Cybersecurity: Essential for Your Health
A year ago, I embarked on an academic journey with the task of developing a course that would bridge two rapidly evolving fields: data science and cybersecurity. My background in automotive cybersecurity and log analysis provided a solid foundation, but I quickly realized that creating a truly impactful course required more than just technical knowledge. I needed to tap into the deep well of experience held by industry veterans. What began as a search for curriculum advice soon evolved into a profound exploration of the cybersecurity community itself.
As I reached out to experts, I encountered two unexpected revelations: the incredible warmth and generosity of those willing to mentor a newcomer, and the fierce passion they held for the critical nature of their work. This welcoming embrace into the world of digital guardians paved the way for a course that would transcend traditional textbook theories.
One expert encapsulated the urgency of cybersecurity by paraphrasing Leon Trotsky and substituting “war” with “cybersecurity: “You may not be interested in cybersecurity, but cybersecurity is interested in you.” This statement resonated deeply with me, so I asked for an example to illustrate his point. He was more than happy to oblige.
“Take healthcare, for instance,” he began. “It’s a service that touches all of us, yet it’s one of the top three targets for cyberattacks.” I was taken aback by this revelation and naturally asked for more details. With a knowing smile, he began to elaborate, revealing the intricate vulnerabilities that make cybersecurity in healthcare not just important, but critical.
“Let me explain,” he continued. “Cybersecurity in healthcare is a complex domain, especially as the industry increasingly relies on digital systems, electronic health records (EHRs), and interconnected devices. The main concerns and challenges include safeguarding patient data, protecting healthcare infrastructure from cyberattacks, and ensuring the privacy and security of sensitive information.”
He then provided a stark example: the WannaCry ransomware attack of 2017, which infected over 200,000 computers globally, including critical systems in the UK’s National Health Service. This attack caused widespread disruption and highlighted severe vulnerabilities in outdated software.
Another example involved an attack on community health clinics. In an official report to the United States Securities and Exchange Commission, Community Health Systems disclosed that their network of 206 hospitals across 28 states was subjected to a cyberattack between April and June 2014. The breach compromised the sensitive personal information of 4.5 million patients, including Social Security numbers. The FBI attributed the attack to a group based in China and issued a widespread advisory to the industry, urging companies to enhance their network security and adhere to legal protocols to assist in preventing future attacks.
“These are compelling stories,” he said, “but for your teaching, you need structure. Let’s start with the key areas of concern in healthcare cybersecurity.”
“Let’s revisit what Data Breaches and Ransomware entail. Data breaches involve unauthorized access to sensitive information, jeopardizing privacy, security, and trust for individuals and organizations alike. Ransomware, on the other hand, locks down essential data by encrypting it, forcing victims to pay a ransom for its release while severely disrupting operations and compromising data integrity.
Data Breaches and Ransomware: Healthcare organizations have become prime targets for cybercriminals due to the high value of medical data. Ransomware attacks, where attackers encrypt patient information and demand payment for its release, have been particularly devastating. These breaches compromise sensitive personal health information (PHI), causing significant harm to patients and substantial financial losses for the affected organizations. Each year, over half a million records are reported to be sold on the dark web, but how many more go unreported? The true scale of this illicit trade remains unknown. Another driver of data breaches is blackmail. Attackers often threaten to publish or sell the stolen data if they are not paid, promising to delete it upon payment — a promise that is rarely kept.
Let’s review another case of cyberattacks: targeting medical devices.
Medical Device Security: A medical device hijack, commonly referred to as “medjack,” involves the malicious hacking of devices such as pacemakers, insulin pumps, or imaging systems. These attacks typically exploit outdated software and weak security protocols, posing significant risks to patient safety. With many medical devices now connected to the internet or internal networks, the potential for hacking — and the resulting life-threatening consequences — has grown substantially. Securing these devices against unauthorized access and tampering is a formidable challenge. Since these devices perform critical functions, their operating systems are often not updated regularly, leaving them vulnerable to cyber threats for extended periods. Research has shown that these devices can be remotely manipulated and potentially turned into lethal weapons.
To mitigate these risks, stringent regulations and best practices have been put in place, and it is crucial that students fully grasp and apply them. Although adhering to these standards can complicate and extend the development process, it is indispensable for ensuring the safety and security of medical devices. My recommendation is to integrate cybersecurity considerations from the outset and maintain a focus on them throughout the entire development lifecycle.
Understanding the Risks and Regulations: Understanding the risks and regulations in healthcare cybersecurity requires a solid grasp of the various technology systems at play. Information Technology (IT) encompasses the computing infrastructure used for data storage, processing, and communication. Operational Technology (OT) involves the hardware and software that monitor and control physical devices, such as medical machines. The Internet of Things (IoT) includes interconnected devices that collect and exchange data, like wearable health trackers, while the Industrial Internet of Things (IIoT) focuses on industrial applications, including smart factories and medical device networks.
