The number of ransomware and other malware attacks is rising incredibly fast in the healthcare industry, putting human lives as well as critical data at risk.One of the key aspects making healthcare organizations a top target is the value of their data. Commonly, a single stolen credit card number yields an average $2,000 profit and quickly becomes worthless. Healthcare data, however, such as PHI or PII, is extremely valuable on the black market.

A single PHI file, for example, can yield a profit of up to $20,000. This is mainly because it can take weeks or months for a healthcare data breach to be discovered, enabling cyber criminals to extract much more valuable data. Moreover, because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change, so thieves can take advantage of it fora longer period of time.

Data breaches cost the healthcare industry approximately $5.6 billion every year, according to Becker’s Hospital Review. The Breach Barometer Report: Year in Review additionally found that there was an average of at least one health data breach per day in 2016, attacks that affected more than 27 million patient records.

The continued under investment in cybersecurity has left many so exposed that they are unable to even detect cyber attacks when they occur. While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again.

As organizations seek to protect their patient information from these growing threats, demand for health informatics professionals who are familiar with the current state of cybersecurity in healthcare is on the rise.

“So, What is Wrong With the Picture?”

The base question to ask is “Who would be interested in hacking patient data?” It is precisely this attitude together with the rat eat which healthcare refreshes its technology that exposes healthcare organizations to a high risk of cyber-attack. The fact that makes the industry appealing to hackers: ransom for money;denial of service for malice and money; stealing confidential data;compromising data; identity theft and compromising devices. The scale of disruption and impact to busy healthcare settings already operating at capacity caused by a cyber-attack needs no explanation. The reality covers the four main domains:

• Leadership: Ownership of the issue
• Culture/Staff responsibility/awareness: Training and awareness of cybersecurity and its related implications
• Policies and procedures: Understanding of business continuity processes and incident response procedures
• General cybersecurity knowledge: Use of fundamental security processes that are currently followed within the organization to mitigate security breaches, e.g., use of USB, on- and off-boarding processes, password policies,organizational asset register,and so on.

The Challenges
The newest cyber vulnerabilities are not necessarily an organization’s biggest cyber threat. Consequently, many common threats continue to be problematic in healthcare, including:

• Malware and ransomware: Cyber criminals use malware and ransomware to shut down individual devices, servers or even entire networks. In some cases, a ransom is then demanded to rectify the encryption.
• Cloud threats: An increasing amount of protected health information is being stored on the cloud. Without proper encryption, this can be a weak spot for the security of healthcare organizations.
• Misleading websites: Clever cyber criminals have created websites with addresses that are similar to reputable sites. Some simply substitute .com for .gov, giving the unwary user the illusion that the websites are the same.
• Phishing attacks: This strategy sends out mass amounts of emails from seemingly reputable sources to obtain sensitive information from the users.
• Encryption blind spots: While encryption is critical for protecting the health data, it can also create blind spots where hackers can hide from the tools meant to detect breaches.
• Employee error: Employees can leave healthcare organizations susceptible to attack through weak passwords, unencrypted devices and other failures of compliance.

Another growing threat in healthcare security is found in medical devices. As pacemakers and other equipment become connected to the internet, they face the same vulnerabilities as other computer systems.

How are Hackers Achieving this, You Would Ask?

Hackers usually access information in one of two ways. They can try‘social hacking’, which means tricking a human being into giving oversensitive information or security credentials which in turn allows access to sensitive information. This could happen by tricking either someone who works directly for the provider, or an outside contractor. An unsophisticated example could be, ‘Hi, I am an IT provider for your company, and I need to carry out some maintenance, could you please provide these sensitive details for me?’. The second way is brute force:directly attacking a security system.

Once Hackers Get Access to The Data, What Do They Do with It?

In some cases, hackers access sensitive data, extract it, and lock it off. They can then sell it back to the company. If the company does not have backups, buying it back is probably the only viable option. The alternative is for them to lose all records of their patients which they will never be able to replace.Another possibility, is hackers stealing data and selling it to the public. The information may be sold to criminal groups on the dark web who wish to use sensitive information for blackmail or fraud purposes.

What Can the Healthcare Industry Do to Mitigate Cyber Threats?

The industry must realize that cybersecurity is human-centric. Gaining insight into the users’ behavior, for example, or the flow of data in and out of the organization improves risk response.

