Of all the effects of the global pandemic, one of the least surprising has been a marked increase in cyber crime targeting the healthcare sector. From the attacker’s point of view, especially ransomware criminals, this makes perfect sense: with patient admissions rising due to Covid-19, health systems are under severe pressure, amplifying the effect of any disruption. In the worst-case scenario, network unavailability could cost lives, a pressure point attackers believe will force healthcare managers to pay bigger ransoms without waiting for backups to kick in.
The scale of this increase in attacks is unmistakable. In October 2020, security company Check Point Software reported that hospitals were being singled out by one of the most active ransomware families, Ryuk, which had seen a 71% jump in attacks in the US, and 31% in EMEA. This was sustained throughout November, when 626 organisations were targeted. Given that this figure represents only those incidents recorded by one company, it was no surprise when government agencies, including the FBI and CISA in the US, and the NCSC in the UK, issued a red alert warning to the sector.
One year on: How AI can supercharge the healthcare of the future
While the pandemic has driven recent cyber crime, the targeting of healthcare goes back many years, most infamously the WannaCry ransomware attack of 2017, which badly disrupted hospitals across the world. Although not aimed solely at healthcare, WannaCry served as a proof-of-concept that severely disruptive attacks were possible, arriving at a time when the sector was already struggling to control the issue of data breaches affecting large volumes of Personal Health Information (PHI). This is popular with cyber criminals for several reasons:
- Medical identities and records are the most financially valuable type of personally identifiable information (PII), selling for high prices on dark web markets, where they are used to launch sophisticated identity theft.
- An especially high value attached to the PHI of celebrities and politicians.
- The threat to release data stolen during a ransomware attack is now routinely used to drive up the price of extortion ransoms.
A fundamental issue is that healthcare is hugely data intensive, which results in an ‘attack surface’ that is both vast and constantly growing as medical monitoring expands. According to an analysis by Varonis for its 2021 Data Risk report, this data is often easily accessible with 20% – an average of 11 million PHI files – open to an organisation’s entire workforce. This can be exposed by human error, equipment misconfiguration, a software vulnerability in medical equipment and IT systems, or theft by insiders. Healthcare organisations also make extensive use of third party and agency workers, which makes oversight harder and increase the chances of credential sharing and errors. Then there are established weaknesses such as migrating from insecure legacy equipment, a lack of experienced cyber security staff, under-investment in security, and a dependence on equipment which has not been thoroughly tested for security issues.
Driving healthcare transformation one simple step at a time
New medical devices
Healthcare is experiencing a major expansion in medical data collection as a bewildering array of new types of monitoring device are handed out to patients. Many of these first-generation devices have proved immature in security terms, often in ways that takes specialised testing to uncover. Everyone agrees that these sorts of checks should be carried out during development and that patients and healthcare providers should not become unwitting beta testers. The influence of such medical devices will undoubtedly spur a demand by patients to access their own electronic health records (EHRs), something many healthcare providers are not yet able to offer in a secure way.
In theory, access control offers a solution, particularly as part of an approach that takes account of a broader information security management system (ISMS) framework. While undoubtedly true, healthcare organisations should first analyse their current weaknesses. For example, Varonis reports that many healthcare organisations struggle to control old but still enabled ‘ghost’ accounts, which gives hackers a clear path to bypass such controls. Similarly, 41% of organisations had 1,500 or more Active Directory (AD) accounts protected by passwords set to never expire, a clear breach of basic principles.
Often it’s the simple things that get lost, for example by mandating email security standards such as Domain-based Message Authentication (DMARC) which makes it much harder for attacks to spoof email addresses to impersonate genuine contacts. Likewise, email accounts should be protected not only with rigorous password polices but by using multi-factor authentication by default for all accounts. Access control on data also needs to consider the possibility of internal misuse, another blind spot many healthcare organisations assume is a secondary concern. Third-party agencies must be included in any overhaul of data governance with assurance to ensure standards are being met.
And yet, tighter access control, better network design, and more layers of security software such as encryption and endpoint security only get organisations so far. A comprehensive approach to security must also take account of take account of human behaviour, using technical controls as baselines backed up with a long-term commitment to user training to resist common attacks. Many breaches start with relatively simple social engineering and phishing attacks that often go undetected until it is too late. Defending against such attacks requires more than user training and awareness but without that as a starting point, it is unlikely to succeed.
Large-scale reforms like this are often slow to happen because it represents a change in culture which humans resist. Designing a new culture is never straightforward. Organisational complexity doesn’t help – sometimes even knowing whose job it is to implement certain policies, let alone checking that they have been implemented correctly can turn into a barrier. But as healthcare regulation and governance standards develop, the sector has realised it must face up to the institutional challenge. As an industry, healthcare emerged to help patients with physical problems. In the 21st Century, the same applies to the confidentiality of patients’ digital assets.