By Wayne Loveless
The sector will always be an ideal target for cybercriminals, and steps are needed in order to protect information
One thousand dollars. That is the current potential value for a patient healthcare record on the robust and largely unpoliced Dark Web black market. With the mean size of data breaches in the healthcare industry at roughly 20,500 records, this adds up to a profitable segment of cyber theft. In fact, it is the most profitable sector for cyber threat actors to focus their energy and efforts on.
With incidents rapidly rising, and the healthcare industry’s seemingly slow adoption of cyber security principles and operations, the sector is a prime target and will continue to be so until systemic changes are made to how entities protect their patients’ most critical data.
Why do hackers want your medical records? Quite simply because they are the broadest, most comprehensive sets of information available today. Access to a complete record provides all the demographic information, financial data, and personal health information to use as potential leverage that a threat actor could want.
In no other industry do people put as much trust as they do with medical services. Yet there still is a lack of concerted effort to secure patient data
Hospitals and service providers are always looking at the cutting-edge of medical science, seeking out the latest and greatest in medical care to secure new patients and retain patients in the long term. Overlooking the potential disaster from not securing their critical data, hospitals and service providers generally integrate a host of systems from third party vendors, customer relationship management (CRM) applications, cloud services, mobile health applications, medical devices, and all manner of supporting infrastructure. These technologies are generally enabled with internet addressable services, offering attackers a broad spectrum of potential threat vectors to compromise patient records.
The sheer number of potential avenues of attack make cyber security a daunting task. As an example, a typical patient room in a modern hospital will have a multitude of IoT devices. The bed is likely Internet Protocol (IP) enabled and connected to the hospital network. It will be connected to a third-party supplier and may also have an interface with the hospital electronic health record (EHR) system to display patient data. Most of the medical devices and test equipment wheeled in and out of the room will also be IP enabled and connected to a third-party network for updates and management.
Given the rapidly expanding threat environment and the high desirability of illegally obtaining records and data, in addition to threats to the operations of medical entities, it is time to rethink the obligation of the service provider in terms of securing patient records and data.
In no other industry do people put as much faith and trust as they do with their physicians and medical services. Yet outside of some of the highly regulated environments of the US with HIPAA and the EU with GDPR, there still is a lack of concerted effort to improve the overall security of patient data.
According to EY’s recent Global Information Security Survey (GISS) study, only 17 percent of healthcare providers having any representation for cyber security within the boardroom members.
In order to improve this situation, governments of all levels need to get more involved. A mix of regulatory functions and collaboration are all needed to help move the needle on cyber readiness. They should establish a baseline for securing patient data, and ensure that a smart and dynamic regulatory environment is established that balances patient care with security.
Government entities can play a strategic role in supporting information sharing between providers, security agencies and among the community, rather than just being a regulator.
Leveraging emerging technologies and defensive capabilities is always the first place that many entities go when seeking to improve cyber readiness. There are a number of emerging technologies that harness the power of artificial intelligence and machine learning and that can understand IoT protocols to help ferret out cyber threats in the network.
However, in most cases in the medical community, cyber threats did not break through the front lines of security, but rather slide in through a side door thanks to unwitting staff, employees, and executives working as an involuntary intermediary for cyber threat actors.
Only 17 percent of healthcare providers having any representation for cyber security within the boardroom
Malicious attachments and web borne malware through targeted phishing campaigns are still the delivery method of choice, and people continue to be the weakest link in the chain for cyber security worldwide. With the medical community in particular, there are so many different side channels and means for threat actors to gain access to the network, exceptional efforts should be made to help maintain a high level of awareness and continued vigilance for cyber-attacks.
Lastly, the need to improve processes – specifically in the areas of asset, change management, and periodic review and updates of system configuration and security –can be the least expensive, yet most effective protection against cyber threats.
Nearly all of the most recent attacks have used exploits for systems that are well known and use services and protocols in the network that should have been disabled by default. Yet basic cyber hygiene has taken a back seat, while overworked and understaffed IT teams attempt to keep all of the technology focused on patient delivery and operations running smoothly.
Taking the needed strategic pause to take systems offline and conduct patching and updates and migrations is often difficult if not impossible in the high demand 24/7/365 operating construct of a functioning hospital.
Yet, without sound processes for building more secure software, and providing better network security, cyber threat actors will continue to find success in accessing and causing havoc in the industry.