It’s being reported that a hacker or hacker group might have stolen healthcare data for more than half of Norway’s population, according to reports in local press. The attack took place on January 8 and came to light this week when Health South-East RHF, a healthcare organization that manages hospitals in Norway’s southeast region, announced a security breach on its website. IT security experts commented below.
Gary Cox, Director of Western Europe at Infoblox:
“Following last year’s WannaCry attack on the NHS, and the recent incident in which ransomware forced a US hospital to shut down its computer systems, this latest breach illustrates the extent to which healthcare providers have become a prime target for cybercriminals. Indeed, even TV dramas such as the BBC’s Silent Witness are highlighting the monetary and personal risks to organisations that allow personal information to be leaked.
The wealth of sensitive information held by healthcare organisations is immensely valuable to criminals and, as technology becomes more ingrained into core healthcare offerings, there is an increased threat of cyberattacks stealing sensitive patient data, disrupting services, and putting lives at risk.
It’s little surprise, therefore, that 85 percent of healthcare providers have reported an increase in their cybersecurity spending over the past year, with a third investing in DNS security solutions, which can actively disrupt attempts at data exfiltration.
It’s crucial that healthcare IT professionals plan strategically about how they can manage risk within their organisation and respond to active threats to ensure the security and safety of patients and their data.”
Raj Samani, Chief Scientist and Fellow at McAfee:
“Security breaches affecting hospital’s around the globe now seem to be happening with an alarming regularity, due to the high importance of uptime to deliver essential medical services, as well as the wealth of sensitive data held on its networks. Unlike the ransomware attack on Hancock Regional Hospital in Greenfield earlier this week that exploited hospitals’ need to avoid disruption to services, this hack has exposed a massive amount of data that could have significant repercussions on the individuals – exposing them to fraud.
However, despite how it seems the criminals behind these attacks are not invincible. The cybersecurity industry needs to work together to combat the growing rate of cybercrime targeting public services by making threat intelligence sharing compulsory so that they are best equipped to defend against this threat. Once this is in place every attack will lead us a step closer to finding those responsible.”
Paul Farrington, Manager EMEA Solution Architects at CA Veracode:
“With the vast amount of sensitive data that it holds, the healthcare industry is a prime target for cyberattacks. While we’ve seen a shift recently towards targeting hospitals with ransomware to disrupt services, this case shows that the data itself is still of value to cybercriminals.
Despite the number of high profile cyberattacks on healthcare organisations of the last 12 months, results from the State of Software Security report exemplified the clear investments that many healthcare organisations are taking to secure their digital assets. For example, the pass rate for applications from healthcare organisations against OWASP, which lists the most critical vulnerabilities categories in web applications, rose to 30 percent of applications, up from 27.6 the previous year.
However, it is crucial that healthcare organisations continue to invest in their cybersecurity defences. This is the second high profile attack on healthcare organisations of the week, following the ransomware attack on Hancock Regional Hospital in Indiana, making it clear that the healthcare industry is a prominent target. With the clocks ticking on GDPR, a breach like this in the private sector will have severe financial implications for a firm.”
Andy Norton, Director of Threat Intelligence at Lastline:
“This is another wake up call, for organisations planning to be GDPR compliant. The health service was notified on the 8th of January that anomalies in traffic patterns were occurring. They have 72 hours to gauge the impact. Before notifying authorities and effected parties, the actual evidence gathering and notification has taken much longer than the GDPR requirement. Automated Breach prevention is only appropriate security mechanism for GDPR notification requirements.”