Additionally, the industry should be aware that cybersecurity isn’t just the responsibility of the IT department: everyone should be aware of the risks, from management down to brand-new contract staff.

Healthcare security professionals need to understand the threats they face and the regulations they must comply with, and they must be provided with best practices for strengthening cybersecurity defenses. This means implementing comprehensive security awareness training that educates all people on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in case of an active exploit. And since the threat landscape is constantly changing, training should be repeated and updated regularly.

Furthermore, implementing the right cybersecurity measures, such data loss prevention, user behavior analytics, and endpoint security technologies, will further protect an organization’s infrastructure and patient data from ransomware attacks. By creating a system that guards the human point — where people interact with critical business data and intellectual property — and takes into account the intersection of users, data, and networks, the healthcare industry can improve its cyber threat protection.

In Simple Terms: How Do We Improve Cybersecurity?

Due to the significant financial impact of data breaches in healthcare, health informatics and other professionals need to play an important role in ensuring that medical organizations remain secure. Individual healthcare organizations can improve their cybersecurity by implementing the following practices:

• Establish a security culture: Ongoing cybersecurity training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.
• Protect mobile devices: An increasing number of health care providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.
• Maintain good computer habits: New employee on boarding should include training on best practices for computer use, including software and operating system maintenance.
• Use a firewall: Anything connected to the internet should have a firewall.
• Install and maintain anti-virus software: Simply installing anti-virus software is not enough. Continuous updates are essential for ensuring health care systems receive the best possible protection at any given time.
• Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organizations must consider storing this backed-up information away from the main system if possible.
• Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.
• Use strong passwords and change them regularly: The Verizon report found that 63 percent of confirmed data breaches involved taking advantage of passwords that were the default, weak or stolen. Healthcare employees should not only use strong passwords, but ensure they are changed regularly.
• Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.
• Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.

How to Defend Against the Growing Threat?
Deterrence, prevention, detection and response all have their place.

Prevention is preferable to detection and reaction. But without data collection, an organization cannot successfully detect or react to anything.

Alerts or alarms should be designed to detect event sequences with potentially negative consequences. Statistical and anomaly detection methods are particularly good for these purposes, as are rule-based detection mechanisms.

Security information and event management or log management tools can augment data collection efforts.

In addition to deploying technology tools to help defend against and detect intrusions, it’s important to formally define roles and responsibilities for incident response. Organizations need to document procedures that specify what the response team should do if there’s an incident and test those procedures periodically.

It’s not just one technology, it is multiple technologies in order to repel these highly sophisticated and organized attacks. That includes deploying SIEM, as well as multi factor authentication to enter critical systems.

The Internet is increasingly a swamp. It’s no longer sufficient to just look at standard security logs. You need integrated security information event management that brings together network logs, users log, application logs and server logs, and looks for non obvious associations.

In Conclusion

To improve cybersecurity in health care, organizations need to hire informatics professionals who not only collect, manage and leverage data, but protect it as well. In addition, health data professionals need to on a continuous basis develop new strategies and best practices to ensure the safety of sensitive health data, protecting both the patient and organization from financial loss and other forms of harm.We know that reaching 100% security against cyber attacks is not realistic but, with a few steps, healthcare organizations can make sure that it’s too complex or unprofitable for threat actors to attack them, which will result in them moving on to another target.

About the author

Kris Seeburn is an enterprise trainer and a member of Advisory Board of The New Security Foundation, Member of The American College of Forensic Examiners & Institute of Forensics Science

Where India stands today?

According to the International Telecommunication Union (ITU), a UN telecommunications agency, India ranked 23rd amongst 165 nations on the Global Cybersecurity Index (GCI) in 2017. GCI ranks nations for their commitment towards cybersecurity using various measures – legal, technical, organizational, capacity building, and cooperation. With the rapid rise in cyber threats, India’s growing investment in protecting its data is absolutely a positive development. Nevertheless, a quick look at the current status on cybersecurity and data protection laws in India highlights the gap we must fill in as we move towards complete digitizing of various infrastructures in the 21st century.

For instance, it was last in 2000 when the legal provisions related to cybersecurity were formulated in the Information Technology Act (ITA) when the nature of threats revolved only around viral or malware attacks. The ITA was later amended in 2008 and now deals with cyber crimes such as hacking, tampering, data or identity theft, cheating, phishing, etc. Sections 43 and 63–74 provide provisions for civil and criminal prosecution in case of different cyber offenses. The ITA requires entities holding private data of users to maintain specified security standards and provides provisions to users for airing grievances in case of the data breach.

