The Human Race has been addicted to the process of evolution, and as we all evolve, things surrounding us evolve too. In our quest to achieve communication supremacy, the power of our personal devices bags the first spot. It empowers work lives from anywhere in the world & provides continuous improvement in everything that we do. Whether it is for personal use at home or business use at our place of employment, we rely heavily on our electronic liberators to keep us connected to the rest of the world. Now, imagine all these devices on the planet stop working for a day, a complete technology blackout. Sounds scary?
Now, symmetrically visualise this in healthcare, & try to imagine how the new age digital kidnapping makes healthcare highly vulnerable as an industry. Cyberattacks have the power of pushing everything decades back to the era of paper & charting systems in the flick of a second. Welcome to the new world of increasing zero-day attacks in healthcare. The game is on: hackers are ramping up medical system breaches and demanding large ransoms, highlighting the susceptibility of the increasingly digitally-focused patient care ecosystem that we are striving to create today. And what’s worse, there has been a multifold increase in cyberattacks on health systems since the start of the COVID-19 pandemic. The cybercrime statistics during this pandemic are both startling & frightening: the number of complaints about cyberattacks is up to as many as 4,000 a day, which is a 400% increase from the pre-COVID era (FBI, Cyber Division).
When it comes to healthcare, a cyberattack is more than merely an attack on the computers & the medical devices; it is an incursion on vulnerable people, where lives are at stake, making lenity an absolute forbidden zone here.
The trend is not something new; the healthcare sector has always been a sought-after target for cybercriminals. The first ever known ransomware attack occurred in 1989: it was the AIDS trojan (PC Cyborg Virus), released via a floppy disk, where the victims needed to send $189 to a P.O. box in Panama to restore access to their systems. It was a simple virus, but it utilised symmetric cryptography.
28 years later, sadly, the healthcare industry still remains a top target for such ransomware attacks. As we realise that ransomware has been around for decades now, what has shape shifted is the heterogeneity of advanced capabilities for spreading, evading detection, encrypting files, and finally coercing users into paying hefty ransoms. The “New-age” ransomware involves a blend of advanced distribution efforts & highly advanced development techniques to make reverse-engineering an absolute nightmare for anyone.
Why healthcare? A Low-risk, high-reward crime.
Hackers find the medical sector particularly enchanting due to the vast amount of personal information they could obtain from a single breach, as there is no sector in the world that handles as much personal data as the healthcare industry does as a whole.
Since the start of the COVID-19 pandemic, the CyberPeace Institute has analysed data on over 235 cyberattacks (excluding data breaches) against the healthcare sector across 33 countries. While these numbers are just the tip of the iceberg, they still provide us with a fair indicator of the rising negative trend and its implications for access to critical care. Over 10 million records have been stolen, of every type, including social security numbers, patient medical records, financial data, HIV test results, and private details of medical donors. On average, 155,000 records are breached during an attack on this sector, and this number can be much higher, with some incidents reporting the breach of over 3 million patient records.
Long story short, hospitals can be hit real hard by these cyberattacks when their resources are stretched thin, & especially during a pandemic like COVID-19, when these hospitals couldn’t afford any downtime in their systems. A single speck in the system’s set-up can put millions of patients at risk in a snap.
Where are the vulnerabilities? Let’s have a look:
1. Medjack: the attackers target the interconnected medical devices in hospitals. These attacks are very hard to detect and even harder to fix. It only takes one medical device to potentially infect/re-infect the rest of the devices in the hospital. These attacks jeopardise the patients by allowing hackers to play with the functionality of critical devices such as implants, exposing a patient’s medical history, and potentially giving entry to the prescription infrastructure of many institutions for all the proscribed activities possible. The first known ransomware attack to affect networked medical devices occurred in May 2017, when the global ransomware attack WannaCry impacted radiological devices in multiple hospitals.
2. The health data rush: In the age of #digitalhealth, data is the new currency. The attackers who target healthcare facilities know that once they gain access through VPN, credentials, or phishing, there’s no way the provider can control access to the information they will bump into. Once the burglary is done, it’s boundless and boundaryless access to dozens, hundreds, or even millions of patient profiles, their records, their medical histories… & what not, making it a perfect goldmine to rob & the most ideal condition for blackmailing.
