With more and more hospitals and health care facilities, including those in India, moving their infrastructure to Cloud-enabled Internet of Things (IoT) environments, hackers see patients’ sensitive health data as their next big bet to make quick money. Is there a way out?
In May 2017, when the WannaCry ransomware cyber attack took down hospitals across the United Kingdom, causing them to lose access to patients’ sensitive health data, the world took notice. During the cyber attack, hospitals and clinics were forced to turn away patients in large numbers, including those suffering from serious ailments.
In the last two years, the growing breed of hackers has brought to the fore a seemingly worrisome possibility: What if critical patient data is hacked and healthcare providers are asked to “pay to get a life back” because ransomware can attack life-supporting medical devices?
The threat is real, especially at a time when health care facilities the world over, including in India, are installing Cloud-based Internet of Things (IoT) devices to make sense of critical health data. Billed as the Internet of Medical Things, this network is made up of smart, connected devices that automatically collect, process, and digitally relay information from the physical world through a shared network infrastructure.
When it comes to India, technological advancements are redefining products and enabling customization of services in the healthcare industry across the spectrum. Not just private hospitals but government health care facilities in India are now exploring how to leverage New-Age technologies like Robotics, Blockchain, 3D printing and artificial intelligence.
In such a scenario, Indian hospitals need more attention and preparedness for handling cyber threats like ransomware and malware attacks that may compromise patients’ sensitive data, as is happening all over the world. According to global cyber security firm Check Point’s 2019 Security Report, networked medical devices give healthcare professionals the ability to be much more accurate with their treatment regimens, far more efficient in administering care, and way quicker in collecting and responding to biomedical information.
With hospitals adopting New-Age technologies to make sense of patients’ data for quick analysis and charting out the future course of treatment, it becomes critical to safeguard the patients’ data.
Ransomware today accounts for 85 per cent of the malware in the healthcare industry. As the IoT ecosystem expands, so does the attack surface for cyber criminals.
In other words, the more hospitals rely on connected technology in our day-to-day lives, the more vulnerable they become to cyber threats that are increasingly tailored to exploit vulnerabilities and security design flaws in IoT devices at healthcare facilities.
In a recent blog post, Salwa Rafee, IBM Security Industry Leader (Public Sector), says that new cybersecurity threats are emerging in healthcare almost daily.
“Today, hackers target medical and IoT devices that provide, transmit, and access confidential data because they can exploit the fact that most manufacturers did not consider cybersecurity when designing those devices,” she writes.
All of this increases vulnerability to ransomware. Many healthcare providers are forced into paying to get their data back.
Attackers are getting more sophisticated, organized and less obvious as they attempt to snare staff and administrators with rapidly changing tools.
Therefore, security training and guidance are critical to minimize staff exposure to phishing attacks and malware intrusion, as is reasserting policy and penalties for staff with bad intentions.
Tech giant Microsoft, which aims to transform the healthcare sector through effective use of analytics-driven insights decoding the complex data available, is very seriously looking at securing the data.
For David Houlding, Principal Healthcare Programme Manager, Industry Experiences at Microsoft, healthcare is drowning in data. “Every patient brings a record that could span decades, with x-rays, MRIs, and other data that can affect every decision. Providers and payers bring their own collateral to the table. Skills, policies, and certifications are just the start,” he said in a blog post recently.
Global cyber security leader Sophos has also found that the healthcare industry in India is the most vulnerable and weak while implementing cyber security solutions for protecting IT infrastructure.
“The ‘State of Endpoint Security’ in Indian hospitals needs more attention and preparedness for handling cyber threats like ransomware and malware attacks,” emphasizes Sunil Sharma, Managing Director Sales at Sophos India and SAARC, adding that more and more advanced cyber threat actors are turning their attention to attacks against the healthcare sector.
The attacks are growing exponentially across the world. In July last year, the personal health data of 1.5 million people, almost a quarter of Singapore’s population, including the details of the city-state’s Prime Minister Lee Hsien Loong, was hacked. The hackers broke into the government health database in a deliberate, targeted and well-planned attack. The hack compromised patients’ names, identity card (NRIC) numbers, addresses, gender, race and dates of birth.
Following the hack, SingHealth temporarily banned staff from accessing the Internet on all 28,000 of its work computers.
According to IBM’s Rafee, finding the right security staff also poses many challenges to a healthcare organization. “Security is a competitive field and attracting the right talent with limited resources has proven to be difficult. Expanding your applicant pool to people with more diverse backgrounds is effective,” she advises.
Not just Singapore, Hong Kong’s Department of Health became the next big victim of a cyber attack after its computers were hit by ransomware which left data inaccessible.
In the meantime, the fifth annual Healthcare Breach Report published by Bitglass has found that the total number of records exposed in the healthcare sector globally rose to 11.5 million in 2018. On average, nearly 40,000 people were affected per breach, which is more than double the average number affected in 2017.
Is there any foolproof remedy against such malicious activities?
Sophos says that healthcare businesses need to move from traditional security software like antivirus and deploy sophisticated security solutions. “Given the speed at which IT threats are evolving and becoming more persistent and coordinated, it is a deep concern to see the adoption of the next-generation predictive technologies. While we all do our best to assure the integrity and confidentiality of sensitive data, the methods we use leave us with a staggering number of false positives and logs to manage.
“It is important for organizations to keep up in this dynamic world of IT threats. Organizations need effective anti-ransomware, anti-exploit, and deep learning technology to stay secure,” Sharma emphasizes.
Transparency is key. Reporting details of a breach to the public quickly and efficiently is now a requirement. “No organization wants the perception that they don’t disclose information that should be reported timely. I believe the public, and your patients, understand the risk that any organization is likely to be hacked or attacked at some level,” says Rafee.
Healthcare firms have made progress in bolstering their security and reducing the number of breaches over the last few years. “However, the growth in hacking and IT incidents does deserve special attention. As such, healthcare organizations must employ the appropriate technologies and cybersecurity best practices if they want to secure the patient data within their IT systems,” said Rich Campagna, CMO of Bitglass.
As you read this, an unauthorized user accessed a “limited number” of employee email accounts at UConn Health (a branch of the University of Connecticut), compromising personal data of more than 326,000 patients.
The US Department of Health and Human Services (HHS) reported that organisations paid out more than $28 million in settlement fees in 2018 – an all-time high in healthcare breach enforcement activity. “In October, the US health insurance provider agreed to pay a whopping $16 million and introduce ‘substantial corrective action’ following a series of cyber-attacks that led to the largest US health data breach in history,” said HHS.
The Cloud environment has changed the way companies manage, store and share their data, applications and workloads. Along with a wide range of benefits, though, the Cloud infrastructure also introduces a new, fertile and attractive environment for attackers who crave the enormous amount of available computing resources and sensitive data it holds.
“While we consider the cloud to be an organization’s weakest link, threats posed to them via their employees’ mobile and IoT devices are also to be taken seriously as one of many attack vectors from which sensitive data can be stolen or leveraged to launch an attack,” informs Check Point.
As cyber attacks grow and hackers aim at patients’ data to make quick money, what patients are carefully watching is how well healthcare providers are prepared to respond, mitigate future threats and move forward.
About the author
Meenakshi Iyer is a New Delhi-based freelance journalist covering health, technology and latest innovations. With more than 15 years of experience, she has worked with top media publications in the country.