Ransomware today accounts for 85 per cent of the malware in the healthcare industry. As the IoT ecosystem expands, so does the attack surface for cyber criminals.

In other words, the more hospitals rely on connected technology in our day-to-day lives, the more vulnerable these become to the cyber threats that are increasingly tailored to exploit vulnerabilities and security design flaws in IoT devices at healthcare facilities.

In a recent blog post, Salwa Rafee, IBM Security Industry Leader (Public Sector) says that new cybersecurity threats are emerging in healthcare almost daily.

“Today, hackers target medical and IoT devices that provide, transmit, and access confidential data because they can exploit the fact that most manufacturers did not consider cybersecurity when designing those devices,” she writes.

All of this increases vulnerability to ransomware. Many healthcare providers are forced into paying to get their data back.

Attackers are getting more sophisticated, organized and less obvious as they attempt to snare staff and administrators with rapidly changing tools.

Therefore, security training and guidance is critical to minimize staff exposure to phishing attacks and malware intrusion, as is reasserting policy and penalties for staff with bad intentions.

Tech giant Microsoft which aims to transform the healthcare sector through effective use of analytics- driven insights decoding the complex data available, is very seriously looking at securing the data.

For David Houlding, Principal Healthcare Programme Manager, Industry Experiences at Microsoft, healthcare is drowning in data. “Every patient brings a record that could span decades, with x-rays, MRIs, and other data that can affect every decision. Providers and payers bring their own collateral to the table. Skills, policies, and certifications are just the start,” he said in a blog post recently.

Global cyber security leader Sophos has also found that the healthcare industry in India is the most vulnerable and weak while implementing cyber security solutions for protecting IT infrastructure.

“The ‘State of Endpoint Security’ in Indian hospital needs more attention and preparedness for handling cyber threats like ransomware and malware attacks,” emphasizes Sunil Sharma, Managing Director Sales at Sophos India and SAARC, adding that more and more advanced cyber threat actors are turning their attention to attacks against the healthcare sector.

The attacks are growing exponentially across the world. In July last year, the personal health data of 1.5 million people, almost a quarter of the Singapore’s population, including the details of the city-state’s Prime Minister Lee Hsien Loong, was hacked. The hackers broke into the government health database in a deliberate, targeted and well-planned attack. The hack compromised patients’ names, identity card (NRIC) number, address, gender, race and dates of birth.

Following the hack, SingHealth temporarily banned staff from accessing the Internet on all 28,000 of its work computers. According to IBM’s Rafee, finding the right security staff also poses many challenges to a healthcare organization. “Security is a competitive field and attracting the right talent with limited resources has proven to be difficult. Expanding your applicant pool to people with more diverse backgrounds is effective,” she advises.

Not just Singapore, Hong Kong’s Department of Health became the next big victim of a cyber attack after its computers were hit by ransomware which left data inaccessible. In the meantime, the fifth annual Healthcare Breach Report published by Bitglass has found that total number of records exposed in the healthcare sector globally rose to 11.5 million in 2018. On average, nearly 40,000 people were affected per breach, which is more than double the average number affected in 2017.

Is there any full-proof remedy against such malicious activities?

Sophos says that healthcare business needs to move from traditional security software like antivirus and deploy sophisticated security solutions. “Given the speed at which IT threats are evolving and becoming more persistent and coordinated, it is a deep concern to see the adoption of the next- generation predictive technologies. While we all do our best to assure the integrity and confidentiality of sensitive data, the methods we use leave us with a staggering number of false positives and logs to manage.

“It is important for organizations to keep up in this dynamic world of IT threats. Organizations need effective anti-ransomware, anti-exploit, and deep learning technology to stay secure,” Sharma emphasizes. Transparency is key. Reporting details of a breach to the public quickly and efficiently is now a requirement. “No organization wants the perception that they don’t disclose information that should be reported timely. I believe the public, and your patients, understand the risk that any organization is likely to be hacked or attacked at some level,” says Rafee.

Healthcare firms have made progress in bolstering their security and reducing the number of breaches over the last few years. “However, the growth in hacking and IT incidents does deserve special attention. As such, healthcare organizations must employ the appropriate technologies and cybersecurity best practices if they want to secure the patient data within their IT systems,” said Rich Campagna, CMO of Bitglass. As you read this, an unauthorized user accessed a “limited number” of employee email accounts at UConn Health (branch of the University of Connecticut), compromising personal data of more than 326,000 patients.

