Healthcare is an attractive area for cyber attackers. Security teams in healthcare organizations are typically smaller and less well-funded than in other sectors, and vast quantities of patient data are generated and accessed. An increased reliance on applications and data during the pandemic is why cyberattacks have increased globally by 45% since November 2020.
“The largest motivation for cyber attackers is financial gain,” says Alastair Williams, Director of Solutions Engineering for EMEA at Skybox Security. “Patient information is incredibly valuable on the dark web.”
Identity theft is another reason. The more information you have, the more chances you have of being successful with assuming an individual’s identity to register for bank accounts, credit cards, or Amazon accounts.”
Blackmail is another motivation. “There can be situations where people have information about their medical history or current medical condition they don’t want in the public domain,” Williams explains. “Maybe they’re suffering from an illness that would jeopardize their opportunities or a celebrity is seeking medical assistance privately.”
Another aspect that must be taken into consideration is espionage. “There may be individuals looking to get a competitive gain with the development of COVID vaccines or types of treatment,” Williams says.
Terry Ray, Senior Vice President at Imperva, says there’s a multibillion-dollar incentive for countries to manufacture their own vaccine. “People might think doctors and physicians are collaborating enough that everybody knows how everybody is doing, but there’s still intellectual property at each one of their organizations, containing information on how they are getting mRNA results from their vaccines. If you’re able to hack into one, and you have all of the intellectual property from these vendors, you can pick and choose and build it yourself, particularly in countries where there may be fewer trade laws and regulations.”
National vaccination programs are presenting another opportunity for hackers. “Whenever a new iPhone gets released it’s a major target for phishers, getting people to click on a link to see all the new features of the iPhone,” Ray explains. Now think about COVID-19 vaccine testing sites, with information where vaccines are available. People will click on these links.
“My 77-year-old mother-in-law just got her vaccination. To do it, she had to go to a website and sign up for a date and time. How is that website secured? What does it know about her? What’s sitting behind her information that shows why she can’t get the vaccine instead of somebody else? We’ve seen a major uptick in people trying to get in and be able to gather that information in the last 90 days,” Ray says.
There are also attacks designed simply to sow chaos. “There are some hackers that just like to cause problems,” Williams says. “The medical industry may be impacted by that. A good example was the WannaCry ransomware attack back in 2019.” WannaCry was a worldwide attack that spread to more than 150 countries and became the biggest cyberattack in the UK’s National Health Service (NHS) had ever experienced. Malware encrypted data on computers belonging to 81 out of 236 NHS trusts across England, as a result thousands of appointments and operations were canceled. A subsequent investigation found that this could have been prevented.
Ray says organizations should first address what he calls “low hanging fruit.” The application side is the primary access point for everything that’s going to happen anywhere in the organization,” he says. “It doesn’t matter what EMR or systems you’re using, whether you’ve outsourced or bought things in-house, the majority of your users are going to access patient data through an application, so you’ve got to make sure those are secure. You can’t go low budget – you need a solution that can tell you the difference between Terry in Texas and Ivan somewhere in Eastern Europe and tell you that if they both log in with the same credential at the same time, that’s a problem.”
Williams says visibility is the key, and for this, a data-driven approach needs to be adopted. “One way to do that is to take the configuration settings of how a device has been set up, like a network infrastructure component that’s facilitating accessibility to the data that we’re trying to protect and bring that together all like a jigsaw puzzle.”
“Then, it’s about being able to ask questions based on what you see, like whether your ingress and egress points are configured securely. Once you’ve gone through the process of getting that visibility, you can then analyze these to make sure that they are configured with accordance with an industry best practice, regulatory recommendations, or some sort of vendor recommendation around how that device should be securely configured.”
Ray hopes that healthcare organizations can get to the point where data security is a mainstream concern. “The barrier to most people is that they perceive data security as being very complex,” he says. “Not a lot of security people know anything about protecting databases or file servers; they’ll fully admit it. I would say it’s about education, and it doesn’t have to be complex, but you can’t do it manually. In the case of a large hospital system that may have hundreds to thousands of databases, and thousands of people accessing those databases, a small security team that’s supposed to do something manually about all the people that have different roles over the database, will never manage it.”
Instead, security systems should be modernized by implementing automated controls using machine learning and artificial intelligence. Ray adds: “Healthcare has to get its security teams over the hump to realize this is something they can do – they can solve this problem with technology.”