.com/philips-connects-trilogy-ventilators-internet-things/ >, accessed on April 14, 2020.
  7. What happens when Windows 7 support ends? Microsoft, January 14, 2020, < https://support.microsoft.com/en-us/help/4467761/windows-what-happens-when-windows-7-support-ends >, accessed on April 14, 2020.
  8. Ian Barker, “Outdated operating systems triple the risk of a data breach,” BetaNews, June 8, 2017,
    < https://betanews.com/2017/06/08/outdated-os-data-breach/ >, accessed on April 14, 2020.
  9. 2020 Unit 42 IoT Threat Report, 7
  10. Ibid
  11. Jessica Davis, “Healthcare Cyberattacks Cost $1.4 Million on Average in Recovery,” HealthITSecurity, January 22, 2019,
    < https://healthitsecurity.com/news/healthcare-cyberattacks-cost-1.4-million-on-average-in-recovery >, accessed on April 14, 2020.
  12. Nicole Wetsman, “Health Care’s Huge Cybersecurity Problem,” The Verge, April 4, 2019,
    < https://www.theverge.com/2019/4/4/18293817/cybersecurity-hospitals-health-care-scan-simulation>, accessed on April 14, 2020.
  13. Jessica Davis, “Hospitals Spend 64% More on Advertising After a Data Breach,” HealthITSecurity, January 2, 2019,
    < https://healthitsecurity.com/news/hospitals-spend-64-more-on-advertising-after-a-data-breach >, accessed on April 14, 2020.

Stephen Whelan is director of product development, management and professional liability, Verisk. He can be reached at Stephen.Whelan@verisk.com.