Why cybersecurity experts are so concerned about the health-care industry

New research released by two security companies paints an unsettling picture for the health-care industry: Hackers are stepping up their attacks on hospitals and other health organizations that may be ill prepared to defend against the wave of malicious activity.

In its quarterly threat report unveiled Tuesday, cybersecurity company Rapid7 found that the health-care sector experienced a surge in cyberattacks during the first quarter of 2018 - so many that it ranked as the top-targeted industry in the first three months of the year.

The spike marked a continued shift away from attacks on the financial, professional and administrative services industries as hackers seek to take advantage of health organizations' aging and complex IT systems, which are difficult to secure quickly, according to Rapid7.

Right on the heels of Rapid7's research, the Internet of Things security firm Pwnie Express is going live Wednesday morning with an unrelated survey containing more troubling news: In a poll of more than 500 security professionals, 51 percent of them said the health-care and public-health sectors were the least prepared for cyberattacks. The pros said the industry was the most vulnerable among the country's 16 critical infrastructure sectors - and 85 percent of them said a major cyberattack on critical infrastructure was likely in the next five years.

Health organizations "have a lot of work to do" to secure their systems, said Rebekah Brown, Rapid7's head of threat intelligence.

"Given everything we know about how the health-care sector operates and some of the legacy systems they use, they are probably more vulnerable than other sectors based on the systems they use alone," she told me.

The health-care sector makes an appealing target for hackers for a few reasons, according to Brown. For one, hospitals and insurers keep troves of data that are easy for a cybercriminal to monetize - such as billing and insurance information. The biggest risks to most patients are identity theft and fraud.

But personal health records carry a different kind of value for more sophisticated attackers. Information about someone's personal or family health history could be used for blackmail or phishing, or help an adversary masquerade as someone else. State-sponsored attackers could use such details for intelligence purposes, according to Brown.

"Any information they can get on someone they've targeted is useful little pieces that become valuable, even if they're not monetizable," she said.

Hospitals are vulnerable in part because they often rely on equipment that's built to last 15 to 20 years, meaning it runs older software that's trickier to update than, say, a typical office computer. And with so many hospital devices interconnected, it's hard to tell how an update to one will affect other equipment in the system.

The problem extends from MRI machines to the devices nurses wear on their wrists that remind workers to wash their hands, said Todd DeSisto, chief executive of Pwnie Express. "Those are great in terms of productivity enhancements, but you're also more exposed because they're all connected to the Internet," he told me.

DeSisto also said the health-care and energy sectors are particularly at risk because of the range of devices they use. "The IoT [Internet of Things] penetration is higher in those environments because these are sophisticated pieces of equipment," he said. "There's lots of different kinds of attack points.They're ripe targets."

We've seen this in practice. Just last month, the cybersecurity company Symantec revealed that an attack group called Orangeworm was targeting the health-care industry and had infected malware on X-ray and MRI machines. Orangeworm was also observed meddling in machines used to help patients fill out consent forms, according to Symantec.

Brown said it was important to note that the spike in attacks on the health-care sector didn't necessarily mean a spike in successful attacks - indeed, plenty of attempts failed. But health organizations should take note of the growing threat and respond carefully, she said.

"The fact that they're still trying, that they don't just fail and give up, shows that this is a true interest," Brown said. "And they seem determined to see what they can do."