Cybersecurity and Digital Health Records

CyberSift
5 min read · Mar 9, 2018


Who has access to your patients’ health records, and how are they protected? Are they held securely?

In May 2017, a major breach led to 16 hospitals shutting down in the UK, whilst in 2016 US healthcare facilities were the victims of one cyber attack per month over a period of 12 months. Healthcare organisations are among the most vulnerable entities to cyber threats because they are entrusted with personally identifiable information (PII): a patient’s name, date and place of birth, medical records and social security details. The issue with most hospitals is that they are data-rich yet lack the strong control sets the financial industry possesses, which makes them more liable to such attacks.

How is healthcare data susceptible?

Hospitals, health plans and research laboratories each run their own particular digitisation systems and system interconnections. Patients’ health can be affected in many ways; having critical medical devices turned off is just one example of an indirect action aimed at disrupting care.

Patients’ health records can be affected in diverse ways as well, now that records have been converted into Electronic Health Records (EHRs). Altering or destroying an EHR can harm the patient and compromise the organisation’s integrity, especially when the altered data concerns blood groups or medical history.

Assets in the form of “intellectual property”, such as experimental surgery procedures, test and study results, or drug formulas, could also be stolen or damaged. Theft of such data could mean years of work disappearing, along with the funds invested in it, not to mention misleading researchers and possibly harming patients.

The reputation of a medical facility and its staff is an asset and should not be ignored at any cost. Patients need to be assured that they are putting their health in the hands of trusted professionals and that the facility is safe. A cyber attack can harm the credibility and accreditation of the institution if it is brought to the fore and publicly disclosed. Furthermore, if the attacker uses the identity of specific medical staff to perform the attack, through impersonation or credential theft, not only the staff member’s reputation but also their career can be harmed.

How can various attacks take place?

A massive cyber attack on a facility can be planned according to its cost-to-gain ratio. Thus, in the case of EHR theft, the choice of target facility depends on the number of EHRs available and the difficulty of accessing them; this way the highest profit is generated with the least effort possible. However, this would be classified as an untargeted attack, as no specific target is involved. Targeted attacks are also possible and could generate a higher profit if the adversaries have the right objectives and adequate means to mobilise their resources. For instance, blackmailing a specific person using information from his or her EHR could generate higher gains than simply selling a random EHR on the market. While restricting security breaches may be enough to prevent untargeted attacks, a more advanced security policy is needed to effectively counter targeted attacks.

One of the most popular types of cyber attack, mainly targeting hospitals, is ransomware. Experts estimated that in 2015 the number of ransomware attacks amounted to 1,000 per day, 25% more than the year before. Hackers can gain access through diverse methods: physical presence on site and the use of USB devices, theft of staff mobile devices, and phishing or malicious emails. If a medical facility employs around 50,000 staff members, what is the probability that one of them opens a malicious email? Once hackers gain access to the Information System (IS), they can deploy malware that locks the system whilst encrypting all the data it contains. Once this happens, the system becomes totally inaccessible and unusable until the ransom is paid. It is also significant to note that the ransom is usually requested in Bitcoin, making the payment impossible to trace. The malware, in the meantime, remains in the system and does not allow anyone to use it.

Time-sensitivity renders hospitals easy targets for hacking: without quick access to patients’ health records, patient care may be delayed, which could have serious consequences for their health and even result in death.

Another common attack is classical information theft, which can be more dangerous than ransomware, as well as more profitable for hackers, despite being more complicated and time-consuming. After stealing as much medical data as possible, hackers use the dark web and illegal markets to put up for sale anything from credit cards to social security numbers and EHRs. What could be done with the information contained in a health record? The list is endless: getting a loan, filing insurance claims and opening a credit card are just a few possibilities.

What can be done to mitigate such attacks?

It should be kept in mind that the world of interconnectivity and digitalisation keeps expanding and advancing, so the exposure of assets will keep growing. Cyber attack opportunities will become more numerous and, as adversaries become more skilled, cyber threats to medical institutions will multiply and become more intricate.

CyberSift can provide you with “Intelligence Augmentation” services to increase your team’s abilities, efficiency and time to resolution. The CyberSift anomaly engine scrutinises large amounts of data and highlights those alerts that are out of the ordinary, allowing security teams to focus on what is truly significant. CyberSift is a log-based platform, making it extremely flexible when integrating with your current infrastructure. CyberSift can generate or ingest logs from a wide variety of sources, such as: Syslog sources, TAP / SPAN ports, Windows Event Viewer, OSSEC, SNORT, OpenVAS, CyberSift Local Agent, Splunk, and packet capture supporting DNS and HTTP.

The CyberSift engine ingests data and adds several benefits: anomaly-based detection that does not rely on signatures, hyper-alerting that enriches signature-based alerts with information from external threat feeds, and rule-based alerts.
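To make the two ideas above concrete (log ingestion from a syslog-style source, and anomaly detection that baselines behaviour instead of matching signatures, plus threat-feed enrichment), here is an added toy example. It is not CyberSift's code; the log format, host names, file-audit process name and the threat-feed entry (a documentation-range IP) are all constructed for the example.

```python
"""Toy log-based anomaly engine: parse syslog-style lines, baseline each host's own
file-write rate, flag buckets far out of the ordinary, and enrich with a threat feed."""
import re
import statistics
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w-]+): (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed threat feed; 203.0.113.7 is a documentation-range placeholder, not a real IoC.
THREAT_FEED = {"203.0.113.7": "listed as phishing sender (constructed example entry)"}

def build_sample_logs():
    """Constructed sample logs: four hosts with a quiet baseline, then one host
    (ward-pc-02) rewriting dozens of record files within a single minute."""
    lines = ["2018-03-09T09:58:12 mailgw smtpd: inbound from 203.0.113.7 subject=Invoice"]
    for i, host in enumerate(["ward-pc-01", "ward-pc-02", "ward-pc-03", "lab-pc-01"]):
        for n in range(3):
            lines.append(f"2018-03-09T10:0{n}:00 {host} fileauditd: WRITE /ehr/records/{i}{n}.xml")
    for n in range(40):
        lines.append(f"2018-03-09T10:05:{n:02d} ward-pc-02 fileauditd: WRITE /ehr/records/{n}.xml.locked")
    return "\n".join(lines)

def parse(log_text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def write_counts(events):
    """Count file WRITE events per host per minute (timestamp cut to YYYY-MM-DDTHH:MM)."""
    counts = defaultdict(Counter)
    for e in events:
        if e["proc"] == "fileauditd" and e["msg"].startswith("WRITE"):
            counts[e["host"]][e["ts"][:16]] += 1
    return counts

def detect_anomalies(counts, train_minutes=3, factor=10):
    """No signatures: each host is baselined on its own first `train_minutes`
    buckets, and later buckets exceeding `factor` x its median rate are flagged."""
    alerts = []
    for host, buckets in counts.items():
        minutes = sorted(buckets)
        base = statistics.median(buckets[m] for m in minutes[:train_minutes])
        for m in minutes[train_minutes:]:
            if buckets[m] > factor * max(base, 1):
                alerts.append((host, m, buckets[m], base))
    return alerts

def enrich(events, feed=THREAT_FEED):
    """Attach threat-feed context to any event whose message mentions a listed indicator."""
    return [(e["host"], ip, feed[ip]) for e in events
            for ip in IP_RE.findall(e["msg"]) if ip in feed]
```

Running `detect_anomalies(write_counts(parse(build_sample_logs())))` flags only ward-pc-02's burst minute, while `enrich(parse(build_sample_logs()))` ties the mail gateway event to the feed entry; a real deployment would baseline over far longer windows and many more event types.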



CyberSift

Intelligence Augmented Cybersecurity. A hybrid IDS which leverages both signature and anomaly data mining techniques to simplify cybersecurity. http://cybersift.io