India established its first cybersecurity policy – the National Cyber Security Policy (NCSP), in 2013, after much mayhem caused by Edward Snowden’s allegations of NSA snooping on India. The policy designated CERT-In (Indian Computer Emergency Response Team), a national nodal agency to respond to and analyze incidents of cybersecurity breaches. CERT-In provides alerts of cybersecurity incidents, conducts emergency measures for handling such incidents, coordinates necessary response activities and issues guidelines, etc., regarding cybersecurity measures. In the case of a data breach, an organization holding confidential user data must report to CERT-In promptly.

Also Read:
Cyber4Healthcare: An Issue of Today & Tomorrow
DISHA – Need of the hour

Healthcare specific provisions

While the above-mentioned regulations provide a general legal cybersecurity framework for all the organizations, no separate provisions are in place viz a viz the healthcare sector. India decided to fill in this gap last year when the Ministry of Health and Family Affair, the Government of India proposed the Digital Information Security in Healthcare Act (DISHA) and placed it in public domain on 21 March 2018 for comments by various stakeholders. DISHA aims to ensure reliability, data privacy, confidentiality, and security of digital health data. The act, applicable to entire India except for Jammu and Kashmir, establishes eHealth Authorities and Health Information Exchanges at the state and national levels while also outlining the guidelines on standardizing/ regulating the processes related to the collection, storing, transmission and use of digital health data (DHD) in India.

Accordingly, DHD means any electronic record of health-related information

• concerning the physical or mental health of a person
• on any health service provided to an individual
• on a donation of any body part of any bodily substance
• derived from testing or examination of a body part or bodily substance
• collected during providing health services
• relating to details of the clinical establishment accessed by a person

DISHA also specifies the rights of the owner of digital health data, outlines the purposes for which DHD can be collected and explicitly mentions all clinical establishments holding DHD to be duty-bound in maintaining privacy and confidentiality of the patient’s data. Importantly, DISHA touches upon what constitutes a breach of digital health data, compensation in the event of one happening and what punishments an individual or a company might face if convicted of a cybercrime.

Marching ahead

The breach of data far more often in the healthcare sector compared to other sectors highlights the value of information stored in digital health records. It is, therefore, important that cybersecurity takes precedence for all the healthcare providers. Proactive measures include identifying likely targets, securing and updating systems in a timely manner, constant monitoring for malware or security breaches and reinforcing good user behavior among the employees. Similarly, the response to data breach incidents needs to be swift to minimize the extent of damage when a cybercrime occurs. Like the adage, ‘prevention is better than cure’, the healthcare providers also have a necessary task ahead of themselves to up their security measures in accordance with the current legal framework, before a patient’s data or the trust gets compromised.

About the author

Dr. Urvashi (Raheja) Bhattacharyya is a Senior Research Analyst at StudyMode. She indulges in machine-learning methods during office hours and enjoys writing about healthcare and education in her free time.

Introduction

The famous Silicon Valley investor Marc Andreessen says, “software is eating the world”. By, which he means that increasingly we are bringing software into systems to increase efficiency, lower down the cost or time involved in the process. Interestingly, humans also do software writing and humans are prone to make mistakes. It is estimated by various experts that 1000 lines of code (KLoC) has approximately 15-50 bugs present. Bugs here mean mistakes made by the software programmer while writing the software code. Bugs often result in some kind of malfunction or wrong output. Some of these bugs can lead to exploit by a third party making the larger system vulnerable or as we call hackable. As long as humans will write software, bugs will be there.

In a typical software company as bugs are discovered, new code is written to fix these bugs. The new code might further result into new bugs hence the cycle continues. At the consumer end, we keep receiving software updates over the air, as we use our phone / laptops or other devices, which are many times an attempt of the software company to overcome the past mistakes.

A lone computer hacker or an organized crime group looks at these software updates (sometimes called patches) very curiously as for them this could be a chance of hitting the jackpot! They reverse engineer it and try to understand the bug, that the patch is trying to cover. Very often systems are not updated with latest updates. Leading to most system having a known vulnerability, which the hacker can take advantage after understanding it well. Hackers further can create a simple script (programming code snippet) to some sophisticated software, which can then take advantage of the vulnerable system. We often call such a program as malware, as it is built with bad intention.

