Ransomware today accounts for 85 per cent of the malware in the healthcare industry. As the IoT ecosystem expands, so does the attack surface for cyber criminals.

In other words, the more hospitals rely on connected technology in our day-to-day lives, the more vulnerable these become to the cyber threats that are increasingly tailored to exploit vulnerabilities and security design flaws in IoT devices at healthcare facilities.

In a recent blog post, Salwa Rafee, IBM Security Industry Leader (Public Sector) says that new cybersecurity threats are emerging in healthcare almost daily.

“Today, hackers target medical and IoT devices that provide, transmit, and access confidential data because they can exploit the fact that most manufacturers did not consider cybersecurity when designing those devices,” she writes.

All of this increases vulnerability to ransomware. Many healthcare providers are forced into paying to get their data back.

Attackers are getting more sophisticated, organized and less obvious as they attempt to snare staff and administrators with rapidly changing tools.

Therefore, security training and guidance is critical to minimize staff exposure to phishing attacks and malware intrusion, as is reasserting policy and penalties for staff with bad intentions.

Tech giant Microsoft which aims to transform the healthcare sector through effective use of analytics- driven insights decoding the complex data available, is very seriously looking at securing the data.

For David Houlding, Principal Healthcare Programme Manager, Industry Experiences at Microsoft, healthcare is drowning in data. “Every patient brings a record that could span decades, with x-rays, MRIs, and other data that can affect every decision. Providers and payers bring their own collateral to the table. Skills, policies, and certifications are just the start,” he said in a blog post recently.

Global cyber security leader Sophos has also found that the healthcare industry in India is the most vulnerable and weak while implementing cyber security solutions for protecting IT infrastructure.

“The ‘State of Endpoint Security’ in Indian hospital needs more attention and preparedness for handling cyber threats like ransomware and malware attacks,” emphasizes Sunil Sharma, Managing Director Sales at Sophos India and SAARC, adding that more and more advanced cyber threat actors are turning their attention to attacks against the healthcare sector.

The attacks are growing exponentially across the world. In July last year, the personal health data of 1.5 million people, almost a quarter of the Singapore’s population, including the details of the city-state’s Prime Minister Lee Hsien Loong, was hacked. The hackers broke into the government health database in a deliberate, targeted and well-planned attack. The hack compromised patients’ names, identity card (NRIC) number, address, gender, race and dates of birth.

Following the hack, SingHealth temporarily banned staff from accessing the Internet on all 28,000 of its work computers. According to IBM’s Rafee, finding the right security staff also poses many challenges to a healthcare organization. “Security is a competitive field and attracting the right talent with limited resources has proven to be difficult. Expanding your applicant pool to people with more diverse backgrounds is effective,” she advises.

Not just Singapore, Hong Kong’s Department of Health became the next big victim of a cyber attack after its computers were hit by ransomware which left data inaccessible. In the meantime, the fifth annual Healthcare Breach Report published by Bitglass has found that total number of records exposed in the healthcare sector globally rose to 11.5 million in 2018. On average, nearly 40,000 people were affected per breach, which is more than double the average number affected in 2017.

Is there any full-proof remedy against such malicious activities?

Sophos says that healthcare business needs to move from traditional security software like antivirus and deploy sophisticated security solutions. “Given the speed at which IT threats are evolving and becoming more persistent and coordinated, it is a deep concern to see the adoption of the next- generation predictive technologies. While we all do our best to assure the integrity and confidentiality of sensitive data, the methods we use leave us with a staggering number of false positives and logs to manage.

“It is important for organizations to keep up in this dynamic world of IT threats. Organizations need effective anti-ransomware, anti-exploit, and deep learning technology to stay secure,” Sharma emphasizes. Transparency is key. Reporting details of a breach to the public quickly and efficiently is now a requirement. “No organization wants the perception that they don’t disclose information that should be reported timely. I believe the public, and your patients, understand the risk that any organization is likely to be hacked or attacked at some level,” says Rafee.

