Healthcare leads in cost of data breaches


Data breaches in the healthcare sector cost £5.2 million on average, almost double the global average of £3.2 million. Cyber-security experts say the figure is set to rise

Data breaches in the healthcare sector cost US$ 6.45 million (£5.2 million) on average, almost double the global average of US$ 3.92 million (£3.2 million), according to an IBM report. Healthcare is the most breached industry, confirms research by SecurityScorecard.

Lack of security in the sector has resulted in a 50 percent increase in data breaches from June 2017 to May 2019. In the US, breaches at organisations affecting more than 500 individuals have exceeded 30 per month in 2019, said the research report.

Last year, the health records of more than 1.5 million people in Singapore -- including the country’s Prime Minister Lee Hsien Loong -- were stolen in a cyber-attack that targeted the government’s health database. 

According to the Identity Theft Resource Center (ITRC), USA, there were 363 cases of data breaches globally in medical and healthcare organisations in 2018, exposing 9,927,798 documents. These numbers are set to increase globally, according to the SecurityScorecard research.

Size matters 

"The size of an industry network has an impact on the scoring. The larger the network, the more digital assets are available, increasing the vectors of potential exploitation," SecurityScorecard chief research officer Alex Heid told SC Media UK. 

The healthcare industry holds more data on a single individual than any other industry, says the report. In addition, the introduction of mobile technologies for obtaining and assessing patient requests has made health organisations more vulnerable.

The SecurityScorecard research was based on healthcare companies within the United States, but the findings are applicable globally, particularly considering that most US-based companies make use of third-party vendors located in foreign countries, explained Heid.

"Application security, possibly more than any other threat vector, remains healthcare’s greatest cyber-security weakness. As more healthcare providers incorporate mobile devices and Internet of Things (IoT) devices, malicious actors will increase their focus on these web application vulnerabilities," the SecurityScorecard report said.

Attack vectors

In July, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned that GE anesthesia machines are susceptible to hacking. The alert came after healthcare cybersecurity company CyberMDX flagged the vulnerabilities in certain models.

GE later acknowledged the vulnerabilities, saying they allow "a malicious party" to potentially modify gas composition parameters, modify device time and silence alarms after the initial audible alarm.

More than 75 percent of devices in healthcare facilities in the Philippines were infected by malicious code, reported Kaspersky researchers. More than seven in ten medical devices in that region -- servers, computers, tablets, gadgets, and hospital machines connected to the internet -- had some sort of cyber-security problem, the researchers found. 

Bangladesh and Thailand were two other Asia Pacific countries in the top 15 countries with the most detected infections, logging 58 percent and 44 percent respectively, the report said.

"While in some countries it's possible to remediate financial damage caused by malicious actions, healthcare data is far more difficult to change," noted Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center (CyRC).

According to him, the generally open nature of medical facilities makes it difficult to protect physical devices from hacking. 

"For example, a clinician often escorts a patient to a treatment room where the patient may be alone for several minutes. The treatment room may have medical devices of various types, including computers and diagnostic equipment. This window of opportunity could allow malicious individuals access to infect the devices with any types of malware or even to install a service on a device connected to a trusted hospital network," he explained.

Partner problems

Third-party risk is another major problem within the industry, as healthcare providers are expected to share patient data with medical stakeholders such as labs and specialists. These associated businesses often are not fully secured, and malicious actors target them to obtain the patient data.

US billing services vendor American Medical Collection Agency (AMCA) suffered a data hack lasting eight months, between August 2018 and March 2019. At least six clients of AMCA reported that their patient data was compromised by the hack. Quest Diagnostics was the hardest hit, with the data of up to 12 million patients being stolen.

An analysis of medical image storage systems exposed to the public web by Germany-based vulnerability analysis company Greenbone Networks found that almost 600 servers in 52 countries are completely unprotected against unauthorised access, leaving x-ray and scan reports of millions of patients unprotected.

"Hospitals use extensive image archiving systems known as PACS (Picture Archiving and Communication Systems) servers, to store and access these images. It has been known for some time that PACS servers are vulnerable. What was unknown until today is how large and widespread this global data leak actually is," said the Greenbone report.

"The massive amount of datasets, combined with the number of freely accessible PACS systems that were configured in similar ways shows that protecting data still is a major challenge for organisations in all verticals," commented Felix Rosbach, product manager at comforte AG. 

"While it is not always possible to prevent malicious access, sophisticated data protection is a must when processing and storing sensitive information – especially PII and healthcare records. These are core requirements of data privacy regulations like HIPAA and GDPR and there might be fines coming up for this," he said.

Internal risks

Internal risks - malicious or unintentional - have become another major area of concern.

"The risk of a human being exploited via social engineering is always higher than the risk of a technical exploit, as social engineering allows the attacker to disable/bypass security controls through simple trickery and deception," said Heid.

Such an attack would usually be a targeted spear-phishing email sent to employees of a company with the purpose of obtaining credentials or deploying malware. All the recipient needs to do is click the link in the email.

Several instances of wanton data theft by insiders have been coming to light recently. The latest was at Wrightington, Wigan and Leigh NHS Foundation Trust, UK, where the details of more than 2,000 patients -- including their blood results, medication and discharge letters -- were accessed. The breach took place over 18 months.

"The investigation into this breach revealed that there was no reason to suspect that any of the data was used in malicious activities. However, taking into consideration that the cyber-security threat from people who are already on your network (employees, customers, and suppliers) accounts for 80 percent of security incidents, it is critical that healthcare organisations take the necessary steps to secure their systems from even the most trusted insider," said Robert Ramsden-Board, EMEA vice president at Securonix.

"The employee who has inappropriately accessed your record is a member of our staff who has legitimate access to our electronic health record system; for example, a medical professional or clinical administrator," announced the NHS trust.

"Unfortunately during this investigation poor computer etiquette was also identified and therefore we are unable to validate the specific individual concerned," it added.

Poor penalties

Legal action and conviction have been worryingly low when compared to the booming number of data breaches.

The US indicted two Iranian hackers in 2018 for attacking the computer networks of hospitals and other targets in 43 states, which severely disrupted the working of a heart hospital in Kansas and of a major diagnostic blood testing business.

AMCA and Quest Diagnostics are facing a lawsuit in the US over lax security practices which led to the widespread data breach. The case is seeking more than US$5 million (£4 million) in damages caused by the breach.

In the European region, a notable legal action was by the Austrian Data Protection Authority, which penalised a healthcare business for non-compliance with information obligations and for not appointing a data protection officer. 

Heid noted that he did not come across any other significant indictments in the US during the SecurityScorecard research. The onus for security eventually falls on the end user, note cyber-security experts.

"With the rise of cyber-security concerns in medical care, patients are well advised to review any statements listing care provided and compare them against the actual care received. If any discrepancy is discovered, immediately raise the issue to the provider," said Mackey of Synopsys.

"Additionally, if anyone proactively reaches out to a patient following care, it’s worthwhile to contact the facility directly. While some providers are proactively soliciting feedback on the level of care received and others may be seeking payment for services rendered, in all cases if there is any doubt as to the legitimacy of the communications, contact the provider directly," he added.

Most medical data breaches arise from poor visibility, noted Eoin Keary, CEO and cofounder of edgescan.

"A fundamental aspect of cyber-security is the visibility of assets owned by an organisation. Continuous asset profiling and vulnerability management is key to detecting such simple errors," he said. 

That has been the case with the unsecured x-ray and scan reports databases, said Rehan Bashir, managing security consultant at Synopsys.

"There are still doctor’s offices that have their main servers open to the internet, with insecure Windows server remote desktop protocol (RDP) port 3389 open for easy access. This allows doctors and their staff to access the office network to retrieve patient healthcare data remotely and conveniently," he said. 

"In many instances these offices do not even use secure virtual private networks (VPNs) for remote access. It has also been observed that easy-to-guess passwords were being used and shared among office staff members for convenience. Such remote access methods are an open invitation for malicious users to compromise the confidentiality and integrity of patient healthcare data."
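The exposure Bashir describes (RDP reachable from the whole internet rather than only through a VPN) is exactly the kind of simple error that Keary's continuous asset profiling is meant to catch. The following is an added example, not code from the article or from any of the companies it quotes: it audits a small constructed firewall rule set and reports allow rules that open a remote-access or imaging port to a source outside the internal ranges. Port 3389 comes from the text; the DICOM ports used by PACS servers (104, 11112) are an assumption added here.

```python
"""Flag firewall rules that expose remote-access or imaging services to the internet."""
import ipaddress
from dataclasses import dataclass

# 3389 (Windows RDP) is the port named in the article; the DICOM ports used by
# PACS servers (104, 11112) are an assumption added for this example.
SENSITIVE_PORTS = {3389: "RDP", 104: "DICOM/PACS", 11112: "DICOM/PACS"}

# Address ranges treated as internal (RFC 1918 plus loopback). Any source not
# fully inside one of these is considered reachable from the public internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class FirewallRule:
    name: str
    src: str        # CIDR allowed to connect
    dst_port: int
    action: str     # "allow" or "deny"


def is_internal(cidr: str) -> bool:
    """True if every address in cidr lies inside one internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == i.version and net.subnet_of(i) for i in INTERNAL_NETS)


def exposed_rules(rules):
    """Return (rule name, service, source) for every allow rule that opens a
    sensitive port to a source outside the internal ranges."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dst_port not in SENSITIVE_PORTS:
            continue
        if not is_internal(r.src):
            findings.append((r.name, SENSITIVE_PORTS[r.dst_port], r.src))
    return findings


# Constructed sample rule set for a small clinic (not a real configuration).
SAMPLE_RULES = [
    FirewallRule("rdp-anywhere", "0.0.0.0/0", 3389, "allow"),        # open to the world
    FirewallRule("rdp-via-vpn", "10.8.0.0/24", 3389, "allow"),       # VPN client pool only
    FirewallRule("pacs-partner", "203.0.113.0/24", 11112, "allow"),  # external source
    FirewallRule("https-site", "0.0.0.0/0", 443, "allow"),           # not a sensitive port
    FirewallRule("rdp-block", "0.0.0.0/0", 3389, "deny"),            # deny rules are fine
]

if __name__ == "__main__":
    for name, service, src in exposed_rules(SAMPLE_RULES):
        print(f"{name}: {service} reachable from {src}; restrict to VPN or internal ranges")
```

Run against an exported rule set on a schedule, the same check gives the regular reassessment Keary asks for instead of a one-off snapshot.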

Large healthcare facilities can afford to have a dedicated IT staff to manage their systems and to implement security controls, but smaller providers generally don’t and thus are more vulnerable to healthcare data breaches, Bashir said. 

"A once-off penetration test does not work anymore, due to the rate of change in contemporary system development and deployment," observed edgescan’s Keary.

"A penetration test is a snapshot of a point-in-time, which can change immediately after the assessment is done. Anything with an IP/Internet exposure is ripe for attack and needs to be monitored and assessed on a regular basis. It is also worth considering using encryption techniques to store such sensitive data where possible, but many medical devices do not have such a capability," he said.

Not protecting such data at rest appropriately is certainly a compliance issue, as regulations such as HIPAA and GDPR require such controls, he added.

Being compliant is important, but that does not guarantee complete security, Bashir pointed out.

"Security and compliance requirements play a vital role in providing security guidance and accountability. However, meeting compliance standards doesn't mean your data is 'secure' and often leads to a false sense of security. Technical implementation of recommended security requirements within compliance documentation is necessary, but it's also simply a baseline," he said.

"It is absolutely necessary to go above and beyond the compliance paper exercises and implement technical security controls and continuous monitoring," he added.
