Rajesh Maurya, Country Manager, India & SAARC, Fortinet warns against cyberattack in hospitals and how imperative it is to take steps against such an occurence
Our healthcare systems, from EHR to medical devices, are more vulnerable than many of us realise. And the stakes are too high to ignore.
Even within the healthcare industry, few people realise just how vulnerable many of our systems are to cyber-attack. We talk about protected health information (PHI) and HIPAA compliance, we worry about penalties, but few organisations see themselves as targets for the sophisticated attacks that have wreaked havoc for the likes of Sony. We’re just hospitals, insurance companies, and doctors’ offices, right?
The reality though is that the black market for patient data is up to twenty times more valuable than that for credit card data often stolen in retail breaches. Healthcare data is detailed, rich and full of information that cyber-criminals can use for identity theft and fraud. More importantly, it takes far longer for patients to know their information has been compromised – it can take up to a year or more for someone to realise their patient data has been compromised. When a credit card is stolen, algorithms in the
financial industry pick up unusual activity very quickly and systems often automatically provide protection. Similar kind of protections simply don’t yet exist in healthcare.
Attacks on big retailers, banks and media companies make headlines, but the high stakes and big payoffs mean that we’re too close to a wave of healthcare-related cyber-crime for which most organisations and consumers are unprepared. Unfortunately, this is just the tip of the iceberg. There are, in fact, three primary vectors of a healthcare cyber-attack.
Traditional cyberattacks
These are the types of attacks that happen to all institutions, even if some are more likely to make headlines than others. Malware, phishing schemes, trojans, ransomware – they’re all out there, but the healthcare industry is particularly vulnerable because it lacks the built-in protections and underlying security mindset of other industries. These types of malicious software, whether deployed through targeted attacks, compromised websites, spam, infected mobile devices, or otherwise, cannot only expose sensitive data but create distracting and expensive IT headaches. A 2012 Ponemon Institute study found that data breaches cost the average healthcare organisation roughly $2.4 million over the previous two-year period.
These attacks aren’t terribly new, but their sophistication is and the ability to expose patient data is of real concern. Cyber-criminals have developed entire malware platforms that can be customised to attack healthcare organisations. The resulting HIPAA violations can incur substantial monetary penalties, not only for medical practices but their business associates as well.
Connected medical devices
Today, everything from heart monitors to IV pumps can be networked, automatically interfacing with EHR systems and providing real-time alerts to healthcare providers. From the perspectives of patient care and operational efficiency, this is a good thing. From a security perspective, it’s a potential nightmare.
Most of these devices, as well as MRI machines, CT scanners and countless other diagnostic machines were never designed with security in mind. Many diagnostic systems use off-the-shelf operating systems like Microsoft Windows while other devices use purpose-built software designed to collect data – not keep it safe. Too many of these devices are eminently hackable and, once compromised, can provide hackers with unfettered access to the clinical data systems within which they interface.
And it isn’t just patient data that’s vulnerable through connected devices. Cyberterrorists could potentially manipulate machines to intentionally harm patients or shut down critical systems in hospitals. As early as 2011, one researcher demonstrated how an insulin pump could be hacked to deliver a lethal dose of insulin.
Personal and home health devices
Device proliferation isn’t just occurring in hospitals. An increasing number of home health devices, mobile apps, wearables and more are collecting and transmitting personal health information. Not only do these devices and apps potentially expose patient data (or at least fail to adequately protect it), but also often interface directly with EHR and clinical data systems. When everything from a home glucose monitor to an iPhone app can become part of the attack surface, it should become clear just how badly exposed healthcare institutions are. As with clinical devices, most of these new patient care modalities are designed for convenience and innovative functionality rather than security.
Anthem breach – A wakeup call for serious action
Patient data sits in countless systems in hospitals, medical practices, insurance companies and even HR databases. These systems include legacy software, purpose-built hardware, troubled insurance exchanges and more. Those in healthcare IT knew that it was just a matter of time before a large scale breach hit a major insurer or hospital group. But the attack on Anthem known for their Blue Cross insurance brands appears to be particularly egregious. What is perhaps of even greater concern, though, is the apparent completeness of the compromise. Anthem noted on a special website dedicated to the breach http://www.anthemfacts.com that all lines of Anthem Business were impacted and all plans and brands of Anthem insurance were affected.
With so much money involved and high-value data shared in a healthcare network the Anthem breach may be the largest to date, but unfortunately, won’t be the last. More than any breach we heard about in 2014, this needs to be a wakeup call for serious action on cybersecurity, especially in the healthcare industry.
The time to address healthcare security is not when medical record breaches like the Anthem start making headlines. The time is now. The healthcare industry as a whole needs to be proactive and begin deploying systems with security baked in, protected at both the network and application levels. The stakes are simply too high to wait.