These systems often do not synchronize seamlessly, and when IT, OT, IoT, and IIoT are not properly aligned, gaps can emerge. These gaps create attack vectors that can be exploited, leading to significant security vulnerabilities — vulnerabilities for which no one wants to take responsibility. Unfortunately, in the event of a breach, the burden of blame may fall on you. Furthermore, applying the regulations across all these components can be a daunting task, as each system may have its own set of requirements.
Insider Threats: Healthcare organizations must remain vigilant against insider threats, whether arising from malicious intent or simply human error. Employees with access to sensitive data can inadvertently or deliberately cause significant breaches. Given that healthcare is one of the largest employment sectors, with a wide range of job roles and responsibilities, it is hard to monitor every individual perfectly. As a result, more than half of data breaches are caused by insiders. This challenge is further complicated by the fact that many devices are shared among multiple employees, not all of whom adhere to basic security protocols, creating an ideal environment for bad actors.
Modern technology has also enabled remote and even offshore work, such as radiologists in India diagnosing medical images from the U.S. This arrangement offers significant benefits, allowing healthcare providers in the U.S. to have skilled professionals available during nighttime hours (which aligns with midday in India due to the time difference) while also reducing costs. However, this setup introduces a clear risk — how can we ensure that sensitive data isn’t being leaked somewhere along the way?”
“It all makes sense,” I thought, “you could easily develop an entire course on this issue alone.” However, he wanted to continue discussing telemedicine security.
“Telemedicine Security: The rise of telemedicine, particularly during the COVID-19 pandemic, has introduced new cybersecurity challenges. Ensuring secure communication channels and implementing robust authentication measures are essential to safeguard patient consultations and data. However, the uncertainty surrounding where and how these applications will be used introduces additional risks. A compromised device, for instance, could allow malicious actors to access sensitive information. Moreover, if a device is lost and lacks a strong password, the risk of data breaches becomes even greater.”
I took a deep breath, and he continued.
“Supply Chain Vulnerabilities: Healthcare organizations rely heavily on various vendors and third-party services, making them vulnerable to cybersecurity weaknesses within these partners. Such vulnerabilities can compromise the entire healthcare ecosystem. Ensuring that all suppliers adhere to strict cybersecurity standards is crucial. However, the complexity of this supply chain is daunting. In the medical field, where there is no margin for error, every supplier must maintain the highest professional standards. Unfortunately, it’s rare to find a single provider that meets all these requirements. Additionally, many suppliers are based in countries like China, raising additional concerns. Each company implements its own security measures — some of which conflict with others or are outdated — making this attack vector particularly risky.”
I began to realize that the intricate nature of the healthcare system makes it a prime target for cybersecurity attacks, particularly those aimed at valuable medical data.
“High Value of Medical Data: Medical data, including patient records, clinical trial information, and genetic data, is highly valuable to cybercriminals. Unlike financial data, which can often be quickly nullified (e.g., by canceling a credit card), medical data is permanent and can be used for identity theft, blackmail, and other malicious activities. The black market value of medical data is significantly higher than that of financial data, making healthcare organizations prime targets for cyberattacks.
For the three V’s of Big Data — Volume, Variety, and Velocity — we can add a fourth V: Value. However, it’s important not to overlook the significance of the original three.
Complexity and Volume of Data: Healthcare organizations generate and store vast amounts of data, including EHRs, lab results, imaging data, and treatment histories. This data is often dispersed across various systems, making it challenging to secure comprehensively. The complexity of medical data, with its numerous formats and sources, increases the difficulty of implementing uniform security measures.
Moreover, given the unique structure of the healthcare industry, data sharing can be crucial for gaining a comprehensive understanding of ongoing trends. However, this practice also introduces significant cybersecurity challenges.
Data Sharing: The healthcare industry increasingly emphasizes interoperability, allowing for seamless data sharing between different providers, hospitals, and even across borders. While this enhances patient care, it also introduces new vulnerabilities as data moves through different systems and networks. Ensuring that data remains secure during transfers and that only authorized entities have access is critical.”
I recognized the significance of the situation, and he quickly noticed the expression of realization on my face.
“This is just the beginning,” the expert said. “There’s much more to explore. Since you’re focusing on data, let’s dive into the challenges of securing medical data.
Challenges in Securing Medical Devices: In the healthcare sector, there are many heavy-duty devices such as CT, MRI, etc. These devices are under constant attack. Just to put things in perspective, over a thousand cybersecurity attacks are reported annually on CT devices alone, despite there being fewer than thirty-five thousand of these devices worldwide. This alarming statistic suggests that nearly every CT device is likely targeted each year. And this is just one example — similar risks apply to other medical devices as well. You must understand that such an attack might be a death sentence for any business in the healthcare sector.”
