12
Jun

Healthcare Industry: The New Go-To for Cyber Criminals


February 04, 2019—Cyberattack at Catawba Valley Medical Center in Hickory impacted 20,000 records of patients that include their names, birthdates, social security numbers, and health information [1].
February 20, 2019—Medical files of 15,000 patients from a specialist cardiology department at Cabrini Hospital were compromised by a cybercrime syndicate for a ransom amount [2].
April 17, 2019—Ohio-based health recovery services provider, who is a provider of drug and alcohol addiction services, was a victim of a 3-month-long network breach. During this period, the provider has compromised 20,485 patients’ data [3].
The health care industry is at risk due to increased susceptibility to cyber attacks. With health care staff concerned with patient care and safety, it is unsurprising that there is little time left to focus on cybersecurity. The service motive of health care has now become their weakest link, with intruders and cybercriminals identifying the industry as an easy target and successfully targeting health care organizations over the past few years.

Thales Security U.S. Healthcare Data Breach Statistics [4]

About 77% of health care organizations have experienced a breach in the year 2018 About 48% of health care organizations have been breached previous year About 85% of health care organizations are increasing cybersecurity spending
  1. Medical devices can be accessed easily

Medical devices, such as X-ray equipment, insulin pumps, pacemakers, and more, are necessary infrastructure in everyday modern health care. The critical issue with these devices is that they are designed with one purpose—serving the patient. These devices are not created with security in mind. Though not all devices contain patient’s information or confidential data, they can serve as an entry point to infrastructure that does store confidential, regulated, or sensitive data. Attackers know that medical instruments are the soft targets, and in the worst scenario, attackers can take control of a medical device to prevent health care organizations from providing necessary treatment to their patients via ransomware.

The Fetal Diagnostic Institute of the Pacific was hit by a ransomware attack on June 30, 2018, that compromised the data of 40,800 patients [5].
  1. Patient information is worth a ransom amount

Hospitals have valuable data stored with them, worth a lot to attackers. Attackers target hospital servers, capture data, and restore them for ransom amount. When hospitals collect information from patients, it becomes their responsibility to protect their patients’ records. Compliances, such as GDPR, are now implementing policies demanding security of data by organizations, including health care.

  1. Health care staff hesitates to update technology

Health care is the busiest industry with the constant demand for its services; they often work extended hours too. Health care staff prefers to work in a sleek working style, where security checks do not hinder them. Their usual working style, where they are obliged to complete the tasks while attending the patients politely, gives them limited scope to adopt new technological changes. Lack of software upgrade and being stringent with the previous and outdated security processes makes an easy way for modern attackers to intrude and breach the data. Commonly used software, such as Microsoft Office, Google Chrome, Mozilla Firefox, and your basic operating system, receive updates regularly. If these updates are not performed, then the system becomes vulnerable to cyber attacks.

  1. Lack of education on online risks

Health care staff is trained in computer security but are not really aware of the repercussion of online threats. Due to time constraints and budget limitations, health care does not prioritize education about online risks. The staff is not trained on social engineering, phishing, and another type of common attacks. The staff may easily fall for the attackers who are trying to use the human factor to intrude the network of hospitals and obtain access. Healthcare Industry Cybersecurity Report 2016 has identified that out of 18 sectors, health care stand at 15 as one whose employees are most susceptible to social engineering attacks [7].

  1. A large number of devices used

Modern health care infrastructure deals with thousands of connected medical devices. The activity of these devices is often not tracked, nor is there any control over their usage. Because of the lack of appropriate security measures, these connected devices act as a potential threat for attackers. When one device is breached, the attackers can easily gain access over other devices also.

  1. Patients information has multiple accesses

Private information of patients, including their personal information and payment details, is stored on an open source for the health care staff to access as required. The data are maintained on-site as well as off-site for easy reference. There is no defined and restricted access to the data, based on the job role. Those who deal with patients’ health records need access only to the patients’ diagnosis and those on the back-end emailing the reports need access only to email ids and investigation reports. However, unfortunately, the entire data of a patient is exposed at all levels, making it vulnerable to attacks.

Small health care organizations share equal risk

All health care organizations, either big or small, are at risk from online threats. Large health care enterprises are targeted as they hold a large amount of data. However, small health care units are often targeted to reach larger enterprises. For example, Newkirk Products, Inc., does not deal with health care devices but is a service provider that issues health care ID cards for health insurance plans, including Blue Cross and Blue Shield of Kansas City. Newkirk announced a data breach of 3.47 million patients’ data during mid-2016 [6].

Health care organizations should get ready to increase their spending on cybersecurity. They share the biggest responsibility of securing the patient’s data from getting into the hands of potential hackers. It is, therefore, crucial for them to analyze and make a proper strategy on the budgeting of cybersecurity, and it includes hiring security expertise too. EC-Council’s program, Certified Ethical Hacker (C|EH), is an optimum solution to interrogate vulnerabilities and suggesting measures to deal with them. C|EH benefits both individual and organization as it prepares you with all the five phases of ethical hacking. The program has been accredited by ANSI and is mapped to a NICE framework. It is completely online, and the credential is popular among employers worldwide. You can avail more details about the C|EH program by visiting https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/.

Sources

  1. https://www.wcnc.com/article/tech/names-birthdates-social-security-numbers-part-of-health-care-cyber-attack/275-30bd7853-b5e1-41fd-9575-ddafc1ab39ae
  2. https://www.theage.com.au/national/victoria/crime-syndicate-hacks-15-000-medical-files-at-cabrini-hospital-demands-ransom-20190220-p50z3c.html
  3. https://healthitsecurity.com/tag/healthcare-data-breach
  4. https://dtr-healthcare.thalesesecurity.com/
  5. https://www.healthcareitnews.com/news/ransomware-attack-fetal-diagnostic-lab-breaches-40800-patient-records
  6. https://digitalguardian.com/blog/top-10-biggest-healthcare-data-breaches-all-time
  7. https://www.bankinfosecurity.com/interviews/healthcare-sector-among-most-at-risk-from-social-engineering-i-3370
Editor's Note:
Reviewed by Robert Duhart, Director, Security Architecture at Cardinal Health and Christopher Williams, VP, Cyber Threat Intelligence at Worldpay.
get certified from ec-council
Write for Us