Are Hospitals Taking the Hippocratic Oath in Cybersecurity?
Contrary to popular belief, the original Hippocratic Oath doesn’t require caregivers to “do no harm.” Instead, it mandates that doctors treat their patients with care, give the best health-related advice possible, and see to it that the patients do not suffer any “hurt or damage.”
The oath was written in antiquity, when wars were fought on land or by boat and the word ransom was synonymous with Helen of Troy. Fast-forward to today, where cyberspace is the battlefield, skirmishes are fought with bytes and botnets, and the word ransom scares every organization connected to the Internet.
Hospitals, which until recently saw little exposure to cyber attacks, now find themselves firmly in the crosshairs of hackers and their extortion attempts. And when it comes to a payday, cyber criminals don't discriminate between hospitals and corporations as long as there's money to be made.
With precious seconds and lives on the line, hospitals that receive ransom notes are often caught in a tough spot.
One option is to pay the ransom in the hope of regaining access quickly. This relies on the attacker honouring the deal, and it does not inoculate the hospital against future attacks; in fact, a hospital that is known to have paid can become a prime target for the next extortionist. The other option is to refuse, and instead loosen the attacker's grip on the digital infrastructure by isolating the infected systems and restoring from backups. This option, while noble, doesn't guarantee immediate relief. Time matters.
Regardless of debate positions, the patients – and their sensitive information – remain in the crosshairs. And thanks to the Internet of Things (IoT), the attack surface is now wider.
IoT was conceptualized as a way to improve efficiencies. Rather than have a nurse check every patient’s vitals and administer medication if warranted, IoT automates the process, allowing for instantaneous attention. But as is often the case with technology, there can be unintended consequences if the network isn’t secure.
According to a Bloomberg Business article, some vulnerabilities were built into the equipment itself, leaving the machine, and its patients, at the mercy of whoever reaches it. With enough knowledge of the device, an attacker could make it report a false reading and dispense a lethal dose of medication.
But there are potential remedies for the healthcare industry:
1. Maintain Sterilization via Social Engineering Education
Social engineering, manipulating somebody into acting so that the attacker gains something from them, remains the number one vulnerability for hospitals and enterprises alike. Hospital workers want to help, and that kindness is often turned against the organization. Whether it's plugging in a malware-infected USB stick or simply leaving paperwork on the counter, germs aren't the only foreign enemy in hospitals. Continuing education and updated policies on how to interact with the general public and with organizations outside the hospital are strongly recommended.
2. Secure Your Network and Devices
It's foolhardy to ask hospitals to pull the plug on interconnected devices. IoT-enabled devices are ingrained in our healthcare system, but as we noted earlier, not all are properly secured. If your network isn't buttoned up, a hacker sitting in the lobby can reach devices, patient information and sensitive records in a few keystrokes. Good practice is to run separate networks, so that guest Wi-Fi and general office systems cannot reach clinical devices at all, to replace the default credentials devices ship with, and to change device passwords periodically.
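The "multiple networks" advice comes down to a zone policy that a guest in the lobby cannot cross, and the usual ways it fails are a flat network or a rule placed in the wrong order. The following added example (not code from the article) simulates first-match firewall evaluation over a hypothetical address plan with guest, clinical and management zones, shows the weak flat policy beside a segmented one, and audits both for flows that must never be allowed. Zone names, address ranges and rule comments are all constructed for illustration.

```python
"""Zone-based network segmentation check.

Added example, not code from the article. Zones, address ranges and rules
are constructed for illustration: a guest/lobby Wi-Fi zone, a clinical
device zone (pumps, monitors) and a management zone for biomedical
engineering workstations. Rules are evaluated first-match with a default
deny, like most firewalls.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str        # source CIDR
    dst: str        # destination CIDR
    action: str     # "allow" or "deny"
    comment: str = ""


def first_match(rules, src_ip, dst_ip, default="deny"):
    """Return the action of the first rule matching src_ip -> dst_ip."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule.action
    return default


# Hypothetical address plan.
GUEST = "10.10.0.0/16"      # lobby / patient Wi-Fi
CLINICAL = "10.20.0.0/16"   # infusion pumps, monitors, imaging
MGMT = "10.30.0.0/24"       # biomedical engineering workstations

# Weak setting: one flat network, anything can reach anything.
FLAT_NETWORK = [Rule("0.0.0.0/0", "0.0.0.0/0", "allow", "flat network")]

# Corrected setting: guests get Internet only; only MGMT manages devices.
SEGMENTED = [
    Rule(GUEST, CLINICAL, "deny", "lobby Wi-Fi never reaches devices"),
    Rule(GUEST, MGMT, "deny", "lobby Wi-Fi never reaches management"),
    Rule(MGMT, CLINICAL, "allow", "biomed workstations manage devices"),
    Rule(CLINICAL, CLINICAL, "allow", "device-to-gateway traffic"),
    Rule(GUEST, "0.0.0.0/0", "allow", "guest Internet access"),
]

# Common mistake: the broad guest allow sits above the denies, so with
# first-match evaluation the denies are never reached.
MISORDERED = [SEGMENTED[4], SEGMENTED[0], SEGMENTED[1],
              SEGMENTED[2], SEGMENTED[3]]

# Flows that must be blocked regardless of how the rules are written.
REQUIRED_DENIES = [(GUEST, CLINICAL), (GUEST, MGMT)]


def audit(rules):
    """Return the required-deny (src, dst) pairs that the policy allows.

    Probes with the first usable host of each zone. A full audit would
    test every rule boundary, but one probe per zone already catches the
    flat and misordered policies, which are the usual failures.
    """
    violations = []
    for src_net, dst_net in REQUIRED_DENIES:
        src_probe = str(next(ip_network(src_net).hosts()))
        dst_probe = str(next(ip_network(dst_net).hosts()))
        if first_match(rules, src_probe, dst_probe) == "allow":
            violations.append((src_net, dst_net))
    return violations


if __name__ == "__main__":
    for name, policy in [("flat", FLAT_NETWORK), ("misordered", MISORDERED),
                         ("segmented", SEGMENTED)]:
        print(f"{name:10s} violations: {audit(policy)}")
```

Running it prints violations for the flat and misordered policies and none for the segmented one; the same `audit` call is what you would run whenever the rule set changes, since the guest-to-clinical deny is exactly the kind of rule that quietly stops working when someone adds a broad allow above it.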
3. Bolster Your DDoS Defenses
Distributed denial of service (DDoS) attacks aren't going anywhere. In fact, they're only becoming more complex and commonplace. According to recent research, 73% of organizations were hit with an attack, with 82% suffering more than one strike. The latest dangerous trend is multi-vector attacks that target everything from your DNS to NTP. And because hackers are increasingly opting for 'low and slow' attacks that exhaust a server's connection capacity with a trickle of traffic rather than overwhelming the link, a shift in network traffic that was once dismissed as an oddity is now a cause for concern.
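Both patterns described above can be watched for with very little tooling: a sudden shift shows up as a request rate far outside the baseline, while a low-and-slow attack shows up as one source holding many long-lived connections that carry almost no data. The following added example (not code from the article) implements both checks in Python over constructed data; the per-minute counts and the `src=... dur=... bytes=...` connection snapshot are a hypothetical export format made up for illustration, not the output of any real product.

```python
"""Two traffic checks for the DDoS patterns above: a sudden volumetric
shift, and a 'low and slow' resource-exhaustion pattern.

Added example, not code from the article. The per-minute counts and the
connection-table snapshot are constructed for illustration; the field
names (src, dur, bytes) are a hypothetical export format.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed: requests per minute at the hospital web front end over a
# quiet ten-minute baseline.
BASELINE_PER_MINUTE = [118, 124, 131, 120, 127, 115, 129, 122, 125, 119]


def volumetric_shift(baseline, current, k=3.0):
    """Flag a window whose request count exceeds mean + k*stdev of the
    baseline. Returns (flagged, threshold)."""
    mu, sigma = mean(baseline), pstdev(baseline)
    threshold = mu + k * sigma
    return current > threshold, threshold


# Constructed snapshot of open connections: one line per connection with
# the seconds it has been open and the bytes it has carried so far.
CONN_SNAPSHOT = """
src=203.0.113.7 dur=295 bytes=410
src=203.0.113.7 dur=287 bytes=380
src=203.0.113.7 dur=280 bytes=402
src=203.0.113.7 dur=271 bytes=365
src=203.0.113.7 dur=266 bytes=390
src=203.0.113.7 dur=259 bytes=371
src=198.51.100.4 dur=3 bytes=52000
src=198.51.100.4 dur=2 bytes=48000
src=192.0.2.9 dur=310 bytes=900
"""


def parse_conn(line):
    """Parse 'src=... dur=... bytes=...' into (src, dur_seconds, bytes)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], int(fields["dur"]), int(fields["bytes"])


def low_and_slow(snapshot, min_conns=5, min_dur=60, max_bps=10.0):
    """Return sources holding at least min_conns connections that are each
    open longer than min_dur seconds yet moving at most max_bps bytes/s.

    A legitimate client finishes its request in seconds; a slow-header or
    slow-read attacker holds many connections open with a trickle of data,
    which this check isolates even though no bandwidth spike appears.
    """
    slow_per_src = defaultdict(int)
    for line in snapshot.splitlines():
        if not line.strip():
            continue
        src, dur, nbytes = parse_conn(line)
        if dur >= min_dur and nbytes / dur <= max_bps:
            slow_per_src[src] += 1
    return sorted(src for src, n in slow_per_src.items() if n >= min_conns)


if __name__ == "__main__":
    flagged, thr = volumetric_shift(BASELINE_PER_MINUTE, 310)
    print(f"310 req/min exceeds threshold {thr:.1f}: {flagged}")
    print("low-and-slow sources:", low_and_slow(CONN_SNAPSHOT))
```

In the constructed snapshot, 198.51.100.4 moves a lot of data but closes quickly and 192.0.2.9 has a single slow connection, so only 203.0.113.7 is reported. The thresholds are deliberately parameters: the right `min_conns` and `max_bps` depend on what your own front end normally serves, which is why keeping a baseline matters.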
4. Prioritize Patches and Updates
This advice sounds obvious, but it often goes unheeded. Several recent high-profile hacks can be traced to updates or patches that were never installed. If a hacker has their eyes set on your network, one missed patch is all it takes to infect and hijack your digital infrastructure. It's also advised to back up systems to storage that isn't connected to the Internet, and to test that those backups can actually be restored before you need them.
5. Information Sharing is Caring
As in most assaults, attackers prey on the vulnerable and misinformed. Routinely sharing best practices and communicating the threat landscape with peers and law enforcement is an important step towards protection. Although hackers vary their techniques, they also live by the creed "if it ain't broke, don't fix it": a method that worked against one hospital will be reused against the next. By sharing attack insights and stories, hospitals can band together and take steps to prevent attacks before they begin.
As the public learns more about cyberattacks aimed at the healthcare sector, the debate over paying ransoms may not be enough. Now that hospitals know they're just as susceptible to attacks as anyone else, if not more so, there will be increased pressure to safeguard their networks and live out the newest version of the Hippocratic Oath, which is to "do no harm."