Healthcare cybersecurity is critical to individuals and organizations alike. This report includes case studies of well-known cyber attacks and how you might prevent them from occurring in your agency. Read on to learn how you can protect your organization in a hostile threat landscape.
Research suggests that most people are concerned about the privacy of their online data, but the supply of cybersecurity expertise has yet to meet demand. Beyond individuals, certain industries are particularly vulnerable to cyber attacks.
The State of Healthcare Cybersecurity
The healthcare industry is widely identified as a primary target. A systematic review of cybersecurity threats in healthcare found that the industry lags in securing vital data.
Describing the issues they found in their analysis, researchers at Texas State University mention several measures for implementing security protocols, including, but not limited to, the following:
Defining and delegating cybersecurity duties.
Establishing procedures for upgrading software and mitigating data breaches, like training users to avoid suspicious digital assets.
Implementing cloud-based computing, de-authentication, and Virtual Local Area Networks (VLANs) (Kruse, Frederick, Jacobson & Monticone, 2017).
With advances in artificial intelligence, analytics and database systems, medical institutions such as hospitals and pharmacies have become increasingly reliant on software to serve patients and clients. By mid-2019, Protenus estimated that 32 million patient records had been exposed that year and that hacking was responsible for 88% of the breaches involved.
According to Malwarebytes, threats to healthcare systems increased by 60%, and the resulting breaches were expected to cost the sector $4 billion. Protected Health Information (PHI) often sells for hundreds of dollars on the black market, in part because private healthcare records bundle financial information alongside patient information, which makes a single record more valuable and easier to monetize. The situation has worsened over the years.
Goals of the Public Health Sector
The Healthcare and Public Health (HPH) Sector is involved in a variety of health and wellness-related fields. HPH also has clearly-defined goals in the following four (4) areas, as listed in the Healthcare and Public Health Sector-Specific Plan report of 2010:
Service Continuity: Continue providing services during and after a disaster or disruption in supplies.
Workforce Protection: Shield the workforce from the harm caused by a hazard that may negatively affect their safety, health, and functionality.
Physical Asset Protection: Mitigate any risk to physical assets that may arise from a hazard.
Cybersecurity: Mitigate any risk to the cyber assets resulting in a denial or disruption in service.
Threats to Healthcare Cybersecurity
A report by the Healthcare and Public Health Sector Partnership and the Cybersecurity Working Group states that “Since the mid-90s, the cyber arms race has drastically changed the complexity of attacks. Networks now face some of the most complex code ever written. On top of that, attackers no longer have to be highly skilled because many of the best tools have been packaged into simple plug-and-play programs (CSWG, n.d.).”
When the WannaCry ransomware worm hit government systems worldwide in 2017, the United Kingdom's National Health Service (NHS) was thrown into disarray. Entire laboratories froze, blood tests and scan results were delayed, samples had to be transported to labs that were still functioning, and the backbone of the healthcare sector came close to collapse. After 2017 the sector was expected to harden its systems against such exploits, but only negligible improvements followed.
Worse, in 2019, Israeli researchers demonstrated malware that could alter CT scans and similar images to show tumors that were not present, which could lead to misdiagnosis, incorrect treatment and physical harm.
For the purpose of this report, the major threats to current cybersecurity systems are listed below. At the time of writing, the COVID-19 pandemic is overwhelming the world, and malware authors are exploiting the disruption with coronavirus-themed lures, since attackers habitually take advantage of moments of crisis in the connected world. Those aside, the most dangerous threats plaguing computer systems are:
Ransomware
The WannaCry outbreak of 2017 is perhaps the best example of ransomware and the extent of damage it can cause. Ransomware is malware that, once inside a system, encrypts or locks data and demands payment (usually in Bitcoin or another cryptocurrency) to restore it, often also threatening to delete or publish the data if the ransom is not paid.
Ransomware generally enters a system in three (3) ways:
Phishing emails with malicious attachments
Visiting websites injected with malware
Viewing advertisements containing malware (malvertising)
Once ransomware has run, the computer is rendered unusable and its files inaccessible. The victim is given a deadline to pay, after which the attacker threatens to destroy the data and its structure permanently. By the end of 2019, Emsisoft concluded that 764 healthcare providers had been hit by ransomware, including two of the largest healthcare breaches of the year: the Wolverine Solutions Group incident and the EHR hack that affected Columbia Surgical Specialist of Spokane.
Also in 2019, services at two hospitals in Ohio were disrupted by ransomware. Emergency-room patients had to be diverted, testing procedures were temporarily halted, and receptionists and doctors fell back on paper records as the systems went down.
Third-Party Risks and Fourth-Party Risks
Under cost-driven business models, private healthcare institutions often outsource functions such as catering, payroll and web development to vendors and third-party service providers, which gives those providers access to sensitive information. Weak risk management and insecure systems at these companies frequently lead to breaches of data and privacy, and the risk grows further when the third parties subcontract the work to smaller organizations (fourth parties).
In 2015, the Australian Red Cross hired Precedent Communications to develop its website and manage its database. Unfortunately, a Precedent employee placed a backup of the database file containing blood donors' personal information on a publicly accessible web server. The server was subsequently accessed, and the records of 550,000 prospective donors were exposed.
The biggest incident in this sphere to date, however, was the 2019 breach at the American Medical Collection Agency (AMCA), a billing and collections vendor: data on at least 25 million patients, including Social Security numbers and payment card information, was exposed and sold on the dark web. The same year saw further third-party breaches at Vitagene, LifeLabs, Zoll Services, Wolverine Solutions Group and health administrator Inmediata Health Group. AMCA ultimately filed for bankruptcy protection under the millions of dollars in costs the breach incurred.
Insider Threats
Whether unwittingly or not, insiders pose a major threat because of their access to equipment, email accounts and internal systems. Since employees know the organization's systems intimately, a malicious act can cripple a healthcare institution's entire operation. Insider incidents arise from misuse of privilege, from lost, stolen or mishandled assets (as in the Australian Red Cross case), and from web application attacks and malware. Ignorance, and the absence of regular audits, is perhaps the greatest source of threat from staff and personnel.
In February 2019, the UW Medicine breach was caused by a misconfigured server that made internal documents public; the personal data of about 947,000 patients was accessible for three weeks. There have been several other notable cases, such as one in Florida where hospital staff accessed patients' private data and used it to make fraudulent credit cards, and one in Texas where a staff member infiltrated the hospital's systems using a botnet.
Internet of Things (IoT) and greater interconnectivity
As more devices are connected through the internet, the opportunities to exploit those connections multiply. Recent studies have shown that it is quite possible to hack wearable and implantable IoT healthcare devices, from insulin pumps and wireless vital-sign monitors to thermometers, temperature sensors and pacemakers. Devices that must deliver uninterrupted patient care often run obsolete or rarely updated operating systems, because taking them offline to patch them is difficult.
Tom Dolan of Forescout Technologies suggested that “A high percentage of devices are connected to (networks), giving healthcare some of the biggest exposures.” He continued, “They rely on those technologies for literally life or death scenarios, a dynamic unique to healthcare. An unfortunate prediction is that there will be more breaches moving forward as Windows 7 becomes more out of date.” Although hacking through such methods is not conventional or common, researchers predict that this will be a primary conduit of cybersecurity exploitation in the future.
Phishing and Business Email Compromise
Phishing and Business Email Compromise (BEC) are closely linked to insider threats, since it is staff who respond to suspicious emails or transfer money to fraudulent accounts. Through phishing, attackers gain control of hospitals' official email accounts and can then use them to deceive vendors and other institutions.
Distributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) attacks are uncommon but far from impossible. In April 2014, the hacktivist group Anonymous attacked Boston Children's Hospital, causing network outages for a week that affected its online records and database systems. The hospital had to spend over three hundred thousand dollars ($300,000 USD) to recover from the damage.
Notably, most of these exploits are packaged and sold on dark web marketplaces as a service. This lets people with little or no hacking knowledge launch attacks against targets for a fee far below the eventual cost of the damage.
Mitigation of Threats
Here are some ways in which the healthcare industry can reduce the threat posed by cyber attacks:
Security Awareness Training
An important step is to implement a security awareness program that educates employees on potential cyber threats and the do's and don'ts of data security. Many federal agencies, including the Centers for Disease Control and Prevention (CDC), have begun implementing such programs. Verizon's 2019 Data Breach Investigations Report is perhaps the best illustration of why this matters. The report analyzed 41,686 security incidents and 2,013 confirmed data breaches, and found the following:
15% of the confirmed breaches involved healthcare organizations.
81% of incidents within the healthcare sector fell into three patterns: miscellaneous errors, privilege misuse and web application attacks.
59% of the threat actors in healthcare incidents were internal.
Other research reports that around 87% of healthcare workers use non-secure email to share confidential information such as patient health information.
Improper handling of data is not the only issue. Attackers also exploit human behavior to obtain sensitive data; for example, an individual with malicious intent may distract hospital personnel to gain access to patient records.
All of these risks point to the need for comprehensive security awareness education that covers both the technological and the psychological aspects.
Authentication and Verification
Authentication ensures that access to confidential information is granted only to those entitled to it, and that a message a healthcare worker receives really comes from the sender it claims. It prevents impersonation; it does not, on its own, prove that an authenticated user or message is harmless, so it has to be paired with authorization checks and malware filtering.
Authentication techniques rely on one or more of three kinds of evidence: something the user knows (a password or PIN), something the user has (a phone, smart card or hardware token), and something the user is (a fingerprint or other biometric). Each combination offers a different level of security. The four (4) most common classifications are:
Single-factor authentication: The most basic technique, a username and password, used by virtually all websites and applications. The level of security it offers is generally described as insufficient for protecting PHI.
Two-factor authentication: Sometimes called dual-factor, this adds a layer by requiring a second piece of evidence alongside the login details, typically a one-time code that the authentication server sends to the user's mobile phone or that an authenticator app computes from a shared secret and the current time. SMS delivery is better than nothing but can be intercepted through SIM swapping; app- or hardware-generated codes are the stronger choice.
Multi-factor authentication: The general form of the two-factor approach, requiring two or more independent factors; the strictest deployments require three.
TLS and other secure Internet protocols: Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS), uses certificates to authenticate the server (and optionally the client) and encrypts traffic in transit for the Web, email and other protocols. It protects data on the wire rather than identifying the person at the keyboard, so it complements user authentication instead of replacing it.
Firewalls
A firewall is a barrier between the company's intranet, or internal network, and untrusted external networks, and it is essential to healthcare cybersecurity. Combined with a web filter, it can block a known-malicious website that someone tries to reach from a computer holding health records, or at least warn the user of the danger and require confirmation before proceeding.
Different types of firewalls restrict access to a network, including, but not limited to, the following:
Application firewalls: Also called proxy firewalls, these inspect the data passing through the network to ensure it is not being transmitted for malicious purposes. An application firewall may be a software filter, a server plug-in or a dedicated hardware appliance.
Circuit-level gateways: These validate sessions by monitoring TCP (Transmission Control Protocol) handshakes to ensure that users are connecting to trusted systems. Once a connection is established, the hosts exchange packets without further inspection, so a circuit-level gateway does not examine the content of the traffic.
For additional protection, healthcare organizations can use virtual private networks (VPNs) alongside firewalls. A VPN encrypts traffic between a remote device and the organization's network, so an attacker on the same public Wi-Fi cannot read or tamper with it.
Security Patch Management
As the name suggests, security patch management means keeping an inventory of the software and devices in use, tracking the vendor updates that fix known vulnerabilities, and applying them before malware can exploit them. Security software such as antivirus (AV) products supports this effort and should be bought only from well-reputed companies.
Patches obtained from third parties or unofficial download sites can themselves be a threat: verify that each package really comes from the vendor, by checking its signature or its published checksum, and test it before rolling it out. An effective procedure routinely patches every device that stores an organization's data, including desktops, laptops, smartphones and tablets. Even the wireless network must be reviewed, since Wi-Fi itself is exposed to many kinds of attack.
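Verifying that a patch is what the vendor published, as the paragraph above requires, comes down to two checks: the manifest of checksums must carry a valid vendor signature, and each file's digest must match the manifest. The Go program below is an added example for this report, not the page's own code or any vendor's tooling. The manifest, the file contents and the Ed25519 signing key it generates are constructed for the demonstration; a real deployment ships only the vendor's public key, obtained out of band, and the digests in the sample manifest are the genuine SHA-256 values of the constructed contents "abc" and the empty file.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample manifest in `sha256sum` layout ("<hex digest>  <file>").
const sampleManifest = `# hotfix bundle (constructed for the example)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  hotfix-1.bin
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  hotfix-2.bin
`

// parseManifest returns filename -> expected digest and rejects malformed
// lines instead of silently skipping them.
func parseManifest(text string) (map[string][]byte, error) {
	out := map[string][]byte{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("malformed manifest line: %q", line)
		}
		digest, err := hex.DecodeString(fields[0])
		if err != nil || len(digest) != sha256.Size {
			return nil, fmt.Errorf("bad digest for %s", fields[1])
		}
		out[fields[1]] = digest
	}
	return out, sc.Err()
}

// verifyManifest checks the vendor's Ed25519 signature over the raw manifest
// bytes. Without it, whoever swaps the patch can swap the checksum file too.
func verifyManifest(vendorPub ed25519.PublicKey, manifest, sig []byte) error {
	if !ed25519.Verify(vendorPub, manifest, sig) {
		return errors.New("manifest signature invalid")
	}
	return nil
}

// verifyPatch passes only when the file is listed and its SHA-256 matches;
// unlisted files are rejected so an extra binary cannot ride along.
func verifyPatch(manifest map[string][]byte, name string, content []byte) error {
	want, ok := manifest[name]
	if !ok {
		return fmt.Errorf("%s is not listed in the manifest", name)
	}
	got := sha256.Sum256(content)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return fmt.Errorf("%s: digest mismatch", name)
	}
	return nil
}

// demoSign generates a throwaway vendor key and signs the manifest. It exists
// only to keep the example self-contained; a verifier never holds this key.
func demoSign(manifest []byte) (ed25519.PublicKey, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return pub, ed25519.Sign(priv, manifest), nil
}

func main() {
	pub, sig, _ := demoSign([]byte(sampleManifest))
	if err := verifyManifest(pub, []byte(sampleManifest), sig); err != nil {
		fmt.Println("refusing bundle:", err)
		return
	}
	m, _ := parseManifest(sampleManifest)
	// Constructed file contents: one genuine, one tampered, one not listed.
	fmt.Println(verifyPatch(m, "hotfix-1.bin", []byte("abc")))
	fmt.Println(verifyPatch(m, "hotfix-1.bin", []byte("abd")))
	fmt.Println(verifyPatch(m, "rogue.bin", []byte("abc")))
}
```

The order matters: check the signature before trusting a single digest, and treat a file that is present on disk but absent from the manifest as a failure, not as "nothing to check".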
Encryption
Encryption converts plaintext into ciphertext that only holders of the key can read, protecting the confidentiality of the data.
Two kinds of data need encrypting: data in motion and data at rest. Data in motion is information being exchanged over channels like email, instant messaging, SMS and Voice over IP calls. In healthcare it must be encrypted because it can easily be intercepted, and staff should encrypt private data before sharing it to prevent patient identity theft. Vendors have made this easy; browser extensions for Google Chrome, for example, can encrypt attachments before they are emailed.
Data at rest, by contrast, is stored information that may not be touched for long periods. Its protection matters just as much, since databases are among the most frequently attacked stores. Encrypting sensitive columns, allowing connections only from the application hosts that need them, and enforcing strict access control address the long-standing problem of database security.
Long-term storage also includes desktops, laptops, smartphones and servers. Encrypting the data on these devices, on top of restricting access to them, strengthens any healthcare agency's security. Using separate keys for separate data sets, and rotating them, means that the loss or compromise of one key is not a single point of failure for the whole organization.
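The separate-keys point above is easiest to see in code. The Go program below is an added example written for this report, not code from the page or from any product. It keeps a keyring of AES-256-GCM keys indexed by a one-byte key ID, stores that ID in front of each ciphertext, binds the record identifier as associated data so a blob cannot be moved into another patient's row, and supports rotation so that old records remain readable while new writes use the fresh key and a retired key can be withdrawn. The patient record and identifiers in it are constructed sample data; a production system would keep the keys in a KMS or HSM rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Keyring holds AES-256 keys by one-byte key ID. New writes use Active; reads
// use whatever ID the stored blob names, so records written under an older
// key stay readable after rotation until that key is deliberately deleted.
type Keyring struct {
	Keys   map[byte][]byte
	Active byte
}

func randomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func NewKeyring() (*Keyring, error) {
	k, err := randomKey()
	if err != nil {
		return nil, err
	}
	return &Keyring{Keys: map[byte][]byte{1: k}, Active: 1}, nil
}

// Rotate adds a fresh key and makes it the active one for new writes.
func (kr *Keyring) Rotate() (byte, error) {
	k, err := randomKey()
	if err != nil {
		return 0, err
	}
	id := kr.Active + 1
	kr.Keys[id] = k
	kr.Active = id
	return id, nil
}

func (kr *Keyring) aead(id byte) (cipher.AEAD, error) {
	key, ok := kr.Keys[id]
	if !ok {
		return nil, fmt.Errorf("key id %d not available", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal produces keyID || nonce || AES-GCM ciphertext+tag. The record ID is
// bound as associated data, so a blob copied into another patient's row
// fails authentication even though it was encrypted under the same key.
func (kr *Keyring) Seal(recordID string, plaintext []byte) ([]byte, error) {
	g, err := kr.aead(kr.Active)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	out := append([]byte{kr.Active}, nonce...)
	return g.Seal(out, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal; it fails on a missing key, a truncated blob,
// tampering, or a record-ID mismatch.
func (kr *Keyring) Open(recordID string, blob []byte) ([]byte, error) {
	if len(blob) < 1 {
		return nil, errors.New("empty blob")
	}
	g, err := kr.aead(blob[0])
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	if len(blob) < 1+ns+g.Overhead() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[1:1+ns], blob[1+ns:], []byte(recordID))
}

func main() {
	kr, _ := NewKeyring()
	blob, _ := kr.Seal("patient-1001", []byte("dx: hypertension")) // constructed record
	kr.Rotate()
	pt, err := kr.Open("patient-1001", blob)
	fmt.Printf("after rotation: %q %v\n", pt, err)
	_, err = kr.Open("patient-1002", blob)
	fmt.Println("moved to another record:", err)
}
```

A key ID of one byte and a rotation counter are enough for the illustration; a real key hierarchy would wrap these data keys under a master key and rotate on a schedule, re-encrypting old records in the background before the retired key is destroyed.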
Given our ever-increasing reliance on online services, cybersecurity has become a priority across all industries. But the possibility of individual health data being exposed means that healthcare cybersecurity must be a priority in public and private practices alike. The data security measures outlined in this report are intended to mobilize organizations large and small to handle the information entrusted to them responsibly and to act in their patients' best interest.
Kruse, C.S., Frederick, B., Jacobson, T., & Monticone, D.K. (2017). Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, 25(1), 1–10. Retrieved from https://content.iospress.com/download/technology-and-health-care/thc1263?id=technology-and-health-care%2Fthc1263