cybersecurity in, no, FOR healthcare

one more need that calls for solutions

Published in nina capital (a new venture capital firm investing at the intersection of healthcare and deep technology) by marta g. zanchi, Mar 1, 2022

March 2022

by Cristina Hortala

Since the advent of the first computer systems and the world wide web, information technology has continued to transform healthcare (mostly) for the better. Unfortunately, healthcare systems, health technology manufacturers, and their investors are not the only ones who have recognized the value of health data: so have cybercriminals.

Increasingly, organizations that depend on this data need to protect themselves from individuals who use technology to commit malicious activities on their systems and networks, with the intention of stealing sensitive data and generating profit. The threat has become so pervasive that platforms have appeared selling Ransomware as a Service (RaaS), enabling virtually anyone to launch a ransomware attack against their chosen target.

We believe that for Hospitals, Clinics, and other healthcare organizations, the existing solutions are not enough. There is a need for specific healthcare cybersecurity companies. Not just cybersecurity in healthcare, but cybersecurity for healthcare.

Supporting fact #1: health data is the most valuable data

According to a TrustWave report, a Protected Health Information (PHI) record may be worth up to $250 per record on the black market, compared to a mere $5.40 for the next most valuable record type (payment card). Not only that, but PHI records are low-risk, high-reward targets, as historically there is little chance of the culprit getting caught. Criminal groups operate across several different jurisdictions, which means they often act with impunity.

Why is PHI so attractive? There are two main reasons that differentiate it from a simple payment card or social security number:

  • Longer shelf life: once there is a breach, it usually takes time for the organization to identify what information has been stolen and which people it affects. This means criminals can exploit that information for longer.
  • Multiple uses for PHI: a PHI record contains lots of different information, starting with social security and health insurance numbers, as well as biometric identifiers. This enables criminals to purchase prescriptions (and then resell them on the black market), receive treatment, make fake medical claims, launder data, commit extortion, etc.

Supporting fact #2: hospitals get attacked all the time

In a 2021 survey of 597 health delivery organizations, 42% admitted to having suffered two ransomware attacks in the last few years. This means that on two separate occasions, malware infected their systems and files, rendering them inaccessible until a ransom was paid. While this was happening, the organization was forced to go back to pen and paper, affecting its ability to conduct medical processes and procedures, and ultimately consuming its funds.

Furthermore, the loss of access to hospital internal networks means that most medical devices cannot be reached, resulting in:

  • Longer hospital stays for patients.
  • Delays and complications in medical procedures.
  • Patients being transferred to other healthcare facilities.

Supporting fact #3: life saving devices are not like office computers

There are intrinsic differences between the devices that need protection. While you can shut down systems to stop a cybersecurity attack in (for example) a venture capital firm (ouch!), networked devices in a hospital must keep working. You simply cannot turn off a life-saving medical device. And in the event of the hospital’s systems and files becoming inaccessible, every medical procedure would be slowed down or canceled altogether, putting multiple patients’ lives at risk.

“quick, just turn it off!” is hardly ever a good option in a situation like this.

So, what should healthcare organizations and cybersecurity companies do?

The industry overall needs a big shift. There is a need to change from traditional reactive cybersecurity to a more proactive and predictive approach, the key being prevention. This directly translates into adopting measures such as:

  • Identify any possible breach threat to create a breach-likelihood prediction, and put mitigation strategies in place.
  • Periodically perform threat hunting within networks, to identify previously undetected breaches.
  • Deploy non-traditional network sensors such as honeypots, to determine how well the security measures are working.
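The honeypot point above rests on a simple property: a decoy host has no legitimate users, so any connection to it is a signal worth triaging, which makes honeypots an unusually low-noise sensor for hunting inside a hospital network. The following Python is an added illustration written for this page, not code from the post or from nina capital; the flow-log format, the decoy addresses and the scoring rule are all constructed for the example. It parses a handful of constructed firewall flow lines, keeps only the ones that touched a decoy, and ranks sources so that a host probing several decoys and ports (scanning behaviour) surfaces first.

```python
import re
from collections import defaultdict

# Constructed sample flow-log lines (not real traffic, not from the post).
# Format assumed for the example: "<timestamp> src=... dst=... dport=... ..."
SAMPLE_LOG = """\
2022-03-01T08:00:01 src=10.20.1.15 dst=10.20.5.40 dport=443 proto=tcp action=allow
2022-03-01T08:00:03 src=10.20.1.15 dst=10.20.9.250 dport=445 proto=tcp action=allow
2022-03-01T08:00:04 src=10.20.1.15 dst=10.20.9.250 dport=3389 proto=tcp action=allow
2022-03-01T08:01:10 src=10.20.3.77 dst=10.20.5.40 dport=443 proto=tcp action=allow
2022-03-01T08:02:30 src=10.20.1.15 dst=10.20.9.251 dport=104 proto=tcp action=allow
2022-03-01T08:05:00 src=10.20.4.12 dst=10.20.9.250 dport=22 proto=tcp action=allow
"""

# Constructed decoy addresses: a fake file server and a fake PACS/DICOM node.
# Nothing legitimate should ever talk to them, so every hit is worth a look.
DECOYS = {"10.20.9.250": "decoy-fileserver", "10.20.9.251": "decoy-pacs"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line: str):
    """Parse one flow-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def honeypot_hits(log_text: str) -> dict:
    """Group decoy touches by source host: {src: [(ts, decoy_name, dport), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dst"] in DECOYS:
            hits[ev["src"]].append((ev["ts"], DECOYS[ev["dst"]], ev["dport"]))
    return dict(hits)


def triage(hits: dict) -> list:
    """Rank sources for the hunt team: more distinct decoys and ports touched
    looks more like active scanning than a one-off misconfiguration."""
    ranked = []
    for src, events in hits.items():
        decoys = {name for _, name, _ in events}
        ports = {port for _, _, port in events}
        ranked.append((len(decoys) + len(ports), src, sorted(decoys), sorted(ports)))
    ranked.sort(reverse=True)
    return ranked


if __name__ == "__main__":
    for score, src, decoys, ports in triage(honeypot_hits(SAMPLE_LOG)):
        print(f"score={score} src={src} decoys={decoys} ports={ports}")
```

In the constructed log, 10.20.1.15 touches both decoys on three different ports and lands at the top of the list, while 10.20.4.12 (one SSH attempt against the fake file server) is still flagged but ranked lower; the host that only spoke to the real server on 443 never appears, which is the point of a sensor with no legitimate users.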

In addition, there are at least four main goals for cybersecurity companies and healthcare organizations to work on:

Transparency

Current information about cyberattacks (both ransomware incidents and data breaches) isn’t accurate, due to under-reporting and a lack of documentation of the attacks by healthcare companies. Because organizations want to protect their reputation, most attacks go unreported, which means that it is nearly impossible to obtain a full view of the extent of cyberattacks in the healthcare sector.

This lack of trustworthy information forces cybersecurity experts to access and aggregate data only from what ransomware operators publish or leak, in order to develop a partial view of the threat and be able to conceive an effective protection plan. But this plan will have a high risk of being inherently flawed.

It is vital that organizations are more transparent, to improve both the understanding of the threat and the ability to take appropriate action to reduce it.

Medical device security

Medical devices need a whole different solution than the one used for hospital management. An attacker might not take over a medical device directly, but if this device relies on a single point of connectivity and the ransomware takes over the command server for the devices, all of them could stop working, compromising patient safety. Just for context, an average hospital room has between 15 and 20 medical devices the patient and medical staff rely on to receive and give the best care possible. Moreover, research shows that 83% of imaging devices still run on legacy systems too old to receive software updates, which makes them more vulnerable.

Personal medical devices are also at risk. The consequences could be deadly if an attacker hacked into a cardiac pacemaker or an insulin pump (in fact, a man called Jerome Radcliffe hacked into his own insulin pump at an RSA Security Conference to shine a light on this concerning issue). Each medical device runs its own unique code, which cannot be accessed through the cloud, so the responsibility for securing the device falls on the manufacturer.

Securing medical devices is a priority for both the manufacturers that provide them, as well as the healthcare delivery organizations that use them.

Software as a Medical Device (SaMD), including software that leverages machine learning models, also needs special attention, as the mechanisms needed to protect these algorithms differ from those used to protect PHI or more traditional medical devices.

For this purpose, two separate technologies have been developed: homomorphic encryption (HE) and federated learning (FL). Both of them are considered Privacy Enhancing Technologies (PET), but their modus operandi is quite different:

  • HE keeps the data encrypted while still allowing the AI system to compute on it.
  • FL decentralizes the data, distributing the machine learning to local devices so that one single hack doesn’t expose it all.

However, these technologies also come with major challenges:

  • Computing with HE data is much slower than computing with unencrypted data.
  • FL requires strong processors on the edge devices, and fast and reliable connectivity between those devices (where the learning is happening) and the core data centers (where the AI system resides).

So while the technology to protect AI systems exists and can be applied, it isn’t fully practical yet, as advances in processors are still needed to overcome the technology’s limitations.
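To make the two bullet lists above concrete, here is an added Python example (written for this page, not code from the post or from nina capital) that combines both techniques in one run: three constructed hospital sites each train on their own slice of data and never share raw records (the FL part), and each site's model update is sent under an additively homomorphic cipher so the aggregator can only add the ciphertexts and never sees any single site's update (the HE part). It goes slightly beyond the text by showing the two PETs used together, which is a common way HE is applied to FL. Assumptions, all constructed for the example: a toy Paillier keypair built from two tiny primes (far too small for real use), a single trusted key holder that decrypts only the aggregated sum, a linear model y = w·x + b fitted by gradient descent, and a fixed-point encoding with six decimal places so float updates fit the integer plaintext space. The slowdown bullet is visible in the code itself: every addition becomes a modular multiplication of large integers.

```python
import math
import random

# ---- Toy Paillier cryptosystem (additively homomorphic) -------------------
# Constructed example: the primes below are tiny so the arithmetic is easy to
# follow. A real deployment uses 2048-bit-plus keys from a vetted HE library.
P, Q = 10007, 10009                       # constructed toy primes
N = P * Q                                 # public modulus
N2 = N * N
G = N + 1                                 # standard generator choice
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(p-1, q-1), private


def _L(u: int) -> int:
    return (u - 1) // N


MU = pow(_L(pow(G, LAMBDA, N2)), -1, N)   # private decryption constant


def encrypt(m: int, rng=None) -> int:
    """Encrypt an integer plaintext m (mod N): c = g^m * r^N mod N^2."""
    rng = rng or random.SystemRandom()
    while True:
        r = rng.randrange(1, N)
        if math.gcd(r, N) == 1:
            break
    return (pow(G, m % N, N2) * pow(r, N, N2)) % N2


def decrypt(c: int) -> int:
    """Recover the plaintext in [0, N) using the private values LAMBDA and MU."""
    return (_L(pow(c, LAMBDA, N2)) * MU) % N


def add_encrypted(c1: int, c2: int) -> int:
    """Homomorphic addition: decrypt(c1 * c2 mod N^2) == m1 + m2 (mod N)."""
    return (c1 * c2) % N2


# ---- Fixed-point encoding so float model updates fit the integer plaintext ---
SCALE = 10**6


def encode(x: float) -> int:
    return round(x * SCALE) % N           # negatives wrap to the top of [0, N)


def decode(v: int) -> float:
    if v > N // 2:                        # values above N/2 represent negatives
        v -= N
    return v / SCALE


# ---- Federated averaging with encrypted aggregation -----------------------
# Constructed client data: three sites each hold a disjoint slice of y = 2x + 1.
# Raw records never leave a site; only an encrypted model delta does.
CLIENT_DATA = [
    [(0.1, 1.2), (0.2, 1.4), (0.3, 1.6)],
    [(0.4, 1.8), (0.5, 2.0), (0.6, 2.2)],
    [(0.7, 2.4), (0.8, 2.6), (0.9, 2.8)],
]
LR = 0.5                                  # learning rate for the local step


def local_update(model, data):
    """One gradient step on local data; returns the (dw, db) delta to report."""
    w, b = model
    n = len(data)
    dw = sum(2 * ((w * x + b) - y) * x for x, y in data) / n
    db = sum(2 * ((w * x + b) - y) for x, y in data) / n
    return (-LR * dw, -LR * db)


def federated_round(model, rng=None):
    """Clients send encrypted deltas; the aggregator only multiplies ciphertexts."""
    enc_w = enc_b = None
    for data in CLIENT_DATA:
        dw, db = local_update(model, data)
        cw, cb = encrypt(encode(dw), rng), encrypt(encode(db), rng)
        enc_w = cw if enc_w is None else add_encrypted(enc_w, cw)
        enc_b = cb if enc_b is None else add_encrypted(enc_b, cb)
    # Only the key holder can decrypt, and it sees just the SUM of the deltas,
    # never any single site's contribution (toy setup: one trusted key holder).
    k = len(CLIENT_DATA)
    avg_dw = decode(decrypt(enc_w)) / k
    avg_db = decode(decrypt(enc_b)) / k
    return (model[0] + avg_dw, model[1] + avg_db)


def train(rounds=200, seed=1):
    """Run federated averaging over encrypted updates; returns the learned (w, b)."""
    rng = random.Random(seed)
    model = (0.0, 0.0)
    for _ in range(rounds):
        model = federated_round(model, rng)
    return model


if __name__ == "__main__":
    w, b = train()
    print(f"learned y = {w:.3f}x + {b:.3f}  (true relation: y = 2x + 1)")
```

Because every site's data is equally sized, averaging the encrypted deltas is exactly one gradient-descent step on the pooled loss, so the global model converges to w = 2, b = 1 even though no party ever saw another site's records or individual update. Swapping the toy keypair for a production HE library changes nothing in the protocol, only the cost per round, which is the practicality gap the text refers to.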

Prevention of accidental or malicious insider threats

Very often, cybercriminals get into a healthcare organization’s systems by exploiting its main vulnerability: humans. In fact, up to 57% of cyberattacks begin with trusted insiders. Cybercriminals typically do it by convincing someone to take one of three common actions:

  • open a malicious attachment;
  • click on a malicious link;
  • view an advertisement that contains malware (also known as malvertising).

These tactics, techniques and procedures change and evolve constantly, making it increasingly difficult for security experts to design strategies to prevent the exploitation of such vulnerabilities. To top that off, hospitals share PHI with more than 1500 insurers, each of which can become a vulnerable point of entry.

Sometimes the best strategy is simply education. Better solutions to effectively train a hospital’s staff on behaviors to enhance cybersecurity prevention could meaningfully reduce risks.

Training of designated security teams

The ever-tight hospital budgets mean there are often limited resources for dedicated cybersecurity teams. Often in smaller organizations, operation managers are the ones maintaining the systems instead of IT administrators, and we heard them complain about the challenge of finding staff members who can understand and take charge of responding to cyberattacks. There appears to be a shortage of trained professionals that understand both how connected medical systems and devices work, and how to protect them.

The combination of cybersecurity and medical expertise is also rare when we turn to startups.

While there are some companies that have reached the market, like ClearDATA or Fortified Health, not many more are emerging. While we often meet or read about a new cybersecurity startup that offers protection to many different industries (including healthcare), very rarely do we find one whose main focus is healthcare. Yet we think the opportunity exists for more companies to be born and to address, for example, one or more of the needs and goals we outlined above.

Are you the founder of one such elusive venture? If so, please, don’t hesitate to come see us :)

Cristina Hortala — Visiting Analyst Intern, ‘22