Healthcare firms have made progress in bolstering their security and reducing the number of breaches over the last few years. “However, the growth in hacking and IT incidents does deserve special attention. As such, healthcare organizations must employ the appropriate technologies and cybersecurity best practices if they want to secure the patient data within their IT systems,” said Rich Campagna, CMO of Bitglass. As you read this, an unauthorized user accessed a “limited number” of employee email accounts at UConn Health (branch of the University of Connecticut), compromising personal data of more than 326,000 patients.

The US Department of Health and Human Services (HHS) reported that organisations paid out more than $28 million in settlement fees in 2018 – an all-time high in healthcare breach enforcement activity. “In October, the US health insurance provider agreed to pay a whopping $16 million and introduce “substantial corrective action” following a series of cyber-attacks that led to the largest US health data breach in history,” said HHS. The Cloud environment has changed the way companies manage, store and share their data, applications and workloads. Along with a wide range of benefits, though, the Cloud infrastructure also introduces a new, fertile and attractive environment for attackers who crave the enormous amount of available computing resources and sensitive data it holds.“

While we consider the cloud to be an organization’s weakest link, threats posed to them via their employee’s mobile and IoT devices are also to be taken seriously as one of many attack vectors from which sensitive data can be stolen or leveraged to launch an attack,” informs Check Point. As cyber attacks grow and hackers aim patients’ data to make quick money, what patients are carefully watching is how well the healthcare providers are prepared to respond, mitigate future threats and move forward.

About the author

Meenakshi Iyer is a New Delhi-based freelance journalist covering health, technology and latest innovations. With more than 15 years of experience, she has worked with top media publications in the country.

In a recent healthcare conference, the people were unaware when I spoke about how on October 21, 2013, the former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless capabilities to thwart possible assassination attempts. To this, everyone had an issue on accountability. It remains unanswered that who would be liable, the doctor, hospital, company which provided pacemaker or the insurance company. Amidst all this, nobody was concerned about the patient as none present there questioned it. Maybe we are awaiting a major catastrophe to happen to put our minds to work. It is our endeavor to equip the healthcare community to this aspect of digital health.

Cybersecurity is a major concern for patient safety and healthcare infrastructure. The health records, data, hospital information system and individual medical devices are all targets. The vulnerability is in technology and lack of awareness of staff. There are many examples to quote wherein hospitals have become the victim of attacks. A recent audit of a corporate hospital in Delhi by our team revealed that 80% of equipment is vulnerable to cyber attack, thus, risking the patients. Healthcare providers are not sensitized to issue as required hence this magazine is dedicated to Cybersecurity. We have named it Cyber4Healthcare and even launched a training program in the healthcare domain to update knowledge of this extremely important topic. There is an immediate necessity that we invest in staff and equipment to make our systems robust enough to protect them from cyber-attacks.

We at InnovatioCuris always strive to sensitize the healthcare providers with new technologies and our next issue would focus on IoMT or connected healthcare which is overtaking the segment rapidly. However, we should always keep in mind that we are master of technologies and not the other way around. Can humane touch be replaced by technology? The trend nowadays is that we are leaving human ingenuity behind and are being heavily dependent on technology. There is a need to understand the benefits and challenges of newer devices, technology, and thinking. Let us consider how we can balance traditional to modern approach in today’s world and get the best of both worlds. Let our readers share their experiences by writing for the magazine to benefit all.

Ransomware epidemic is spreading in healthcare like wildfire due to its increasing digitalization which is and will attract more attention of hackers.

The healthcare industry has been a victim of various cyber attacks in the last few years. According to recent studies, healthcare has outnumbered financial services and become the most cyber attacked industry. The latest in cyber-attack is ransomware wherein the hacker encrypts the data and threatens to publish it until the ransom is paid in form of bitcoins. In US alone, healthcare industry was the victim of 88 per cent of all ransomware attacks across industries last year.

The recent case of WannaCry ransomware crippled the IT systems of NHS, UK. And after hitting NHS, it spread globally targeting more than 99 nations. The hackers demanded payment of £300 – £600 to unlock systems and have earned about £55,000 in ransom.