I took a deep breath and said, “I assume your students have a background in programming. Let’s explore this issue together.” He responded, and I nodded in agreement.
“Legacy Systems: Many healthcare organizations still rely on outdated or legacy systems that were not designed to withstand modern cybersecurity threats. These systems often lack advanced security features, making them more susceptible to attacks. Upgrading or replacing these systems can be costly and complex, but it’s crucial for protecting medical data. Quality assurance for these systems is particularly challenging, as test coverage must be far more extensive than standard, given the zero tolerance for failure in real-time operations. An unresolved bug in such a system could have dire consequences, potentially leading to patient harm or even death. For example, between late 2015 and early 2016, three U.S. hospitals fell victim to ransomware attacks that exploited vulnerabilities in the outdated Windows XP operating system. Critical medical devices, including X-ray machines and radiology systems, were compromised, highlighting the severe risks involved — this is not just a matter of cybersecurity, but of life and death.
The risks go beyond merely collecting bad data — cyberattacks can have devastating consequences. Misuse of CT machines, for example, can lead to dangerous levels of radiation exposure and even cause flash burns. Similarly, improper use of MRI equipment can result in serious harm.”
I was in shock for a second, then he continued to talk about data integrity.
Data Integrity: “Beyond breaches, cyberattacks can also target the integrity of medical data. Altered or corrupted data can lead to misdiagnoses, incorrect treatments, and potentially fatal outcomes. Ensuring data integrity through checksums, cryptographic hashes, and real-time monitoring is crucial for maintaining trust in healthcare systems.”
We took a sip of our coffee, and he began discussing another critical issue.
“Third-Party Access and Cloud Storage: Many healthcare providers use third-party services for data storage, analytics, or other functions. While cloud storage offers flexibility and scalability, it also introduces risks if the service provider doesn’t adhere to stringent cybersecurity standards. Contractual agreements, regular audits, and clear data governance policies are necessary to manage these risks. Additionally, third-party access — such as by pharmacies, test facilities, and insurance companies — introduces further complexities, as they are regulated by their cybersecurity officers, over whom the primary organization has limited control. In some sense, this generalizes the supply chain problem.
This leads us to our next subject.
Data Privacy Regulations: Different regions have distinct regulations governing the privacy and security of medical data, such as HIPAA in the U.S. and GDPR in Europe. Ensuring compliance across multiple jurisdictions adds significant complexity. Non-compliance can result in severe consequences, including hefty fines, legal action, and loss of patient trust. In some instances, regulatory requirements like data anonymization may conflict with the need for comprehensive patient care, creating challenges that require careful navigation. My strongest advice is to consider these regulations before collecting even the first piece of data. Trust me, preparing data to meet these regulations can be a nightmare, but without this groundwork, progress becomes impossible.”
“It’s even worse than you might think,” he said. “Every organization has its own set of regulations, and often, these regulations conflict with one another. To make matters worse, they change faster than you can keep up. If a conflict arises, the blame almost always falls on you. Who else could it be? On top of that, inspections and enforcement actions are continually carried out, making it nearly impossible to align with regulations properly. Your constraints are strict — everything must be easy to use and affordable. This chaotic mix creates a perfect environment for cyberattacks. We saw such an incident in August 2023 at a hospital in Jerusalem. Following the cyberattack, patients were unable to receive treatment. Remember, these are life-and-death issues, and this could happen at any hospital worldwide.”
“You must understand,” he continued, “the world is changing rapidly. People are using their devices everywhere, outsourcing is becoming more prevalent, and medical databases are growing more sophisticated. Additionally, while generative AI (GenAI) can be a powerful tool for defense, it can also be exploited by malicious actors. We must incorporate data science-based methods into our defense mechanisms. Moreover, you are training the next generation of data scientists, and they must be prepared for these challenges, whether they work for a cybersecurity firm or lead one. This is why I believe the course you are teaching is of critical importance.”
He paused for a second and then continued.
“Cybersecurity by Design: Cybersecurity must be integrated by design, meaning it should be considered from the very first stage of development through to the final implementation. This approach ensures that security measures are embedded into every aspect of the process, minimizing vulnerabilities and strengthening the overall system. By proactively addressing cybersecurity from the outset, organizations can better protect sensitive data and critical operations, rather than attempting to add security as an afterthought.”
He then added, “I’ve focused on medical issues because they often don’t receive the attention they deserve. However, other sectors in the industry also warrant discussion. Let’s save that for our next meeting.”
I left that meeting with a profound sense of responsibility and gratitude, fully realizing the significance of the course I was creating. This newfound understanding inspired me as I built the curriculum. It was a great honor when he agreed to join as a guest lecturer, and his session turned out to be nothing short of captivating.
So, how was the course? The students later told me it was their best course that semester. I suppose I did something right.
