Cyber-attacks that harvest data have been gaining momentum, increasing in destructiveness and targeting progressively higher-profile organisations. However, this is not a problem limited to consumer-facing corporations. All sectors are struggling with how to combat the sharp increase in cyber-crime. In late 2015 and early 2016, it became clear that healthcare facilities were an easy target for cyber-criminals. More than 113 million patient records have been swiped from hospitals and healthcare facilities across the globe – records that contain everything from personal details to billing information.
The healthcare industry holds far more ‘risky' and ‘valuable' personal data opportunities than many other sectors. A new report from IDC has shown that healthcare data could be five, ten or even 50 times more valuable than other forms of data. The typical data found within our medical records ranges from not only names and birth dates, but insurance details, diagnosis codes and in the US, billing information. Just one way that fraudsters use this data is to create fake IDs to buy medical equipment or drugs that can be resold. Medical identity theft is often not immediately identified by a patient, giving criminals years to ‘milk' such credentials – hence the assertion that medical data is more valuable than credit cards, which tend to be quickly cancelled once fraud is detected.
Cyber-attacks on healthcare are by no means a new phenomenon. In 2007 in the US people were worried that hackers might remotely stop the vice president's heart. Today, hackers are putting an entire hospital full of patients at risk for a ransom of just £12,000.
Demands – from cash to Bitcoin
Ransomware works in a not dissimilar way to real life ransoms. The criminal kidnaps someone of great importance to you and then demands money before you can see the person again. A typical cyber-ransomware attack starts when a person opens an emailed link or attachment. Malicious code then locks the computer — or, worse, an entire network. Victims must pay the hackers for a "key'' to unlock their machines. However, the ransom is not demanded in unmarked notes stuffed into a suitcase and left in a bin in an abandoned part of town. It's demanded in Bitcoin.
One reason hackers are attracted to ransomware is because it can be created with relative ease — do-it-yourself ransomware kits are readily available — and the return on investment can be strong. This is why the demands can seem low. The hackers could have demanded more than £12,000 but the relatively low amount means it's more likely to be paid. So it's no wonder that ransomware attacks are on the rise. And the healthcare industry presents itself as an easy target for cyber-criminals.
Safeguarding the healthcare industry
One fundamental weakness is that the healthcare industry is built on a legacy of archaic electronic security, which protects an increasing amount of online patient data. It's a gold mine for cyber-criminals. Hospitals and healthcare faculties are particularly susceptible because medical equipment will often run on old operating systems that cannot easily be safeguarded. If an employee opens an infected file from a computer that also connects with a patient monitoring station or insulin pump, those devices could also be locked.
Many new medical devices now create data that navigates over the cloud. Today's healthcare devices transmit data from the device straight to patient records stored in the hospital's network. Now imagine if that information was held or locked up thanks to ransomware. Think of not only the disruption to the healthcare system and patient care – but also the healthcare facility's reputation. How quickly would you pay the hacker's demands?
Protecting the future
Compared with many other industries, the healthcare industry has been borderline negligent when it comes to combating threats such as ransomware - despite the life-and-death nature of their operations. Securing the healthcare industry isn't all about budgets. It is also about the hyper-competitive healthcare device space and the need for equipment approval. Those whose primary approval function is to examine how safe a device is for humans are not concerned with cyber-security. But even though a device is safe for humans, it does not mean it is safe to be on the network. In relative terms, this is a very new threat. Add to that the complicated and longwinded nature of approval processes in healthcare and it takes much longer than other industries to move with the times with the latest security measures.
Now regulators, such as the FDA in the US, are offering guidance outlining important steps that medical device manufacturers should take to continually address cyber-security risks. It's a step in the right direction, but by no means a complete solution.
A simple yet effective protocol to reducing data breaches is to educate staff to be more aware of the sophisticated phishing and spear-phishing schemes being used to access sensitive data. This must be carried out across the entire industry and at all levels to have maximum effect. The best defence against a ransomware attack is knowing not to click on links and attachments that cannot be trusted. Detection systems and firewalls can help if a person does click — but once the ransomware is entrenched, if the system does not have good system backup practices, the choices boil down to paying or never regaining control. When lives hang in the balance, can we afford to risk it?
Contributed by Ian Trump, security lead, LOGICnow