The US Department of Health and Human Services (HHS) reported that organisations paid out more than $28 million in settlement fees in 2018 – an all-time high in healthcare breach enforcement activity. “In October, the US health insurance provider agreed to pay a whopping $16 million and introduce “substantial corrective action” following a series of cyber-attacks that led to the largest US health data breach in history,” said HHS. The Cloud environment has changed the way companies manage, store and share their data, applications and workloads. Along with a wide range of benefits, though, the Cloud infrastructure also introduces a new, fertile and attractive environment for attackers who crave the enormous amount of available computing resources and sensitive data it holds.“

While we consider the cloud to be an organization’s weakest link, threats posed to them via their employee’s mobile and IoT devices are also to be taken seriously as one of many attack vectors from which sensitive data can be stolen or leveraged to launch an attack,” informs Check Point. As cyber attacks grow and hackers aim patients’ data to make quick money, what patients are carefully watching is how well the healthcare providers are prepared to respond, mitigate future threats and move forward.

About the author

Meenakshi Iyer is a New Delhi-based freelance journalist covering health, technology and latest innovations. With more than 15 years of experience, she has worked with top media publications in the country.

The number of ransomware and other malware attacks is rising incredibly fast in the healthcare industry, putting human lives as well as critical data at risk.One of the key aspects making healthcare organizations a top target is the value of their data. Commonly, a single stolen credit card number yields an average $2,000 profit and quickly becomes worthless. Healthcare data, however, such as PHI or PII, is extremely valuable on the black market.

A single PHI file, for example, can yield a profit of up to $20,000. This is mainly because it can take weeks or months for a healthcare data breach to be discovered, enabling cyber criminals to extract much more valuable data. Moreover, because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change, so thieves can take advantage of it fora longer period of time.

Data breaches cost the healthcare industry approximately $5.6 billion every year, according to Becker’s Hospital Review. The Breach Barometer Report: Year in Review additionally found that there was an average of at least one health data breach per day in 2016, attacks that affected more than 27 million patient records.

The continued under investment in cybersecurity has left many so exposed that they are unable to even detect cyber attacks when they occur. While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again.

As organizations seek to protect their patient information from these growing threats, demand for health informatics professionals who are familiar with the current state of cybersecurity in healthcare is on the rise.

“So, What is Wrong With the Picture?”

The base question to ask is “Who would be interested in hacking patient data?” It is precisely this attitude together with the rat eat which healthcare refreshes its technology that exposes healthcare organizations to a high risk of cyber-attack. The fact that makes the industry appealing to hackers: ransom for money;denial of service for malice and money; stealing confidential data;compromising data; identity theft and compromising devices. The scale of disruption and impact to busy healthcare settings already operating at capacity caused by a cyber-attack needs no explanation. The reality covers the four main domains:

• Leadership: Ownership of the issue
• Culture/Staff responsibility/awareness: Training and awareness of cybersecurity and its related implications
• Policies and procedures: Understanding of business continuity processes and incident response procedures
• General cybersecurity knowledge: Use of fundamental security processes that are currently followed within the organization to mitigate security breaches, e.g., use of USB, on- and off-boarding processes, password policies,organizational asset register,and so on.

The Challenges
The newest cyber vulnerabilities are not necessarily an organization’s biggest cyber threat. Consequently, many common threats continue to be problematic in healthcare, including:

• Malware and ransomware: Cyber criminals use malware and ransomware to shut down individual devices, servers or even entire networks. In some cases, a ransom is then demanded to rectify the encryption.
• Cloud threats: An increasing amount of protected health information is being stored on the cloud. Without proper encryption, this can be a weak spot for the security of healthcare organizations.
• Misleading websites: Clever cyber criminals have created websites with addresses that are similar to reputable sites. Some simply substitute .com for .gov, giving the unwary user the illusion that the websites are the same.
• Phishing attacks: This strategy sends out mass amounts of emails from seemingly reputable sources to obtain sensitive information from the users.
• Encryption blind spots: While encryption is critical for protecting the health data, it can also create blind spots where hackers can hide from the tools meant to detect breaches.
• Employee error: Employees can leave healthcare organizations susceptible to attack through weak passwords, unencrypted devices and other failures of compliance.

Another growing threat in healthcare security is found in medical devices. As pacemakers and other equipment become connected to the internet, they face the same vulnerabilities as other computer systems.

How are Hackers Achieving this, You Would Ask?