Today, as we talk it has become from a hobby crime to organized crime! Software companies regularly receive communication from bounty hunters about exposing their critical software bugs and in exchange not to do so, hackers want to charge them bounty money. Some software companies have gone further and engaged these bounty hunters to reduce security risks in their software.

In some cases the hacker is not interested in the bounty money (hence they do not inform the software maker) but rather interested in exploiting the bug. Sometimes, the bug is not known to the software maker or anyone else in the world and can be converted into a lethal attack. Such attacks are known as a zero day attack! As prior knowledge of such a vulnerability does not exist. Hence, most software security solutions, like anti virus software do not work on them. Further selling the knowledge of exploit as lethal software is now called as a cyber weapon. Nation states are now engaged in buying or building such software to infect systems of enemy states. Hence, we have come very far in the business of software bugs, where the enemy could be a lone developer, an organized crime group or a Nation state.

How is software eating the health sector and the threats linked to it?

In the above section we discussed in general, how the exploitation of software is increasingly becoming a serious business. While, we have seen many examples in last 30 years from a hobby software programmer to Nation states taking advantage of the software driven vulnerabilities. We would like to share some examples closer to the health sector.

1. Malware affecting data systems

Hospital information systems and similar information systems as part of the healthcare delivery have become very commonplace and one of the core component of the system. As pointed out in the introductory section, organized crime groups are now looking to exploit software bugs for commercial purposes. One of the ingenious way that they have developed is a malware known as ransomware . Ransomware is a malicious computer program which when executed on a system encrypts the data with very strong encryption making it unusable for hospitals or any other care provider to access patient records or other vital information. It then demands a ransom inform of bitcoins (a crypto currency) in order for the victim to have the key to decrypt the vital information. In recent incidents of ransomware infection, some hospitals in USA have even demanded millions of dollars as ransom and some have even paid.

The mitigation strategy for countering ransomware for any organization would be a strong backup of data. Also, creating awareness among the employees on sources of malware and reducing the chances of accidental infection of the workplace systems.

The long-term solution of tackling such organized crime is a better international legal framework, which allows international prosecution and cooperation among law enforcement agencies.

2. Denial of service attacks on ehealth services

In 2007 there was a distributed denial of service attack that took place in Estonia. A statue of the Russian soldier was removed from the Tallinn Square, capital of the country. Which sparked a response from sympathizers from Russia and it brought down the Estonian economy for three days. Estonia being one of the most advance countries when it comes to take up of e governance services, ehealth being one of them. The entire attack costed less than 50,000 US dollars. That was the first Denial of service attack the world saw at the level of a nation state.

The basic premise behind such an attack is that you have a service (e-service) to be provided to citizens over Internet like their own health records for example. The provider would have some finite amount of bandwidth and computing power at the backend of the service correlating to the average load on the service. In a distributed denial of service attack, the attacker uses compromised computing devices (commonly known as a bot) to access the Internet service. The botnet, which is a collection of such bots could be having thousands or millions of such devices that simultaneously access the service. The service provider is not able to distinguish the normal traffic from the bot traffic and often the server crashes under the heavy load. For a normal user trying to access the service, the service is unavailable because of the finite resources of the server being exhausted by the bot traffic. Hence, it is called a denial of service attack.

Hence, when a city, state or a nation is considering providing an eservice to citizens it could witness such attacks. One strategy to mitigate such attacks is to have tracking of the server traffic for any anomalies and having redundancy available in the system. This is achieved many times by putting the service on a cloud, which can tolerate such traffic fluctuations.

3. Data leak and breaches

Many health systems or systems require some kind of authentication mechanism to log in to the system in order to access the service. Many a times these are text password based systems behind which, important patient profile or health records information is stored. The largest of the companies like that of Google, Microsoft etc have seen attacks where the attacker is able to leak the passwords of millions of their customers. Such scenarios result in massive breach of data privacy and compromise for customers.

Good security practices, proper encryption of data and regular updates of the system are some of the key considerations for avoiding such instances. Nowadays, two-factor authentication has become a standard practice for making the authentication systems more robust. However, still some user awareness is needed to opt for better security practices whenever possible.

