By Anis Shakirah Mohd Muslimin
[email protected]
As a national epidemic of health-care hacking goes local, network security experts say they anticipate the national trend of cyber attacks to continue to rise this year.
Iowa City’s Mercy Hospital is the latest victim in a stream of computer virus infections across the nation.
“One of the predictions we made in our 2016 predictions is that extortion is going to increase,” said Jon Clay, the senior global marketing manager at Trend Micro. “And this is a form of extortion, they are extorting organizations for ransom by encrypting files or making systems inaccessible. So we don’t see this diminishing any time soon.”
According to the Identity Theft Resource Center, the number of U.S. data breaches tracked in 2015 totaled 781, the second highest year on record since the ITRC began tracking breaches in 2005.
Clay said the high infection rates on organizations means it has been fairly easy for hackers to intercept different groups. He said a lot of the traditional technologies, such as emails, are being by-passed by these threats.
“The rise of ransomware attacks aimed at hospitals over the last several months indicate that cybercriminals are increasingly targeting patient information due to its valuable nature,” said Zubair Shafiq, a UI computer-science professor who does research on computer and network security.
According to a press release by Mercy Hospital, Mercy Iowa City notified affected patients on March 25 about a privacy breach that occurred on Jan. 26.
Mercy wrote it immediately took steps to secure the computer systems and began an internal investigation, including working with a leading forensics firm to assist with the investigation, the press release said.
Recently, Methodist Hospital, located in western Kentucky, came under a ransomware attack. Ransomware is a type of malware that restricts access to the infected computer system in some way. Hackers would demand the user pay a ransom to the malware operators to remove the restriction.
Hollywood Presbyterian Medical Center in Los Angeles was attacked on Feb. 5, the attack resulted in a two-week standoff, which ultimately ended with the institution paying a $17,000 ransom.
The most recent attack alongside Mercy was the March 28 attack on MedStar Health — a not-for-profit health-care organization in Washington. A virus attacked the computer network of the organization, forcing the medical network to shut down its online database.
“It’s important that the vendor of the software fixes the bugs in the software as soon as possible.” Shafiq said. “Attackers hope they can launch attacks on software which have zero dead bugs.”
Medical institutions are the current targets of cyber hackers because hospitals have information that is very important and valuable, such as electronic data, personal health information and financial data, Clay said.
The critical systems of hospitals, he said, also make it susceptible to hackers.
“Hospitals, governments, and financial-services organizations are ideal targets for the cybercriminal today because they house highly valuable personal and mission critical information,” said Michael Zofkie, the Midwest regional sales director of Comodo, a privately held group of security companies providing computer software and SSL digital certificates.
The bottom line is, Zofkie said, for IT departments to focus their shift from detection of a cyber attack to prevention of a cyber attack, which requires them to install modern, secure web gateways and advanced endpoint protection solutions that can stop malware and cyber attacks.
The need to comply with strict federal regulations such as HIPAA, Shafiq said, also makes it harder for medical institutions to change and update their software.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information.
“And remember all software are susceptible to attacks, there is no secure software,” he said. “So when people find out there are different bugs in a software, if they cannot quickly patch those software, it’s a problem.”