Hackers usually access information in one of two ways. They can try‘social hacking’, which means tricking a human being into giving oversensitive information or security credentials which in turn allows access to sensitive information. This could happen by tricking either someone who works directly for the provider, or an outside contractor. An unsophisticated example could be, ‘Hi, I am an IT provider for your company, and I need to carry out some maintenance, could you please provide these sensitive details for me?’. The second way is brute force:directly attacking a security system.

Once Hackers Get Access to The Data, What Do They Do with It?

In some cases, hackers access sensitive data, extract it, and lock it off. They can then sell it back to the company. If the company does not have backups, buying it back is probably the only viable option. The alternative is for them to lose all records of their patients which they will never be able to replace.Another possibility, is hackers stealing data and selling it to the public. The information may be sold to criminal groups on the dark web who wish to use sensitive information for blackmail or fraud purposes.

What Can the Healthcare Industry Do to Mitigate Cyber Threats?

The industry must realize that cybersecurity is human-centric. Gaining insight into the users’ behavior, for example, or the flow of data in and out of the organization improves risk response.

Additionally, the industry should be aware that cybersecurity isn’t just the responsibility of the IT department: everyone should be aware of the risks, from management down to brand-new contract staff.

Healthcare security professionals need to understand the threats they face and the regulations they must comply with, and they must be provided with best practices for strengthening cybersecurity defenses. This means implementing comprehensive security awareness training that educates all people on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in case of an active exploit. And since the threat landscape is constantly changing, training should be repeated and updated regularly.

Furthermore, implementing the right cybersecurity measures, such data loss prevention, user behavior analytics, and endpoint security technologies, will further protect an organization’s infrastructure and patient data from ransomware attacks. By creating a system that guards the human point — where people interact with critical business data and intellectual property — and takes into account the intersection of users, data, and networks, the healthcare industry can improve its cyber threat protection.

In Simple Terms: How Do We Improve Cybersecurity?

Due to the significant financial impact of data breaches in healthcare, health informatics and other professionals need to play an important role in ensuring that medical organizations remain secure. Individual healthcare organizations can improve their cybersecurity by implementing the following practices:

• Establish a security culture: Ongoing cybersecurity training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.
• Protect mobile devices: An increasing number of health care providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.
• Maintain good computer habits: New employee on boarding should include training on best practices for computer use, including software and operating system maintenance.
• Use a firewall: Anything connected to the internet should have a firewall.
• Install and maintain anti-virus software: Simply installing anti-virus software is not enough. Continuous updates are essential for ensuring health care systems receive the best possible protection at any given time.
• Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organizations must consider storing this backed-up information away from the main system if possible.
• Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.
• Use strong passwords and change them regularly: The Verizon report found that 63 percent of confirmed data breaches involved taking advantage of passwords that were the default, weak or stolen. Healthcare employees should not only use strong passwords, but ensure they are changed regularly.
• Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.
• Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.

How to Defend Against the Growing Threat?
Deterrence, prevention, detection and response all have their place.

Prevention is preferable to detection and reaction. But without data collection, an organization cannot successfully detect or react to anything.

Alerts or alarms should be designed to detect event sequences with potentially negative consequences. Statistical and anomaly detection methods are particularly good for these purposes, as are rule-based detection mechanisms.

Security information and event management or log management tools can augment data collection efforts.

In addition to deploying technology tools to help defend against and detect intrusions, it’s important to formally define roles and responsibilities for incident response. Organizations need to document procedures that specify what the response team should do if there’s an incident and test those procedures periodically.

It’s not just one technology, it is multiple technologies in order to repel these highly sophisticated and organized attacks. That includes deploying SIEM, as well as multi factor authentication to enter critical systems.

The Internet is increasingly a swamp. It’s no longer sufficient to just look at standard security logs. You need integrated security information event management that brings together network logs, users log, application logs and server logs, and looks for non obvious associations.

In Conclusion

To improve cybersecurity in health care, organizations need to hire informatics professionals who not only collect, manage and leverage data, but protect it as well. In addition, health data professionals need to on a continuous basis develop new strategies and best practices to ensure the safety of sensitive health data, protecting both the patient and organization from financial loss and other forms of harm.We know that reaching 100% security against cyber attacks is not realistic but, with a few steps, healthcare organizations can make sure that it’s too complex or unprofitable for threat actors to attack them, which will result in them moving on to another target.

About the author

Kris Seeburn is an enterprise trainer and a member of Advisory Board of The New Security Foundation, Member of The American College of Forensic Examiners & Institute of Forensics Science