Ransomware has indeed become a lucrative revenue source for hackers due to which the number of attacks is predicted to quadruple by 2020. Medical records have 10-20 times more value than the credit card data in the internet black market. Ransomware epidemic is spreading in healthcare like wildfire due to its increasing digitalization which is and will attract more attention of hackers. Also, the vulnerability of the health data tends the organizations to pay the ransom to get the data back to maintain privacy and confidentiality of patient data.

Even after so many cases of cyber attacks compromising millions of electronic health records each year, the healthcare industry is inadequately prepared to prevent and resolve these attacks. Whether it is India or US, cyber security is always discussed in forums and budget is allocated for the same but is not put to proper use. Cyber attacks happen due to outdated security infrastructure or employee negligence.

Hospitals and insurance companies have been the main targets of hackers. But, a new vulnerability is catching everyone’s attention i.e. medical devices. The next nightmare in ransomware attacks could be hacking of medical devices such as insulin pumps, pacemakers, defibrillators, implants etc.

Disfunctioning of medical devices can be catastrophic. Just imagine, hackers take control of one’s pacemaker and ask for ransom or else they would manipulate the device which could be fatal. This kind of attack has been showcased in the very famous TV show Homeland wherein the Vice President dies due to hackers remotely disable his pacemaker.

Just like the serial, the former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless functionality due to fear of possible assassination attempts as revealed by him during an interview in 2013. This clearly showcases that medical devices can be the next target for hackers.

Regulators such as FDA are increasingly getting concerned about medical device security and have issued warning. In 2015, for the first time FDA issued safety notice to hospitals which strongly discouraged hospitals to use an infusion pump which was found to be vulnerable to cyber attacks. But it has been observed that FDA did not force the company to fix the devices being used in the hospitals and didn’t investigate other insulin pump models. This shows that FDA needs to be more stringent towards medical device security. The vulnerability of infusion pump was pointed out by a white hat hacker Billy Rios during his hospital stay.

Few of the medical device companies/providers have been proactive in strengthening their device security such as Johnson & Johnson in Oct 2016 warned 114,000 diabetic patients about a security lax that a hacker could exploit in one of its insulin pumps (J&J Animas OneTouch Ping). The hackers can disable or alter the dosage which could be fatal. J&J suggested ways to the patients for mitigating risk.

There have been no documented cases of medical device hacking till date but demonstrations have been conducted in research environment. One such example is of Barnaby Jack who succeeded in hacking an insulin pump and demonstrated giving off lethal dose of insulin without the pump alerting the user. Another example is that of St Jude Medical’s implantable devices such as pacemakers, defibrillators, and resynchronization devices. The radio frequency (RF) enabled St. Jude medical implantable cardiac device and corresponding Merlin@home Transmitter enables transmitting and receiving patient data stored on the device to the physician to monitor his health. But FDA reviewed the device and confirmed about cybersecurity vulnerabilities, if exploited, could be fatal.

Also, researchers at TrapX Security analysed three hospitals for medical device hacking. The deception technology was installed which utilized emulated medical devices in the hospitals. These emulated devices attract and trap hackers so that TrapX could trace the hackers activity. These fake medical devices such as Radiation Oncology system, LINAC , Fluoroscopy, PACS and Xray system appeared real to the hackers and TrapX could monitor hacker’s activity.

According to TrapX, these hospitals utilized older version of Windows that made it vulnerable and most medical devices did not have additional endpoint security software which made the attack undetectable. It was also noticed that the main goal of hackers was to steal medical records not to manipulate the device.

Another research at University of South Alabama showcased how they hacked pacemaker and killed a medical simulator called iStan. The $100,000 medical dummy comes equipped with robotics that mimic the human cardiovascular, respiratory, and neurological systems. The researchers could speed the heart rate up or could slow it down. Not only pacemaker, researchers could manipulate an insulin pump or a number of things that would cause life-threatening injuries or death. This clearly illustrates why medical device security is important.

