Compared to banks or retailers, hospitals and healthcare trusts have always found themselves largely immune to the avarice of cybercriminals. However:
- This has meant that the healthcare industry’s wholehearted commitment to better patient information systems and data confidentiality compliance hasn’t typically included an explicit focus upon data security
- Innovative digital initiatives such as electronic prescriptions, telemedicine and e-health applications, that capitalise on increasingly widespread ultrafast broadband availability and smartphone/tablet usage, bring with them a new wave of security threats
- The cybercriminal industry’s ability to dream up new, devious moneymaking schemes has now brought hospitals and healthcare providers into its sights
Patient data commands privacy and respect. It also plays the most critical possible role in the wellbeing of patients. What’s new is…
How cybercriminals have managed to convert medical records into a goldmine of ill-gotten gains
A worrying spate of attacks in North America shows how they’ve cottoned-on to the sensitivity and value of patient information held by a healthcare provider, and worked out that there is one organisation that will pay them big sums to get their hands on it: the healthcare provider itself.
Cybercriminals can’t find buyers for stolen medical records on the black market, so the idea is to use malware (malicious software) to find where they are stored, scramble them all into encrypted code and give the healthcare provider 72 hours to pay a ransom. Pay and the code is unscrambled; refuse and thousands of records are forever rendered useless.
Called ‘ransomware’, these techniques are simple, effective and - according to the FBI - have proved lucrative to the tune of about $27m (£19m) in six months.
Healthcare-targeted attacks have risen 100% since 2010: Ponemon Institute
A recent report found that the organisational differences between a typical organisation and a typical healthcare organisation create systemic security implications.
- Large hospitals have thousands of workstations used by multiple employees to access confidential patient data. This is a very challenging landscape for keeping users and devices from becoming ‘infected’ by malware. In other kinds of businesses, each user has a dedicated workstation, and access to the most critical data is restricted.
- Healthcare user login to twice as many applications as the average user, exposing them to a larger potential source of incoming attack.
- Twice as many healthcare workstations and other ‘endpoints’ have Flash installed, and three times as many have Java. Flash and Java are widely used industry-standard tools, but can increase the likelihood of exploitation.
- Healthcare customers are more likely to choose Internet Explorer 11 as their internet browser, whereas other users tend to prefer the latest version of Google Chrome. This matters because IE11 has the greatest number of security vulnerabilities that could allow malware to be downloaded without the user even knowing. Older, unsupported browser versions are even worse.
- The Windows operating system is extremely popular in the healthcare sector. Again this is an industry-standard tool, but can represent additional vulnerability if a robust security policy is not closely followed.
So here are five steps to increasing security vigilance in the healthcare sector
1. Patch the easy way
Hackers pick holes in widely used commercial software, which are quickly
‘patched’ by software provides in a seemingly never ending race. But patches have to be installed right away, and that can be tough in an environment with thousands of devices and other endpoints, especially when they are mobile. Apply a policy with clear responsibilities for who does what. Look for automated solutions that reduce human error and mean hundreds of hours a month aren’t spent doing it all manually.
2. Keep a carbon copy
Having your data held to ransom is no longer a nightmare if you have a carbon copy of it all stored safely elsewhere. But how often is data backed up? Monthly, weekly, daily? Is it frequently enough to make a difference to Mrs Gupta’s diabetes treatment, or Mr Rashford’s pathology results? The chances are that you DO backup your data regularly, but that you might be surprised to learn it isn’t a ‘regularly’ as you’d expect it to be.
3. Test for weaknesses
Just like a thorough medical examination, a ‘penetration test’ undertaken by qualified professionals is a proven way to diagnose illness and prescribe a course of treatment. Take extra care checking the credentials and experience of whoever does your penetration testing, and make sure you fully understand any intended or unintended disruption this may cause.
4. Develop a security-aware culture
The stakes are always high in healthcare settings, making them among the most pressurised and politically charged professional environments. Don’t let cybercriminals exploit this! Encourage an acceptance that all users have a responsibility for maintaining security vigilance, and being watchful of unusual behaviour or serious IT misuse. Avoid complacency in hammering home best practice such as not clicking on links or opening attachments in suspicious looking emails or Internet sites.
5. Innovate with security in mind
If you’re concerned about IT security, don’t look at IT as the problem.
Stopping your digital journey might feel like the right way to prevent digital risks, but this is an exaggerated response to a manageable issue. So pursue, rather than pause, the exciting, transformative benefits of technology. But do so with a sober appreciation of the risks you face, and demand that highest standards of data security from your technology partners.