Dull Instruments: Why Hospitals Keep Getting Hacked

Surgical Instruments. Image courtesy of Library of Congress.

In-brief: Why are hospitals in the cross hairs for cyber criminals? The Security Ledger speaks with Kevin Fu of The University of Michigan. Fu said that hospitals face a number of challenges, as more (insecure) devices become connected to the Internet. Individual facilities – especially small hospitals – often lack the expertise and tools needed to manage their risk. 

The healthcare sector has the unfortunate distinction of being “ground zero” for cyber criminals in 2015 and 2016. As the retail industry and companies like Target and Home Depot can tell you, that’s not a fun place to be.

But why hospitals and clinics? Are hackers drawn by the lure of patient health data, which can fetch a hefty price from would-be identity thieves? Or are hospitals simply targets of opportunity – the biggest, least secure guys on the block?

To better understand the problem, Security Ledger sat down with Kevin Fu, a professor at The University of Michigan and an expert in healthcare security and the security of medical devices.

Fu said that, while the “sky is not falling” in healthcare security, hospitals and other healthcare organizations do face a long list of challenges. Among them: so-called “emergent properties” that arise when you combine different, individually insecure systems. Hospitals also often lack the budget to hire expert staff to identify and address security weaknesses and attacks.

Fu is a professor of computer science and engineering at The University of Michigan.

“From what I’m hearing, in the near term, most of these problems are breaking down open doors. You accidentally left open a port, somebody gets in from remote and doesn’t even realize it’s a hospital. Someone clicks on a link – classic social engineering – and you get ransomware,” he said.

Hospitals – especially small facilities – often fall below the security “poverty line,” Fu said, unable to afford expensive talent and relegated to using affordable but inadequate tools to help them manage security. While large hospitals might have multiple tools for security analytics and log analysis, Fu described a small facility that was using email to stay on top of the output of its security tools.

“I can’t even imagine how hard it must be to get your job done using these dull tools,” Fu said.

The healthcare industry needs to find a way to address security as part of its procurement process and direct more resources toward security, he said. Currently, investments in security are not billable events, so hospitals tend to put them behind revenue-generating activities (like treating patients).

“It’s not the hospitals’ fault. They were given these dull tools because nobody manufactures sharp tools for hospitals,” Fu said.

It’s a fascinating conversation. Check it out on Soundcloud, below.

Also: some of you have asked after the music I use to start and wrap every podcast. It’s the song “Baxton” by the band Joe-Less Shoe and you can buy it here.


  1. Pingback: More Hospitals Felled By Ransomware | The Security Ledger

  2. Ironic that Sutton’s Law (“Because that’s where the money is”) is used so much in the medical training of doctors to focus on the most likely causes first. Clearly it applies to why hospitals keep getting targeted.

  3. “But why hospitals and clinics? Are hackers merely drawn by the lure of patient health data, which can fetch a hefty price from would-be identity thieves?”

    Why would identity thieves want medical data when consumer data with affixed credit card data is located on retail servers, i.e. Target/Home Depot? Hacked medical data is being sold to US database companies for direct marketing.

    Atty Joseph H. Malley
    Dallas Texas
    Linkedin: Joseph H Malley

  4. Pingback: Chronic Condition: Study Finds Medical Device Flaws Go Unfixed | The Security Ledger