Hospitals Are Critical Infrastructure 'Most at Risk' to ISIS Hackers

isis hackers hospital cybersecurity ransomware
A member of the armed forces outside the Accident and Emergency department of St. Thomas' Hospital, London, November 24, 2014. A cybersecurity expert has warned hospitals may come under attack from hackers and be hard to guard against. REUTERS/Andrew Winning

Thousands of hospitals are at critical risk of cyberattacks from terrorists and other malicious hackers, a cybersecurity expert has warned.

Joshua Corman, director of the Cyber Statecraft Initiative for the non-profit organization Atlantic Council, believes hospitals and healthcare facilities face the biggest threat of all the critical infrastructure due to the ease with which such attacks could be carried out and the high number of lives that would be put at risk.

Speaking at the IP Expo conference in London Wednesday, Corman said: "Of all the hackable things that can cause harm, I am most concerned about hospitals. One of the reasons is they gave statistically about zero security people on staff.

"If I were attacking and wanting to harm people, the most familiar environment to attack and the easiest one that's least defended is the hospital."

Hollywood Presbyterian Medical Center
The Hollywood Presbyterian Medical Center, which was the first known hospital in the United States targeted with a ransomware attack, Los Angeles, February 16. REUTERS/Mario Anzuoni

In stressing the gravity of the issue, Corman cited recent ransomware attacks on hospitals in which hackers took control of computer systems and demanded a fee to release them. Perhaps the most serious incident took place earlier this year at the Hollywood Presbyterian Medical Center in California, which declared an internal emergency after hackers demanding $3.4 million knocked computer systems offline for more than a week.

During the attack, the hospital was forced to send patients to other hospitals and turn ambulances away from its facility. Corman said that hackers who weren't just motivated by money could have potentially caused patient deaths.

"A different set of adversaries that might be more ideological, that might want to inflict harm—and they don't have to be very talented—with very, very little skill, they could do significant damage if they wanted to," Corman said.

Attacks carried out by hackers affiliated with ISIS have been relatively low-level, with groups like the so-called Cyber Caliphate Army (CCA) targeting seemingly arbitrary targets, including a small solar energy company in England, a Japanese dance instructor and a laminate flooring firm based in Wales. In one apparent blunder, the CCA targeted the wrong Google earlier this year.

The amount of resources put towards cybersecurity by healthcare institutions means that such hackers could perform successful attacks against them, according to Corman.

"[Former Anonymous hacker] Junaid Hussain took his hacking skills to ISIS," Corman said. "That's somebody who's not a very good hacker but he would have the means, motive and opportunity to do something like the Hollywood Presbyterian attack.

"So I am so tired of talking about replaceable credit cards and never talking about ensuring medical delivery is reliable, available and defensible."