Healthcare is an attractive area for cyber attackers. Security teams in healthcare organisations are typically smaller and less well-funded than in other sectors, and vast quantities of patient data is generated and accessed. An increased reliance on applications and data during the pandemic explains why cyberattacks have increased by 45 per cent globally since November 2020.
“The largest motivation for cyberattackers is financial gain” says Alastair Williams, Director of Solutions Engineering for EMEA at Skybox Security. “Patient information is incredibly valuable on the dark web. Identity theft is another reason. The more information you have, the more chances you have of being successful with assuming an individual’s identity to register for bank accounts, credit cards or Amazon accounts.”
Blackmail is another motivation. “There can be situations where people have information about their medical history or current medical condition they don’t want in the public domain” Williams explains. “Maybe they’re suffering from an illness that would jeopardise their opportunities, or a celebrity is seeking medical assistance privately.”
Another aspect that must be taken into consideration is espionage. “There may be individuals looking to get a competitive gain with the development of COVID vaccines or types of treatment” Williams says.
Terry Ray, Senior Vice President at Imperva, says there’s a multibillion dollar incentive for countries to manufacture their own vaccine. “People might think doctors and physicians are collaborating enough that everybody knows how everybody’s doing, but there’s still intellectual property at each one of their organisations, containing how they are getting mRNA results from their vaccines. If you’re able to hack into one, and you have all of the intellectual property from these vendors, you can pick and choose and build it yourself, particularly in countries where there may be fewer trade laws and regulations.”
National vaccination programmes are presenting another opportunity for hackers. “Whenever a new iPhone gets released it’s a major target for phishers, getting people to click on a link to see all the new features of iPhone” Ray explains. “Now think about COVID vaccine testing sites, with information on where vaccines are available. People will click on these links.
“My 77-year-old mother-in-law just got her vaccination. To do it she had to go to a website and sign up for a date and time. How is that website secured? What does it know about her? What’s sitting behind her information, that shows why she can get the vaccine instead of somebody else? We’ve seen a major uptick in people trying to get in and be able to gather that information in the last 90 days” Ray says.
There are also attacks designed simply to sow chaos. “There are some hackers that just like to cause problems” Williams says. “The medical industry may be impacted by that. A good example was the WannaCry ransomware attack back in 2017.” WannaCry was a worldwide attack that spread to more than 150 countries, and became the biggest cyberattack the UK’s National Health Service (NHS) had ever experienced. Malware encrypted data on computers belonging to 81 out of 236 NHS trusts across England; as a result thousands of appointments and operations were cancelled. A subsequent investigation found that this could have been prevented.
Ray says organisations should first address what he calls “low hanging fruit”. “The application side is the primary access point for everything that’s going to happen anywhere in the organisation” he says. “It doesn’t matter what EMR or systems you’re using, whether you’ve outsourced or brought things in-house, the majority of your users are going to access patient data through an application, so you’ve got to make sure those are secure. You can’t go low budget – you need a solution that can tell the difference between Terry in Texas and Ivan somewhere in Eastern Europe, tell you that if they both log in with the same credential at the same time that’s a problem.”
Williams says visibility is key, and for this a data-driven approach needs to be adopted. “One way to do that is to take the configuration settings of how a device has been set up, like a network infrastructure component that’s facilitating accessibility to the data that we’re trying to protect, and bring that all together like a jigsaw puzzle.
“Then it’s about being able to ask questions based on what you see, like whether your ingress and egress points are configured security. Once you’ve gone through the process of getting that visibility, you can then analyse these to make sure that they are configured in accordance with an industry best practice, regulatory recommendations or some sort of vendor recommendation around how that device should be securely configured.”
Ray hopes that healthcare organisations can get to the point where data security is a mainstream concern. “The barrier to most people is that they perceive it as being very complex” he says. “Not a lot of security people know anything about protecting databases or file servers, they’ll fully admit it. I would say it’s about education, and it doesn’t have to be complex but you can’t do it manually. In the case of a large hospital system that may have hundreds to thousands of databases, and thousands of people accessing those databases, a small security team that’s supposed to do something manually about all the people that have different rights and roles over the database, will never manage it.”
Instead, security systems should be modernised by implementing automated controls using machine learning and artificial intelligence. Ray adds: “Healthcare has to get its security teams over the hump, to say, this is something we can do, we can solve this problem with technology.”