Healthcare is an attractive target for cyber-crime for three fundamental reasons:
- It is a rich source of valuable personal data.
- Its cybersecurity defences have a reputation for being weak.
- The industry relies increasingly on technology and the internet.
The number and range of attacks have made it much harder to secure the industry against multiple threats.
When protected health information (PHI) is stolen, the attackers use it to steal identities and personal medical information, which they can exploit themselves or sell on to others who, for example, obtain false prescriptions to be traded or sold illegally.
With billions of people across the world entrusting healthcare organisations to protect their identities and keep their medical records secure, it has become crucial for the industry to have the right cybersecurity solution in place to manage the threats and risks.
There are increasing concerns about the scale and frequency of cyberattacks on data and on the devices of healthcare professionals. When a breach does occur it can have severe consequences: it reduces patient trust, cripples health systems and threatens patient care.
Despite the rising threat, the vast majority of hospitals and physicians are unprepared to handle cybersecurity threats.
The healthcare industry increasingly relies on connected technology to store patient records, manage hospital equipment and facilitate data integration, patient engagement, and clinical support.
Cybersecurity is a patient trust and safety concern for healthcare organisations. There are a number of threats that need to remain front of mind:
- Cybersecurity breaches range from stealing personal information and holding hospital data and systems to ransom, to hijacking medical hardware to mine cryptocurrencies.
- Electronic health records (EHR) and the healthcare infrastructure are all targets.
- The healthcare industry is considered vulnerable because of a historic lack of investment in cybersecurity, and a number of recent incidents have highlighted these weaknesses.
- Increased connectivity has exposed medical devices to new cybersecurity vulnerabilities.
- Legacy security solutions were created to protect against historic threats, which have since been superseded by new tactics and methods from attackers.
In 2019, the two main targets for cyberattacks will be the cloud and user devices.
Operating systems on user devices provide more functionality than ever before, making them ideal for healthcare professionals at work but more vulnerable to attack.
At the same time, healthcare workers want the freedom to move around at work, accessing different operating systems and applications on any device.
Medical records have a high value in the wrong hands
Criminal demand for patients' medical records is fuelling the rise in cyberattacks, as electronic health records (EHR) are far more valuable than the financial data typically targeted for malicious use.
EHRs include names of patients, their birth dates, policy numbers, diagnosis codes, and billing information. This wealth of data can be used by fraudsters in different ways, such as creating fake IDs to buy medical equipment or medications that can be resold.
Cyber criminals often combine a patient number with other information taken from a victim and then file fraudulent claims with medical insurers.
EHRs are deemed more valuable because their theft takes longer to detect, which gives cyber criminals more time to use the information they obtain.
Cybersecurity challenges and legacy systems
Ransomware has targeted a number of hospitals in recent years. It is a type of malware that prevents a hospital from accessing files or data until a ransom has been paid, usually in Bitcoin.
Many hospitals continue to use legacy systems and have been slow to patch or update the technology they use to ensure it is protected.
One major reason why computer systems and networks become insecure is that the technology itself has become outdated. Computers that are too old and should have been decommissioned may be left in service, and it becomes difficult to secure them properly.
High-profile ransomware incidents such as WannaCry, which in May 2017 affected 200,000 computers in 24 hours, highlight the indiscriminate nature of such attacks.
The attack exploited vulnerabilities in the Microsoft Windows operating system, encrypting data and holding computer systems to ransom.
One of the biggest victims of WannaCry was the NHS. In the UK it hit a third of hospital trusts and 8% of GP practices. Around 1% of all NHS care was disrupted over the course of a week.
The hack caused more than 19,000 appointments to be cancelled, costing the NHS £20m between 12 May and 19 May and £72m in the subsequent clean-up and upgrades to its IT systems.
At the time of the attacks, the NHS was criticised for using outdated IT systems, including Windows XP, an operating system that could be vulnerable to cyberattacks.
Often the recipient gets an email from what appears to be a genuine address, containing an attachment or a link. When the link is clicked or the document opened, malware is downloaded to the computer, which then encrypts all documents locally and on all connected backup devices and hard drives.
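As an added defensive example (not code from the original article or from Worktools), the following Python script shows one way a hospital IT team could spot the file encryption described in this paragraph: it baselines a set of documents, then flags files that have changed and whose new contents look like ciphertext (Shannon entropy close to 8 bits per byte). The directory layout, sample documents, threshold value and the simulated encrypted output are all constructed for the demonstration; the same check would be run against a real file share, including any connected backup location, which the paragraph notes is equally at risk.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# Files that look like ciphertext have a nearly uniform byte distribution, so
# their Shannon entropy approaches 8 bits per byte; text and most office
# documents sit well below this. 7.5 is an assumed threshold for the demo.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def fingerprint(path: str) -> str:
    """SHA-256 of a file's contents, used to detect any change at all."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> dict:
    """Record the fingerprint of every file under `root`, keyed by relative path."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = fingerprint(full)
    return result


def scan(root: str, known: dict, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Compare `root` against a baseline.

    Returns the files that are missing, the files whose contents changed, and
    the subset of changed files whose new contents look encrypted. A wave of
    changed, high-entropy files across a share is the signature of a
    ransomware run rather than of normal editing.
    """
    missing, modified, encrypted = [], [], []
    for rel, old_hash in known.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            missing.append(rel)
            continue
        if fingerprint(full) != old_hash:
            modified.append(rel)
            with open(full, "rb") as fh:
                if shannon_entropy(fh.read()) >= threshold:
                    encrypted.append(rel)
    return {"missing": missing, "modified": modified, "encrypted": encrypted}


def _pseudo_ciphertext(length: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file.

    Constructed for the demonstration only: it is a SHA-256 chain, not the
    output of any real malware, and it lets the check run offline.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def demo() -> dict:
    """Build a constructed share with two documents and a connected backup copy,
    overwrite one document and its backup with ciphertext-like bytes, then scan."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "backup"))
        note = b"Ward 4 handover notes: patient stable, review bloods tomorrow.\n" * 64
        for rel in ("notes.txt", "rota.txt", os.path.join("backup", "notes.txt")):
            with open(os.path.join(share, rel), "wb") as fh:
                fh.write(note)
        known = baseline(share)

        # The behaviour described in the text: the local document and the
        # connected backup copy are both rewritten as ciphertext.
        for rel in ("notes.txt", os.path.join("backup", "notes.txt")):
            with open(os.path.join(share, rel), "wb") as fh:
                fh.write(_pseudo_ciphertext(4096))

        return scan(share, known)


if __name__ == "__main__":
    print(demo())
```

The hash comparison alone catches any modification; the entropy check separates routine edits from wholesale encryption, and the fact that the backup copy is flagged alongside the original is the practical argument for keeping at least one backup that is offline or write-protected rather than permanently mounted.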
A hospital is a 24 hour, 7-days a week operation, with computer systems and software in constant use across numerous terminals and devices throughout the building.
A hospital's IT environment is typically made up of a number of different endpoints and remote connections, connected and managed over the network.
Each device used by staff provides cybercriminals with an entry point into a hospital’s network.
But hospitals and physicians have not always managed to keep pace with the threats to cybersecurity.
Cybersecurity cannot be achieved without addressing the human factor, and many data breaches can be traced back to human fallibility. Even when systems have been designed to minimise risks, a hospital is vulnerable to a single point of failure, such as a member of staff using their own personal device at work or clicking a link in a phishing email that opens the door to a cybercriminal.
Different technologies and operating systems
With new applications having to work with incumbent systems and devices running on old software, there are vulnerabilities and gaps in security to address.
The healthcare industry as a whole has been slow to invest in and keep pace with new technology, and lacks the time and resources to educate "front-line" staff on how to meet the new types of threats to security.
The priority in the healthcare industry has tended to be protecting patient privacy; with the roll-out of the 2018 GDPR regulations, the consequences of a data breach have focused the industry's efforts.
Compounding the issue is that, like many organisations, hospitals do not have full-time cybersecurity resources or are unaware of the signs of a malicious attack.
Many healthcare professionals are too busy dealing with patient care to even notice that they are under attack. And staff often resist cybersecurity measures that may make systems safer but might also slow down the treatment of patients.
Security policies and training
To be effective with the resources available, it is important to have clear, up-to-date policies and procedures in place for dealing with the risks, and to take the time to train staff on what to be suspicious of and how to manage an incident.
Cybersecurity cannot be achieved without addressing the human factor: as systems themselves have become harder to penetrate, attackers have sought out softer targets, the employees themselves.
And even when systems have been designed to minimise risks, an individual employee can undo the best of cybersecurity plans with a click on the wrong website or by opening the wrong email.
Hiring a security expert such as Worktools can be invaluable in the fight against cyberattacks. Worktools has specialist knowledge, gained from 15 years of experience in the government Defence & Security sector, and can provide your company with the best defence against the financial loss and reputational damage that is often the result of cybercrime.
Informed staff and a secure system can build the foundation for a strong cybersecurity defence and help to effectively manage an attack if one does occur.
Cybersecurity precautions help organisations to protect their hardware, IT infrastructure, business applications and sensitive data from unauthorised access.
With the Worktools Cybersecurity Plan we've put together a plan to protect your organisation from cyber threats ranging from viruses to data breaches.
Let us help you look after your data, your reputation and legal compliance. As an outside provider, Worktools can do initial security assessments and ensure that everything is secure, both locally and through remote access.
Image source: www.freepik.com