Healthcare: cyber attacker’s new prime target

According to a recent report published by IBM, the rate of cyber attacks against the healthcare sector climbed to the highest level of all industries studied. In the US, healthcare data breaches accounted for 35% of all reported data breach incidents last year.

The 2016 Ponemon Institute study on privacy and security of healthcare data reported that 50% of US healthcare data breaches were due to criminal attacks, whilst only 13% were due to a malicious insider.

Medical records are ‘data gold mines’ and provide hackers with a treasure trove of personal data that can be used for medical identity theft and fraud. Medical data sells for a high price on the black market, reportedly up to 20 times the price of stolen credit card numbers.

Cybersecurity vulnerability: ransomware

Studies have found that hospitals often lack sufficient technology to prevent or detect a breach and the healthcare sector is said to have one of the lowest rates of data encryption. Many hospitals lack the technology, cyber security budgets and personnel with sufficient technical expertise to minimise and respond to the constant and evolving cyber threat.

However, it is not only data breaches that pose a threat to hospitals. There is an alarming new healthcare cyber attack trend emerging in the US - ‘ransomware’. Ransomware (a form of malware) does not access or steal data but instead encrypts it so that users are unable to access it. In February 2016, a hospital in the US was forced to pay the equivalent of $17,000 in bitcoin (a digital asset and payment system) to hackers in order to unlock its electronic health records and other computer software. In the interim, the hospital had to record patient data on paper and communicate it by fax machine and telephone for more than a week. Ultimately, the hospital paid the ransom because it considered this the quickest and most efficient way to restore its systems and administrative functions.

Indeed, cyber criminals use crypto-ransomware knowing that they can exploit the critical nature of the data: denying access to it can render a medical facility ineffective. Because the data and systems are so critical to operations, locking them down with ransomware produces victims who are more likely than not to pay.

Cybersecurity of medical devices

A cybersecurity vulnerability exists whenever the software provides the opportunity for unauthorised access to the network or medical device. New medical equipment that transmits patient information electronically provides another potential source of fertile ground for hackers. In the US, the Food and Drug Administration (FDA) has published its concern about the risk to the safe and effective operation of medical devices that such vulnerabilities may represent. In one recent case, the FDA issued a warning for hospitals not to use a particular brand of infusion pumps due to a vulnerability that could allow a hacker to take control of the device and change the dosage that the pump delivered.

Alarmingly, published research predicts that the number one cyber security vulnerability for 2016 is ransomware for medical devices. Fear exists that hackers could use malware to infiltrate and disable a medical device and hold the patient (whose care is reliant on that device) at ransom. Since a medical device malfunction could result in the serious harm or death of a patient, such a possibility could be the digital equivalent of a hostage situation.

While there is no documented case of a hacker holding a patient to ransom via their medical device, cyber security experts recognise that, from a technical standpoint, ransomware could be adapted to attack wearable medical devices.

Ransomware is a severe threat to the healthcare sector, and such attacks are expected to grow significantly. Whilst paying the ransom to obtain the decryption key might restore access to a hospital’s systems, there is no guarantee that the systems will not be locked again. There is also the possibility that, in the future, paying a ransom may not be an option at all: some cyber attackers may launch a ‘denial-of-service’ attack on a hospital’s systems purely for destructive purposes.

The challenge posed to the healthcare sector is clear. Failure to address these vulnerabilities could not only have an adverse effect on public health, but also raise taxing considerations with regard to insurance cover and the ability to pay such demands.

Published in Healthcare Brief - July 2016 and Hong Kong Medical Law Brief - May 2017.