Following the news of an Anonymous hacker gaining access to Turksih citizens’ hospital information, David Emm, Principal Security Researcher at Kaspersky Lab commented on this news below.
David Emm, Principal Security Researcher at Kaspersky Lab, said:
The news of an Anonymous hacker gaining access to Turkish citizens’ hospital information is another warning to manufactures and developers that medical equipment needs to be secure before being used to care for patients.
There are a range of motives for all kinds of cyber-attack, ranging from financial gain, the desire to make a social or political point, cyber-espionage or even, potentially, cyber-terrorism. In this case, the attackers claim that this is revenge for cyber-attacks against US hospitals by Turkish hackers.
Cybercriminals can exploit software vulnerabilities to steal patients’ data or infect the network with malware. The extent of the breach isn’t yet clear, although there is some suggestion that the hackers have managed to steal patient information, including the HIV status and abortion history of some patients, which could be used to shame an individual or extort money from them. In an attack of this sort, hackers could potentially also alter the data in patients’ electronic health records, turning a healthy person into a sick one or vice versa. They could change some test results or dose strength —seriously damaging patients’ health.
Cyber-security awareness in hospitals has traditionally not been very high. Not only can cyber-security appear cumbersome, it can also seem unnecessary. For one thing, it’s not something that hospitals have traditionally had to worry about. In addition, they might believe they’d never be chosen as targets by cybercriminals. It would help if the government were to introduce strict regulation, based on sound security principles, for IT-systems that control critical infrastructure – including hospitals.
Hospitals, their IT departments and medical equipment suppliers should make sure all the software they use is always up to date. High-end, fully patched security software can block opportunistic malware-for-profit attacks, such as ransomware. But it’s important that security is seen as an ongoing process that can’t simply be fixed by simply deploying an out-of-the-box solution. It must include policies to manage different systems within the organisation and a programme to develop greater security awareness among staff
There’s also the broader challenge of improving the level of security of digital equipment – particularly if it’s used in critical infrastructure and devices – including medical ones. It’s an issue that requires a lot of work from government: it needs to introduce and enforce security standards for producers of equipment and software developers.