Patient data is a critical aspect of modern health care. From billing to efficiently diagnosing illness and offering just-in-time care, information about patients flows across the industry and practices. Patient data is valuable for providing care, but it’s also valuable to another, less savoury contingent: cybercriminals.
The reason cybercriminals are interested in patient data is because it’s worth money. According to some reports, medical data is 10 to 20 times more lucrative than credit card or banking details. Stealing patient information leads to identity theft and extortion, and it can also be sold on the dark web to further fund criminal activities.
The problem is that health care doesn’t have such a great track record when it comes to protecting patient data. The Office of the Australian Information Commissioner’s most recent Notifiable Data Breaches Report for the July–December 2020 period makes sobering reading for healthcare professionals, particularly those engaged in protecting patient data.
During the reporting period, there were 539 breaches, an increase of 5% from the 512 notifications received from January to June 2020. It also found the healthcare sector was the highest reporting industry sector, responsible for 23% of all breaches. By comparison, the next highest reporting sector was finance, at 15%.
Malicious threat actors are responsible for 58% of all breaches, but human error comes a close second at 38%, up from 18% in the previous reporting period.
The line between the two is blurred, because malicious threat actors can exploit human error to gain access to data. The most common attacks take advantage of misconfigured IT devices, which let threat actors into an environment, or of the mishandling of data, where staff mistakenly expose patient or healthcare records.
Human error and hackers — two ways into valuable data
When it comes to criminals hacking their way into healthcare systems, the usual technical route is through systems that aren’t up to date. Health care is notorious for hanging onto old versions of software, and this is made worse by clinical hardware systems that run out-of-date software that’s no longer supported.
Outdated software and unsupported hardware mean security patches aren’t applied, so known vulnerabilities remain open and can be exploited as a way onto the network and into the systems where personally identifiable information (PII) or healthcare data is kept.
In the case of old hardware, there’s no easy way to secure it short of keeping it off the network altogether. However, that is impractical for most healthcare organisations. When dealing with old hardware that is no longer patched, the best option is to place these systems in isolated network segments and actively monitor both the systems and their networks for threats using detection and response tooling.
But technical hacking isn’t the only way threat actors find their way in. Social engineering remains the pre-eminent way for hackers to get access to a computer and from there onto the network (Verizon, 2021 Data Breach Investigation Report).
Social engineering is a psychological attack. In such an attack, the victim is tricked into doing something they should not do. This could include handing over credentials and passwords, or clicking on a link in an email that then downloads malware onto the user’s computer.
Once malware is in place, the threat actor can do just about anything they want. They can nose around the network looking for patient data, or they can encrypt patient data and then ask for a ransom to decrypt it. Worse, they can also extort the victim healthcare company by stealing data and then threatening to leak it publicly.
The OAIC report tells healthcare that it needs to get its house in order when it comes to protecting patient data. Employees need cybersecurity training to spot social engineering attempts, and the IT department needs to make sure software is patched, or if it can’t be, then it’s at least isolated and actively monitored for malicious activity. Without these efforts, health care will retain its ignominious distinction as being the most-breached sector in Australia.
And it’s not just healthcare companies that will suffer. Patients will suffer too.
Some actions to take:
- Nearly all attacks exploit inadequate cybersecurity controls such as unpatched systems and applications, so make it priority number one to patch.
- When using old hardware that can no longer be patched, place these systems in isolated network segments and monitor them with active detection and response tooling.
- Restrict administrative privileges to ensure users are only using standard user accounts with the minimal number of permissions needed for their role. Standard users don’t need to be local administrators. Ensure highly privileged users have separate accounts for administrator tasks that can only be used on a limited number of systems.
- Offline, daily backups. Given the destruction caused by ransomware, it’s essential to run daily backups that are not connected to the main IT network. Also ensure that disaster recovery plans are tested and practised in case systems need to be rebuilt from previous backups.
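As an added illustration of the actions above (and of the isolate-and-monitor advice for old hardware earlier in the article), the following Python script is not part of the original article: it audits a constructed asset, account and backup inventory against those four controls and lists what fails. The field names, the 30-day patch window, the segment name "legacy-isolated" and every host, user and job name are assumptions made up for the example.

```python
"""Audit a small inventory against the four controls: patching, isolation
of unpatchable systems, least privilege, and offline daily backups.
All data below is constructed for the example; nothing here is real."""
from datetime import date, timedelta

MAX_PATCH_AGE_DAYS = 30                  # assumed policy for supported systems
ISOLATED_SEGMENTS = {"legacy-isolated"}  # assumed names of quarantined network segments

# Constructed asset inventory (hypothetical hosts).
ASSETS = [
    {"host": "ehr-app-01",     "supported": True,  "patch_age_days": 12,   "segment": "clinical-core",   "monitored": True},
    {"host": "mri-console-02", "supported": False, "patch_age_days": 1900, "segment": "clinical-core",   "monitored": False},
    {"host": "xray-ws-03",     "supported": False, "patch_age_days": 4000, "segment": "legacy-isolated", "monitored": True},
    {"host": "billing-db-04",  "supported": True,  "patch_age_days": 95,   "segment": "corporate",       "monitored": True},
]

# Constructed list of everyday (standard) user accounts (hypothetical users).
ACCOUNTS = [
    {"user": "jsmith", "privileged_role": False, "local_admin": False, "separate_admin_account": None},
    {"user": "ahelp",  "privileged_role": False, "local_admin": True,  "separate_admin_account": None},
    {"user": "bops",   "privileged_role": True,  "local_admin": False, "separate_admin_account": "bops-adm"},
    {"user": "cdoe",   "privileged_role": True,  "local_admin": True,  "separate_admin_account": None},
]

# Constructed backup job status (hypothetical jobs).
BACKUPS = [
    {"job": "ehr-nightly",    "last_success": date(2021, 6, 30), "offline": True},
    {"job": "billing-weekly", "last_success": date(2021, 6, 24), "offline": True},
    {"job": "pacs-sync",      "last_success": date(2021, 6, 30), "offline": False},
]


def audit_assets(assets, isolated_segments=ISOLATED_SEGMENTS, max_patch_age=MAX_PATCH_AGE_DAYS):
    """Supported systems must be patched; unsupported ones must be isolated AND monitored."""
    findings = []
    for a in assets:
        if a["supported"]:
            if a["patch_age_days"] > max_patch_age:
                findings.append((a["host"], "UNPATCHED"))
        else:
            if a["segment"] not in isolated_segments:
                findings.append((a["host"], "UNSUPPORTED_NOT_ISOLATED"))
            if not a["monitored"]:
                findings.append((a["host"], "UNSUPPORTED_NOT_MONITORED"))
    return findings


def audit_accounts(accounts):
    """No everyday account is a local admin; privileged staff use a separate admin account."""
    findings = []
    for acct in accounts:
        if acct["local_admin"]:
            findings.append((acct["user"], "STANDARD_ACCOUNT_IS_LOCAL_ADMIN"))
        if acct["privileged_role"] and not acct["separate_admin_account"]:
            findings.append((acct["user"], "NO_SEPARATE_ADMIN_ACCOUNT"))
    return findings


def audit_backups(backups, today):
    """Backups must be offline and no older than one day."""
    findings = []
    for b in backups:
        if not b["offline"]:
            findings.append((b["job"], "BACKUP_NOT_OFFLINE"))
        if today - b["last_success"] > timedelta(days=1):
            findings.append((b["job"], "BACKUP_STALE"))
    return findings


def run_audit(today):
    """Collect every finding into one list of (control, item, issue) tuples."""
    report = []
    report += [("patching/isolation", h, i) for h, i in audit_assets(ASSETS)]
    report += [("least-privilege", u, i) for u, i in audit_accounts(ACCOUNTS)]
    report += [("backups", j, i) for j, i in audit_backups(BACKUPS, today)]
    return report


if __name__ == "__main__":
    for control, item, issue in run_audit(date(2021, 7, 1)):
        print(f"[{control}] {item}: {issue}")
```

Running the script with an audit date of 1 July 2021 flags the unsupported MRI console that sits on the clinical core segment without monitoring, the billing server whose patches are 95 days old, the two accounts that violate least privilege, the week-old backup and the backup job that is still online. In practice the inventory would come from the CMDB, directory and backup system rather than inline dictionaries, but the rules stay the same.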