Male Hacker Using ComputersLast year the dizzying news of a computer hack at MedStar Health, one of the largest medical providers in the Baltimore/Washington area, forced the organization to shut down most of its online operations. 

The exact nature of the attack was suspected as ransomware and MedStar is just one of the the victims in a string of cyberattacks that have hit the health-care industry hard. Here’s what you need to know about how health-care providers became a digital battleground.

Why would cybercriminals go after the health-care industry?

The health-care sector has a lot of information that could be valuable to criminals and that makes them a juicy target.

First, they often have a bunch of personal information that could be used for traditional financial fraud — things like your name, social security number, and payment information. But they also have health insurance information, which can be sold for even more on online black markets because it can be used to commit medical fraud — things like obtaining free medical care or purchasing expensive medical equipment — that often isn’t caught quite as quickly as credit card or bank account fraud.

A particularly aggressive cybercriminal could even find a way to leverage compromising medical information guarded by health-care providers into a blackmail scheme — although that has not become a major avenue for attack yet, according to Ben Johnson, co-founder and chief security strategist at cybersecurity Carbon Black.

However, several U.S. hospitals have also now been hit with ransomware, a type of malicious software that basically lets an attacker hold a computer hostage. Once ransomware gets in a system, it starts quietly using hard-to-break encryption to lock up the information stored there — making information inaccessible to the legitimate user. After the software has finished locking things up, it typically pops up with a message demanding a payoff in a difficult-to-track digital currency like bitcoin in exchange for the digital key needed to get back into the data.

This is a particular type of nightmare scenario for health-care providers because more and more of them rely on electronic medical records to keep things up and running.

“Health care is a bit unique in that up-time is really important,” said Johnson, which means providers may be more likely than other targets to pay quickly so they can get back to work.

Just how vulnerable is the health-care sector to cyberattacks?

Things are not looking good.

According to cybersecurity firm TrendMicro, health care was the sector that was hit hardest by data breaches from 2010 through 2015. Not all of those breaches involved hacks — two-thirds were actually due to the loss or theft of things like laptops, smartphones, or thumb drives — but it still demonstrates a major problem with the way the industry approaches keeping data safe.

“It’s a big environment with a lot of different pieces — and not a lot of investment in cybersecurity,” said Johnson.

Part of the problem is that hospitals and doctors’ offices often need to oversee a mishmash of different types of equipment running different types of software — and they cannot always apply standard security practices, like regular updates, without risking instability because it might break the connections between systems, according to Jay Radcliffe, a senior security consultant at cybersecurity company Rapid7.

The FBI actually warned health-care providers that they needed to increase their digital defenses in April of 2014. “The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely,” said a private notice the FBI distributed to the sector.

In 2015, several big health insurers suffered major breaches. One hack at Anthem, the nation’s second-largest health insurer, left information on up to 80 million people exposed. Another at Premera exposed data on 11 million people, including medical information in some cases.

Also last year a ransomware attack hit Hollywood Presbyterian Hospital in California. Staff was forced to resort to paper record-keeping for a week and divert patients to other hospitals. The hospital eventually paid the attackers roughly $17,000 to get access back to their data.  Two other hospitals in Southern California were also reportedly hit with similar ransomware — as was a Kentucky hospital, which declared an “internal state of emergency” after the attack.

And to make matters worse, the health-care providers are also having to grapple with the problem of securing connected medical devices: A hacked pacemaker or drug pump could have potentially life-threatening consequences for patients, and even other types of networked devices could end up helping a cybercriminal find a furtive way to get access to a hospital’s computer systems.

“That can be the weak spot in your network — and in a lot of cases, a hospital might not even realize it was connected,” said Radcliffe.

What is the health-care sector doing to fix this problem?

The industry has its own groups dedicated to helping coordinate how it responds to cybersecurity threats, including the National Health Information Sharing and Analysis Center, or NHISAC, which was founded in 2010. These sort of efforts are useful because they can help industries work together to help stem the spread of a particular type of threat early.

And there is at least one bright side to all the breaches and hacks in the health-care sector: “They are really waking up to the fact that they are a huge target,” said Johnson.

But, unfortunately, that awareness is just part of the problem. Even once an organization has committed the funds to build up their digital defenses, it can be difficult to plot the best path forward, according to Johnson, because it takes time to figure out which tools to put in place and whom to hire.

The latter part can be difficult for health-care providers because there’s a shortage of security professionals across all industries.

“I’ve literally talked to health-care organizations that have 300 open security positions, and are struggling to fill even a handful of them,” said Johnson.

“It’s going to continue being a rough period of time,” he said.