This summer, the U.S.-based pharmaceutical giant Merck suffered the Petya ransomware attack, which demanded a ransom in exchange for unlocking its computers, leaving them locked and inaccessible otherwise. One month earlier, the WannaCry ransomware attack devastated many large organizations around the world, including national health-care organizations such as the UK’s National Health Service (NHS).
Last week, cybersecurity experts warned that medical care faces new additional risks it is not prepared to handle. The new threats come from the “Internet of Bodies”: IoT devices incorporated into human bodies for medical purposes.
“Health-care companies are probably the most susceptible to upcoming ransomware attacks—and these attacks will come again, we have no doubts about it,” said Marty P. Kamden, IT security expert and CMO at NordVPN. “Outdated technology, lack of experience in managing the IT sector, and vulnerabilities of the new Internet-connected medical devices pose a grave danger to the safety and even lives of thousands of medical patients around the world.”
In fact, several months ago the FBI (United States Federal Bureau of Investigation) issued a warning to all health-care sector companies to remain vigilant against new cyber threats, possibly stemming from foreign governments.
Here is NordVPN’s advice on protecting health-care companies from cyberattacks:
- Don’t use FTP servers operating in anonymous mode. According to the FBI, “some criminal actors from abroad are trying to target protected health-care information (PHI) and other personally identifiable info (PII) from medical facilities to intimidate, harass, and blackmail business owners.” The FBI alerted health-care companies specifically about the use of FTP servers operating in anonymous mode, which allow anyone to log in without credentials.
- You are only as strong as your weakest link. Health-care companies should choose their suppliers carefully and work with them to tighten overall IT security. The new trend is supply-chain attacks: attackers look for the weakest link in the supply chain to install their malware, which then affects every company in the chain. A supply-chain vulnerability was used in the destructive NotPetya attack, which originated in Ukraine and spread to various European and U.S. organizations.
- Use a VPN. Health-care organizations usually use an intranet for private internal communications, which includes local area networks (LANs) as well as on-site networks. When employees need to access the organization’s intranet while traveling or working remotely, they should use a virtual private network (VPN) for a secure connection. On a public or unprotected Wi-Fi connection, a VPN creates an encrypted tunnel between the computer and the intranet or VPN server, so that traffic cannot be read or tampered with by anyone else on that network.
- Back up all data. Organizations should back up their data to external drives and keep them unplugged and stored away, so that ransomware cannot reach the copies. Backing up data regularly is one of the best ways to protect an organization from ransomware, because the attacker’s leverage depends on the data existing only on the encrypted machines.
- Back up all systems and configurations. In addition to data backups, health-care organizations can protect themselves from ransomware attacks by backing up all their systems and configurations, so that affected machines can be rebuilt rather than ransomed.
- Analyze the effects of a potential ransomware attack and get ready. Organizations should assess their risks and make a list of their most vulnerable systems. Those systems that cannot be down for more than one hour need to be especially well protected and to have a clear backup and recovery plan.
- Carefully choose cybersecurity vendors. Many medical organizations are scrambling to hire experienced IT staff now that the ransomware attacks have shocked the health-care world. However, it is wise to get outside consulting help as well, by hiring external experts who can evaluate the vulnerabilities of the entire organization.
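As an added defender’s check for the first item above (anonymous FTP), and not code from the article or from NordVPN, the following Python audits a vsftpd-style configuration file. It assumes vsftpd.conf syntax (one `key=value` per line, `#` comments) and vsftpd’s documented default of `anonymous_enable=YES` when the key is absent; the weak and hardened sample configurations are constructed for the example.

```python
# Assumption: vsftpd's documented defaults; anonymous_enable defaults to YES,
# so a config that never mentions it is still running in anonymous mode.
DEFAULTS = {
    "anonymous_enable": "YES",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
}
TRUE_VALUES = {"YES", "TRUE", "1"}


def parse_vsftpd(text):
    """Parse key=value lines, ignoring blank lines and '#' comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_anonymous_ftp(text):
    """Return a list of findings; an empty list means anonymous access is off."""
    s = parse_vsftpd(text)
    findings = []
    if s.get("anonymous_enable", DEFAULTS["anonymous_enable"]) in TRUE_VALUES:
        if "anonymous_enable" in s:
            findings.append("anonymous_enable=YES: logins without credentials allowed")
        else:
            findings.append("anonymous_enable not set: vsftpd defaults it to YES")
        # Anonymous write access turns the server into a drop site as well.
        for key in ("anon_upload_enable", "anon_mkdir_write_enable"):
            if s.get(key, DEFAULTS[key]) in TRUE_VALUES:
                findings.append(f"{key}=YES: anonymous users can write to the server")
    return findings


# Constructed sample: the weak "anonymous mode" configuration.
WEAK_CONF = "listen=YES\nanonymous_enable=YES\nanon_upload_enable=YES\nlocal_enable=NO\n"
# Constructed sample: a config that never sets the key, so the default applies.
IMPLICIT_CONF = "listen=YES\nlocal_enable=YES  # anonymous_enable omitted\n"
# Constructed sample: anonymous access explicitly disabled, TLS enabled.
HARDENED_CONF = "listen=YES\nanonymous_enable=NO\nlocal_enable=YES\nssl_enable=YES\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("implicit", IMPLICIT_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_anonymous_ftp(conf) or ["OK: anonymous access disabled"])
```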
The most difficult task remains the protection of Internet-enabled medical devices. “When it comes to Internet-connected medical devices, there is not much that hospitals can do. Regulations must be placed on manufacturers demanding tighter in-built security, and these regulations must come from the government,” said Marty P. Kamden. “By hijacking Internet-run medical devices, hackers can administer fatal doses of drugs or use monitors as entry points to larger hospital networks, which could lead to theft of medical records or ransomware attacks.”