Healthcare Cyber Attacks on the Rise: ‘They are willing to attack anybody,’ says UW Cybersecurity Instructor

Tiffany Stronghart October 2, 2024

Imagine working in the emergency room of a major hospital, where a severely ill patient has been brought in by ambulance. They’re unconscious, and it’s unclear why they’re so sick. You’ll need to run several tests to see what’s ailing them, and you must do it quickly.

Now imagine that the computer systems connected to the medical devices you need to save your patient have been compromised. The hospital’s entire security system is now at risk. In fact, the machines you need to use on your patient aren’t working because they’ve been taken over by hackers, forcing you to make some difficult decisions.

This scenario is becoming more and more real every day due to security breaches in healthcare facilities.

Cyber attacks against healthcare systems have almost doubled in the past year, according to a recent op-ed in US News. More than 134 million people had their health information exposed or stolen last year, compared with 55 million people the previous year. The average cost of these breaches is more than $10 million per incident.

“We never thought that the healthcare side of things would be attacked,” says Tony Varghese, an instructor in the Master of Science in cybersecurity degree at the Universities of Wisconsin. “I guess we assumed that people would be good. But then we’re finding out that, no, a lot of people don’t care. They’re going to attack anything that’s vulnerable. [In a hospital], your eye is on saving patient lives. You don’t take into consideration that you can be attacked. You assume that no one’s going to attack you because the core mission is so focused on saving lives.”

And that assumption is actually why attacking a hospital is so appealing to some threat actors. It’s unexpected and the stakes are much higher.

“When there’s a healthcare crisis, an emergency, the last thing you want to deal with is [patient] information getting hacked, while you’re literally trying to save their life,” Tony says.

In addition to financial gain, some attackers execute denial of service attacks or act maliciously toward a facility because they are disgruntled with an organization. These attacks will only increase, according to Tony.

“There’s going to be a lot more attacks. Attackers are going to look for new ways to make money. So new targets are popping up all the time.”

Hackers can make money by demanding ransom, selling stolen data to other entities, and using stolen data to access financial accounts and steal funds. Some of the attacks that happen in healthcare facilities specifically take place through smart devices connected to the Internet of Things (IoT). While these devices were created to help make daily tasks easier, some can be gateways to a serious security breach because they also connect to other items, like a computer system. It’s like those who use their phones to connect to multiple devices, such as their thermostat, security cameras, or other appliances at home. If their phone is stolen or hacked, the thief now has control over multiple aspects of their household.

“Now you have this way to get into a hospital that involves someone’s medical device, like an insulin pump or a cardiac pacemaker,” Tony says. “[If security measures aren’t put in place], they can infiltrate the entire hospital. These gangs have figured out that healthcare companies are susceptible to attack. They are willing to attack anybody; no scruples about putting people in danger.”

Lucas Pralle, who is finishing his master’s in cybersecurity from the Universities of Wisconsin, works in IT for Marshfield Clinic and has been able to apply what he’s learned in his courses directly to his job. Lucas found cybersecurity after working as an educator and volunteering to help students fix problems with their computers. After seeing some of his students fall victim to computer viruses and scams, he knows firsthand the significant danger a security breach poses for a healthcare organization.

“When these attacks happen, because of the digital nature of this stuff, entire operations can grind to a halt, which can be deadly in a healthcare environment,” Lucas says. “And the thing about healthcare that makes it very unique is that these organizations are very complex business operations. You’ve got your laptop, where you’re looking at your email, or you’re looking at the medical records. And you also have an EKG machine hooked up to the network that needs to work or an MRI machine or a helicopter. Or a dispatch for an ambulance. They are very complex organizations.”

Devices connected to Wi-Fi also are a security risk. Some of the simplest or most innocuous things, like smart speakers, can be used for attacks.

“If a hospital gets a Wi-Fi enabled projector just to make presentations, now that becomes a new point of attack,” Tony says. “It might be the weakest link in their whole company or organization. If someone gets in through the projector, they can attack the rest of the network.”

Healthcare facilities are being forced to catch up with security protocols that banks have used for many years. The good news is that the techniques to prevent, mitigate, and respond to attacks are the same.

And with the increase in attacks, hospitals and clinics may have to hire more staff to mitigate them, opening the door to a strong job market for cybersecurity professionals.

In the cybersecurity program at the Universities of Wisconsin, students can prepare for these potential threats by learning about security basics, and the technical and management aspects of cybersecurity. Many of the security techniques they learn are similar to those used to prevent financial breaches. Even without a technical background or bachelor’s degree in a computer-related field, students in the program can still thrive.

“People might think that healthcare is somehow different,” Tony says. “You have to use the same security techniques that we’ve learned from past attacks. You want to plug all of the security holes, and these are things that we go over in our courses. All of your protection schemes will work until they don’t. And when they don’t work, then you better have a plan.”

A lot of security is just planning for the worst case, Tony says, because often, when you’re in the middle of an attack, it’s hard to figure out what to do next. But if your organization has policies, procedures, and guidelines on what to do, the response will be more effective and more efficient.

“By doing the planning, you can respond quickly. You have to have the right teams in place, and they have to be ready to respond. And then at the end of all of the responses, make sure that you figure out the lessons learned. The lessons learned part is what will help prevent future attacks.”

Legal issues may also arise when attacks happen, and most companies will have to follow state and federal laws in reporting the breach.

“If you don’t follow breach notification laws, your company risks getting sued, and there’s reputational damage to your organization,” Tony notes. “So we teach students how to plan an incident response. If you are attacked, you want to be very careful when you try to figure out what happened. Agencies like the FBI will follow digital forensics procedures to make sure that they access data without corrupting the evidence. So if you as a system administrator go in and try to figure out what happened, it’s the worst thing you can do sometimes because you may end up compromising the evidence. There may not have been a crime, but you want to treat a breach like a crime scene.”

AI is also a major concern. Though it can be used to detect malicious activity and minimize damage by automatically blocking threats before security breaches occur, it can also be used by attackers.

“On the one hand, AI can make a lot of tedious security tasks doable. But on the other hand, AI opens a huge hole where people can access data and misuse it,” Tony says.

Even productivity programs, like Microsoft Co-Pilot, can be misused. Microsoft launched Co-Pilot several months ago but had to pivot some of its features due to concerns from security professionals.

“Microsoft thought it’d be great if Windows could do screen captures every few seconds,” Tony says. “They had thought that those screenshot captures could be analyzed using AI, to figure out where files and folders were and what you did with them in the past. The problem was that if this data were misused, if someone was able to access this Co-Pilot data, they could see what you did. They could find all this patient information, they could find login information, all of it.”

“Microsoft was going to roll this out as this huge boost to productivity. But you don’t ever want to use anything like that in a hospital setting, or in companies that provide services to hospitals, ambulances, 911, emergency services, all of those things,” he adds.

For Lucas, the challenge of thwarting attacks and beefing up security in a healthcare setting is fulfilling.

“I do like being in healthcare because I always want to make sure that, in my life, I want to feel like I’m making a difference. When I’m walking around, when I’m seeing patients, when I’m helping out providers and different staff and things like that, there’s never a day where I go home and I wonder if I did something that mattered, because it’s clear. And that’s exactly where I want to be.”

Are you interested in pursuing a career in cybersecurity? Even if you come from a non-technical background, this program can still be a fit for you. Check out the program’s curriculum or connect with a helpful enrollment adviser at 608-800-6762 or learn@uwex.edu.
