The year 2017 was the year that cyberattacks made healthcare sick. In the UK, a catastrophic ransomware attack in the form of WannaCry caused havoc across at least 16 health trusts, affecting hospitals and doctors' surgeries. According to research by Accenture, the healthcare industry was one of the worst affected by soaring cybercrime costs. This was evidenced in a Ponemon and IBM study, which showed that the cost of a healthcare breach continues to rise year on year. In the Ponemon 2017 Cost of Data Breach report, the average cost to healthcare per breached record was $380.
Ransomware and other Malware
Malware is a serious problem across all industries; in healthcare, however, a malware infection can mean life or death. Healthcare operates an intricate series of interconnected reporting and services. This interlocking network, which communicates information on our behalf to better our health, is especially vulnerable to ransomware and other malware attacks. In the aforementioned NHS WannaCry attack, hospitals were forced to close their doors to new patients, and existing patients had treatment interrupted because staff were unable to access records. The HHS ‘Wall of Shame’, which lists healthcare data breaches in the U.S., records a total of 288 data breaches affecting almost 4.7 million individuals from the beginning of the year to January 1, 2018. According to Proofpoint, in Q1 2017 there were four times as many ransomware variants detected as in the previous year.
Like all industries, healthcare is at risk from phishing. According to a report by Verizon, around 66% of malware was delivered as an email attachment. Although the WannaCry ransomware is unlikely to have begun its life in an email, much malware continues to be executed via phishing. Phishing emails and texts are also a threat to personal data, including login credentials.
The National Health Information Sharing and Analysis Center has recently reported that the healthcare industry is at the greatest risk of fraudulent emails. However, little is being done to combat this: 98% of healthcare organizations have not taken the first step in helping to prevent phishing, which is to put Domain-based Message Authentication, Reporting & Conformance (DMARC) in place.
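Publishing a DMARC record is only the first step; what stops spoofed mail is the policy the record carries. The following checker is an added example, not code from the original article or from NH-ISAC: it parses a DMARC TXT record into its tags and reports whether the policy would actually quarantine or reject mail that fails SPF/DKIM alignment. The DNS answers are a constructed in-memory table (the `clinic-*.example` domains are invented) so that it runs offline; a real checker would query the `_dmarc.<domain>` TXT record with a DNS library instead.

```python
"""Assess whether a domain's DMARC record would block spoofed mail.

Added example, not code from the original article. DNS answers are a
constructed in-memory table so the script runs offline; a real checker
would query the _dmarc.<domain> TXT record with a DNS library.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample DNS answers: _dmarc.<domain> -> list of TXT strings.
FAKE_DNS: Dict[str, List[str]] = {
    "_dmarc.clinic-a.example": [],  # nothing published at all
    "_dmarc.clinic-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@clinic-b.example"],
    "_dmarc.clinic-c.example": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@clinic-c.example"],
    "_dmarc.clinic-d.example": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@clinic-d.example"],
    "_dmarc.clinic-e.example": ["v=spf1 -all"],  # SPF record published in the wrong place
}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a DMARC TXT record into tag=value pairs.

    Returns None when the string is not a DMARC record (RFC 7489 requires
    the record to start with v=DMARC1)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def assess_dmarc(domain: str, dns: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Classify a domain as 'missing', 'monitor', 'partial' or 'enforcing'.

    'enforcing' means 100% of mail failing alignment on the organisational
    domain and its subdomains is quarantined or rejected by receivers."""
    findings: List[str] = []
    answers = dns.get(f"_dmarc.{domain}", [])
    records = [t for t in (parse_dmarc(a) for a in answers) if t]
    if not records:
        findings.append("no valid DMARC record published")
        return "missing", findings
    if len(records) > 1:
        findings.append("multiple DMARC records published; receivers ignore all of them")
        return "missing", findings
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"unknown or missing policy tag p={policy!r}")
        return "missing", findings
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
        return "monitor", findings
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # receivers treat an unparsable pct as the default of 100
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
        return "partial", findings
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
        return "partial", findings
    return "enforcing", findings


if __name__ == "__main__":
    for d in ("clinic-a.example", "clinic-b.example", "clinic-c.example",
              "clinic-d.example", "clinic-e.example"):
        level, notes = assess_dmarc(d, FAKE_DNS)
        print(f"{d:18} {level:10} {'; '.join(notes)}")
```

Run against the constructed table, only `clinic-d.example` comes out as enforcing; `clinic-b.example` has "put DMARC in place" in the sense the survey counts, yet with `p=none` every spoofed message is still delivered, which is why the policy tag, and not the mere presence of a record, is what to check.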
Insider threats to hospital resources are a concern across the board; they can be carried out by patients as well as staff, and can be both malicious and accidental. The 2017 HIMSS Cybersecurity Survey found that 75% of respondents deemed insider threats worrying enough to set up specific programs of protection.
Increased use of Cloud computing and online security
Cloud computing is being taken up by healthcare as it offers benefits such as improved access to data and cost efficiency. The use of Cloud computing within healthcare is set to soar at a CAGR of 20.5% to 2020. But Cloud computing brings its own risks. Data within Cloud repositories needs to be correctly protected, according to advisories from the likes of OWASP. Protecting data at rest and in transit across web services requires not only robust encryption but also appropriate and effective authentication, such as second-factor and risk-based authentication.
Internet-enabled healthcare attacks (Internet of Things, IoT devices)
Healthcare has embraced Internet-connected devices in a bid to use health data to improve patient outcomes. Apps like OpenAPS, an optimized data-driven insulin delivery system, and Internet-enabled activity trackers that help in cancer treatment are paving the way for the IoT to improve healthcare. However, the IoT has known security and privacy issues. Many healthcare-based IoT devices aggregate personal data, which is then stored in a Cloud repository and used to analyze conditions, treatments, etc. Security issues such as DDoS attacks built on IoT devices, similar to the massive Mirai botnet of October 2016, are a potential threat that could disrupt treatment. The protection of personal data to prevent exposure is another. Redundancy is a further area of concern, as more hospitals become dependent on Internet-enabled systems.
The healthcare supply chain – the weakest link?
The supply chain has often been the weakest link in terms of cybersecurity, and healthcare is no exception. For example, the TRICARE breach, which resulted in 4.6 million military patient records being exposed, was the result of a negligent supplier. Ensuring that all suppliers within the healthcare service operate under the same security policies is challenging, but it is also a requirement of some regulatory frameworks, such as the HIPAA Omnibus Rule in the U.S., which extends the act’s requirements to business associates.
Many large breaches come down to the thorny issue of robust and effective authentication. Authentication touches the heart of the human-computer interface and as such is hard to balance between security and usability. The simple fact is that the growth of phishing, in particular, has made the humble password dangerous when used on its own. Instead, methods such as two-factor and risk-based authentication are becoming more popular because, when correctly implemented, they offer a much higher degree of risk mitigation against even spear phishing.
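The reason a phished password stops being decisive under risk-based authentication is that the login decision weighs the password together with context. The code below is an added example, not code from the original article or from any product: it scores a login attempt on constructed signals (unrecognised device, unusual country, impossible travel since the last login, recent failures, a denylisted source address) and returns allow, step up to a second factor, or deny. The weights, thresholds, user history and sample attempts are all invented for illustration; a real deployment would feed its own device, geolocation and history data into the same kind of decision.

```python
"""Risk-based step-up authentication decision for a login attempt.

Added example, not code from the original article. Signals, weights,
thresholds and the sample history/attempts are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class UserHistory:
    known_devices: Set[str]
    usual_countries: Set[str]
    last_login_time: datetime
    last_login_country: str
    recent_failures: int = 0


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    when: datetime
    password_ok: bool
    ip_on_denylist: bool = False


def score_attempt(attempt: LoginAttempt, history: UserHistory) -> Tuple[int, List[str]]:
    """Add risk points for each anomalous signal; reasons are returned for the audit log."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += 30
        reasons.append("unrecognised device")
    if attempt.country not in history.usual_countries:
        score += 20
        reasons.append(f"login from unusual country {attempt.country}")
    # Impossible travel: a different country within two hours of the last login.
    elapsed = attempt.when - history.last_login_time
    if attempt.country != history.last_login_country and elapsed < timedelta(hours=2):
        score += 40
        reasons.append("impossible travel since last login")
    if history.recent_failures >= 3:
        score += 25
        reasons.append(f"{history.recent_failures} recent failed attempts")
    if attempt.ip_on_denylist:
        score += 50
        reasons.append("source IP on denylist")
    return score, reasons


def decide(attempt: LoginAttempt, history: UserHistory,
           stepup_at: int = 30, deny_at: int = 80) -> Tuple[str, List[str]]:
    """'deny' on a wrong password or very high risk, 'step_up' (require a second
    factor) on moderate risk, 'allow' when the attempt matches the user's pattern."""
    if not attempt.password_ok:
        return "deny", ["password incorrect"]
    score, reasons = score_attempt(attempt, history)
    if score >= deny_at:
        return "deny", reasons
    if score >= stepup_at:
        return "step_up", reasons
    return "allow", reasons


# Constructed history for one ward user: one known PC, always logs in from GB.
HISTORY = UserHistory(known_devices={"ward-pc-07"}, usual_countries={"GB"},
                      last_login_time=datetime(2017, 12, 1, 8, 0), last_login_country="GB")

# Constructed attempts: the second and third reuse a correct (e.g. phished) password.
SCENARIOS: Dict[str, LoginAttempt] = {
    "normal shift":        LoginAttempt("nurse1", "ward-pc-07", "GB", datetime(2017, 12, 1, 9, 0), True),
    "phished, new device": LoginAttempt("nurse1", "laptop-x", "US", datetime(2017, 12, 1, 15, 0), True),
    "phished, same hour":  LoginAttempt("nurse1", "laptop-x", "US", datetime(2017, 12, 1, 8, 30), True),
    "wrong password":      LoginAttempt("nurse1", "ward-pc-07", "GB", datetime(2017, 12, 1, 9, 5), False),
}


def run_scenarios() -> Dict[str, str]:
    """Decision for each constructed scenario, keyed by scenario name."""
    return {name: decide(a, HISTORY)[0] for name, a in SCENARIOS.items()}


if __name__ == "__main__":
    for name, attempt in SCENARIOS.items():
        outcome, why = decide(attempt, HISTORY)
        print(f"{name:22} -> {outcome:8} {'; '.join(why)}")
```

The two "phished" scenarios show the point of the paragraph: the same correct password yields a step-up challenge from an unknown device and an outright deny when the attempt also amounts to impossible travel, so a credential harvested by phishing is no longer sufficient on its own.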
In the healthcare industry, biometrics are increasingly being used for access control to drugs and patient records. However, as seen in the UK NHS WannaCry attack, some hospitals that used biometric drug access were unable to access the drugs, and override keys had to be used.
Legacy apps holding you back
In a survey, 90% of hospitals admitted to running legacy applications to preserve patient data. Legacy applications can leave gaping holes for the cybercriminal to take advantage of. This is perfectly evidenced by the WannaCry attack: most infected machines were running unpatched older versions of Windows such as XP and 7, and WannaCry exploited a vulnerability in the operating system. Regular penetration testing is an important activity for finding vulnerabilities in your infrastructure.
Somebody else’s problem – becoming security aware
Security is a problem for everyone in an organization. In healthcare, this extends across all disciplines, suppliers, and even patients. As we increasingly use IoT devices, this sense of security needs to pervade every touch point in the life cycle of patient data. Fostering a culture of security is essential to ensure that the privacy and security of patient data, and of the devices used in the service, are taken seriously. The UK government’s National Data Guardian’s recent paper, “Your Data: Better Security, Better Choice, Better Care,” makes a number of recommendations for improving security across healthcare organizations. One of the main takeaways is that security is about “people and processes” as much as it is about technology. Building security awareness programs throughout the healthcare organization and beyond will create a foundation stone for a more ‘healthy’ system, especially in a time of technological change.
Poor healthcare funding affecting security
One thing that many healthcare services throughout the world are up against is poor funding and staffing. Programs of security awareness and improvements in technology all cost money for training and implementation. But healthcare should not be a luxury. To build a fair and fit society that works for us all, we have to build a fair and fit healthcare system. Securing that system is fundamental to delivering the best service possible. Allowing a cybercriminal element to disrupt that service impacts everyone within a society. When creating a successful healthcare service, funding for security should never take a back seat.
- Infosec Institute, WannaCry, The Aftermath: How WannaCry Could Have Been WannaSmile: http://resources.pentestingexpertsinstitute.com/wannacry-aftermath-wannacry-wannasmile/
- Accenture, 2017 Cost of Cybercrime Study: https://www.accenture.com/t20170926T072837Z__w__/us-en/_acnmedia/PDF-61/Accenture-2017-CostCyberCrimeStudy.pdf
- IBM, Ponemon 2017 Cost of Data Breach: https://www.ibm.com/security/data-breach
- HHS, Breach Portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- Proofpoint, Quarterly Threat Report Q1 2017: https://www.proofpoint.com/sites/default/files/pfpt-us-tr-q117-threat-report.pdf
- Verizon, Data Breach Investigations Report 2017: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
- Business Wire, Press Release: https://www.businesswire.com/news/home/20171128005546/en/Fifty-Seven-Percent-Email-%E2%80%9CFrom%E2%80%9D-Healthcare-Industry-Fraudulent
- HIMSS, 2017 HIMSS Cybersecurity Survey: http://www.himss.org/sites/himssorg/files/2017-HIMSS-Cybersecurity-Survey-Final-Report.pdf
- MarketsandMarkets: https://www.marketsandmarkets.com/PressReleases/cloud-computing-healthcare.asp
- Infosec Institute, OWASP 2017 Top 10 vs. 2013 Top 10: http://resources.pentestingexpertsinstitute.com/owasp-2017-top-10-vs-2013-top-10/#gref
- Medidata, Press release: https://www.mdsol.com/en/newsroom/press-release/medidata-collaborates-leading-new-york-cancer-center-expand-use-mhealth
- Reuters, Records of 4.9 mln stolen from car in Texas data breach: https://www.reuters.com/article/us-data-breach-texas/records-of-4-9-mln-stolen-from-car-in-texas-data-breach-idUSTRE78S5JG20110929
- Infosec Institute, Government Views On Opting Out – Health Data and Security in The UK: http://resources.pentestingexpertsinstitute.com/government-views-opting-health-data-security-uk/