Hospital IT Systems At Risk for Denial of Service Cyber Attacks
While disruptions with Twitter, Netflix, and Amazon dominated the news coverage during last week’s massive denial of service cyberattack against Dyn, a major domain name system (DNS) host, web-based electronic health record (EHR) vendors were also negatively impacted, according to news reports.
Web-based EHR providers such as athenahealth and Allscripts both experienced periodic outages throughout the day on Friday, October 21, Modern Healthcare reported. A spokesperson for athenahealth clarified in that publication that the company’s customer-facing retail website was down, but that their provider clients experienced normal service.
Despite the minimal impact of this particular attack, in which cybercriminals flood an organization’s servers with data—including data from Internet of Things-connected devices—healthcare security experts warned that many health IT systems are vulnerable to future threats. In fact, previous cyber threats of this nature have impacted organizations such as Hurley Medical Center in Flint, Michigan and Boston Children’s Hospital, which was targeted by a days-long Anonymous denial of service campaign in 2014, Healthcare IT News, reported recently.
Now that such attacks have proven effective, “They may not be every attack, but we’ll see a dozen of them a quarter; we’ll see a couple hundred of them a year,” Martin McKeay a cybersecurity expert was quoted as saying in Healthcare IT News. “Now that people know those are a possibility, they’re going to start pushing in that direction. They’re going to make it happen.”
Michael “Mac” McMillan, CEO and co-founder of CynergisTek, warns that even hospitals with legacy EHR systems that run on their own computers, an average of about 30 percent of their information technology infrastructure is hosted by an outside company and provided over the internet, McMillan told Modern Healthcare.
“Right now there is very little defense,” he said, noting that providers should focus on preparing just as they would for outages caused by other means.