4. Hacking medical devices and health system

If we look at the building blocks of the health systems, where information technology is deeply integrated. We have already covered the health information systems, eservices and patient interface of authentication into the services. However, increasingly we hear about Internet of Things (IoT) devices in the health sector domain. Which means the integration of Internet services into traditional medical devices or new age devices, which have also connectivity. For example, a thermometer which can send the temperature data to your phone or a stethoscope which can record the patient breathing sound and upload in a server for finding patterns of lung diseases. These are powerful use cases and provide great opportunity to clinicians and care providers, where they have greater computation power available to them and they are able to do more with less. However, these IoT devices are prone to the same kind of attacks as any other communication device or a software program. They can be compromised to show wrong values and totally messing up the diagnosis. There are already such instances. One such instance not related to health sector but important is of the Stuxnet. Stuxnet was designed for the SCADA systems of Iranian nuclear program by USA and Israel in order to delay their nuclear program.

5. Stealing identity information

As mentioned in the point 3, about data leaks and breaches at the system level. One problem, which can arise from such an attack, is a further more damaging attack that is stealing of identity information. In India, mobile phones to receive an sms message containing one time password is increasingly becoming a standard practise because of being cost effective, simple and secure. Any such application, which you may install on your phone, can also get access to the sms and other features of your phone. Meaning the incoming sms or calls can also be stolen by this application to complete the transaction on your behalf. As increasingly we have to prove ourselves using biometrics or passwords to online systems. It is possible for the attackers to steal these credentials and access our records without our knowledge. Hence, any third party applications that we install on our devices (especially phone) , we need to be very careful about the type of access control they have on our devices.

6. Implantable medical devices with communication interfaces:

In 2007, the former US Vice President, Dick Cheney’s implanted pacemaker’s wireless communication was disabled fearing a terrorist attack. This sounds like science fiction to many but incident has already happened ten years back! Many of the medical devices are built with a communication interface and it is quite normal for a typical pacemaker or other such devices to have a Bluetooth or a similar communication technology based interface for remote diagnosis and other purposes. While, the communication ability of such a device was planned for looking at the state of the pacemaker it was not designed with keeping security in mind. Hence, it is possible that someone can connect to a critical device like pacemaker and shuts it down remotely.

One more reason that such exploits are possible increasingly as computing is becoming cheaper. What seems strong security today might not be strong tomorrow. However, an implantable device might stay in the patient’s body for tens of years. Hence, we need to have a long-term view on the communication interfaces and their capabilities on such devices. We need to make considerations on control and information capabilities of these interfaces. Misuse of control capabilities can lead to even death and misuse of information capabilities can lead to breach of patient privacy.

Way forward: why Internet is the new breeding ground for crime?

The law of the land governs the Internet in every country and hence the legal regime globally is very fragmented. However, a user of Internet does not see any borders or walls and so is the criminal. They build their criminal businesses where they do not fear strict government action and often for paltry sums the user or the national law enforcement agencies do not pursue the criminal cases cross border.

On top of it newer crypto currencies like Bitcoins, makes it easy to make such transaction in an anonymous manner. Dark net marketplaces provide a breeding ground for criminals to conduct illegal transactions of billions of dollars without getting caught. So, the three important components, weak legal enforcement, anonymous currency and secret marketplaces are enabling the cyber crime to flourish. If we want to slow it down, we will need greater international collaboration among lawmakers and user awareness at all levels.

Reference:
(i) https://www.wsj.com/articles/SB10001424053111903480904576512250915629460
(ii) http://labs.sogeti.com/how-many-defects-are-too-many/
(iii) https://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net/transcript?language=en
(iv) https://hackerone.com
(v) https://en.wikipedia.org/wiki/Zero-day_(computing)
(vi) https://en.wikipedia.org/wiki/Cyberweapon
(vii) https://en.wikipedia.org/wiki/Ransomware
(viii) https://en.wikipedia.org/wiki/Bitcoin
(ix) http://www.csoonline.com/article/3033160/security/ransomware-takes-hollywood-hospital-offline-36m-demanded-by-attackers.html
(x) https://www.theguardian.com/technology/2016/feb/17/los-angeles-hospital-hacked-ransom-bitcoin-hollywood-presbyterian-medical-center
(xi) http://innovatiocuris.com/looming-danger-of-ransomware/
(xii) http://www.bbc.com/news/technology-24608435

Want to write for InnoHEALTH? send us your article at  magazine@innovatiocuris.com