With the advent of IoT, where devices are connected via internet should focus on cyber security. Industrial experts are realizing that cyber security is prime priority for all the devices connected to the internet.

Devices such as wearables, smart bed, smart emergency system, etc. are all lagging behind in cyber security. Apart from medical devices, surgical robots are not being scrutinized for cyber security. Just imagine, surgical robots been hacked which could lead to life threatening situation of the patient. One such demonstration has been showcased by researchers at University of Washington in 2015. They hacked a tele-operated surgical robot, Raven II. The experiment demonstrated three types of attacks that made telesurgery vulnerable with this robot. The researchers demonstrated how they took complete control over the robot and disrupted the operation.

All of this sounds scary but it can be prevented if we are well prepared. It is important to understand that not only regulators like FDA need not address the challenge of cyber security but also the medical device vendors and providers should take shared responsibility. It has been observed that providers point the device manufacturers to be accountable for cyber security for responding to vulnerabilities and providing fixes for the same.

On the other hand, the device vendors hold providers responsible for their negligence and having outdated network  protection. To be safe from such attacks, organisations should review their cyber defence strategies and budget. Also, employee training and awareness needs to be tackled to avoid falling for opening phishing mails and change passwords regularly.

It has also been observed that providers such as middle scale hospitals, clinics or laboratories have often overlooked cyber security as priority as they believe not much data is present with them and only the big organisations are in trouble. Which is not true, as hackers are aware of the precious financial and patient data these clinics hold and are aiming at clinics or small hospitals also to get the data. So, they should also focus on medical device security.

The next big thing in helping fight against cybersecurity is artificial intelligence (AI). According to some analysts, the advantage of using AI is it can help predict cyber attack before it happens with the use of behaviour analysis. It alerts security team on any behaviour deviation or authentication failures while accessing records. AI not only helps in detecting threats quickly but it is also cost efficient compared to the money paid by companies in ransom. It does not replace security tools but acts as an additional layer of security. AI can also help in analysing employee behaviour for avoiding any internal security breach. AI can help in bridging the shortage of skilled cyber security professionals also. According to Centre for Cyber Safety and Education, there is a shortfall of 1.8 million cyber security professionals by 2022 worldwide. Companies such as IBM are already investing in AI system Watson for cyber security.

Also start-ups such as Cognetyx are providing cognitive cyber surveillance solution to healthcare organizations. Use of AI for cyber security in other areas has been showcased, for example, the Las Vegas city officials and UK government to monitor their Public Services Network and protect their records from security threats. Whereas, the successful implementation of AI in healthcare cyber security is yet to happen.

The next wave of medical device cyber attacks can be prevented by collaborative approach and commitment from all the stakeholders. Not only the healthcare organizations should make sure their security practices and strategies are updated but the government should also help in skill development of cyber security professionals and encourage more research on medical device security by providing medical device at low cost. Since medical devices are expensive and require license, it makes it difficult for researchers to explore this area. At the end, we should not forget that we have to stay a step ahead of hackers to be a hard target for them.

Want to write for InnoHEALTH? send us your article at  magazine@innovatiocuris.com

Read all the issues of InnoHEALTH magazine:
InnoHEALTH Volume 1 Issue 1 (July to September 2016) – https://goo.gl/iWAwN2 
InnoHEALTH Volume 1 Issue 2 (October to December 2016) – https://goo.gl/4GGMJz 
InnoHEALTH Volume 2 Issue 1 (January to March 2017) – https://goo.gl/DEyKnw 
InnoHEALTH Volume 2 Issue 2 (April to June 2017) – https://goo.gl/Nv3eev
InnoHEALTH Volume 2 Issue 3 (July to September 2017) – https://goo.gl/MCVjd6

Connect with InnovatioCuris on:
Facebook: https://www.facebook.com/innovatiocuris
Twitter: https://twitter.com/innovatiocuris
Linkedin: https://www.linkedin.com/groups/7043791
Stay update about IC by visiting: www.innovatiocuris.com