3. The musty operating systems: Outdated operating systems & black boxes often expose sensitive health data, making it extremely vulnerable to frequent attacks. Unfortunately, with all the awesomeness we see in medical technologies in recent years, not every facet of the healthcare industry has kept pace. Reasons may range from limited budgets to hesitancy to adopt or learn new systems, but the repercussions are usually dangerous. Hospitals using systems that are dependent on timely system updates often fail to keep all software equipped with the most recent versions. These updates contain bug fixes that keep systems fairly secure. But many times this software becomes end-of-life, and vendors stop providing any further updates. And we all know what happens next…
4. The weakest link: End users, from frontlines to administration, as well as patients who connect their personal devices with the hospital network, can unintentionally/intentionally threaten the cybersecurity of the health facility. The frontlines need to be swift in a hospital, as no one has time to access a patient’s data with a password of 10 different characters plus asterisks or multi-factor authentication in case of emergency. What is required here is a secure network that is quick and easy to access, and the peace of mind that the patient’s data is protected all the time, so that the frontlines can focus on what they are meant to do. I wish it were as straightforward as I wrote; unfortunately, awareness & education in online threats is often a neglected zone.
5. Cyber hygiene; training and awareness: Patients often assume the protection of their sensitive data by default, so to keep their trust, providers must focus on esoteric as well as broad security issues, as they are responsible & answerable to their customers/users. According to Cybint, “95% of cybersecurity breaches are due to human error.” Cyber criminals often target employees to creep into the system. So you need to have a complete cybersecurity strategy in place with training included. But before diving straight into the training of the employees, it’s very important to understand the gaps & then design accordingly. The frontlines are often a busy bunch, so avoid duplication of information & make them aware of the facts that they do not know. Design anything other than boring, but first make them comfortable & tone it in a way that is easily understandable, minus the tech jargon.
6. Shifted work perimeters: remote work is a new normal for every industry, with healthcare being no exception. The availability of digital technologies has enabled healthcare to function without a pause; be it diagnosis, therapy, or continuous monitoring, our services never stopped. Hospitals ensured that their employees could access patient resources from almost anywhere to keep critical operations flowing. Sadly, many of these employees are at risk of a device, app, software, or network attack if they use weakly protected personal devices and home networks. As remote work is going to stay, & not just as a short-term response to the current pandemic, providers need to make it a part of their long-term strategy. And to attain that, deploying threat defences for all remote employees & securing the remote working ecosystem becomes a top priority for them.
7. The paradox, speed vs security: speed & timely information can really make a huge difference to the clinical outcomes of a patient. So, while it’s crucial for clinicians to have on-time access to the vital information at point-of-care, it’s also important to secure the same information from getting exposed publicly. Usually these security patches create inconvenience by design, & there is an urgent need to design a way out to make security function as a business accelerator & not the other way round. “It’s all about how we are going to survive a faster future where the speed of information is beating the speed of light”.
8. The missing links, cyber experts: ever-seeping technologies and social dynamics are shifting healthcare into hyperdrive, & this pandemic has made it a huge centre of attraction already, unfortunately also drawing in unprecedented security concerns, as we discussed. A vast majority of hospitals don’t have full-time cybersecurity employees. It is a double whammy: lack of awareness compounded by a lack of resources, & there are again umpteen reasons for this; the universal problems, in short.
One recent research paper says: “In practice, a hospital that does not have sufficient resources will struggle to develop cybersecurity capabilities and meet a target level of cybersecurity capabilities. They will almost certainly be the victim of a cyberattack, and following the attack, will likely increase resources for cybersecurity (i.e., a reactive mode)” (https://bit.ly/3AUQMfJ).
Does your hospital have a cybersecurity task force or cyber security expert or any other designation related to this domain? Do comment…
9. The deadly hookup, bitcoin + ransomware: cryptocurrency, one of the most talked-about trends today, has triggered the rise in cybercrime. These peer-to-peer transactions enable hackers to demand sums completely online without having to go through wire transfers or physical money transfers, making things easy-peasy to manage…
According to a study by Palo Alto Networks, ransomware attacks have yielded an astonishing 171% increase in ransoms paid between 2019 and 2020. The study found that the average cost of a successful ransomware attack now exceeds $312,000 per incident. Furthermore, the most substantial ransom doubled between 2015 and 2020, rising from $15 million to an exorbitant $30 million (source: https://pcihipaa.com).
What’s the Reward?
Motivations can vary in ransomware attacks, but the most frequent reason is certainly making a buck. We all know that the healthcare industry possesses information that is of high monetary and intelligence value but what makes them so feeble during a face off with a cyber attack episode is the urgency of accessing the right information. Reasons could vary from saving someone’s life to preventing a shutdown of an entire hospital to averting a national crisis; these grounds could be countless to defend their response to any zero-day attack, where many times the price accompanying is much more than just financial.
Stolen health records may usually sell for up to 10X or more the price of stolen credit card numbers on the dark web. And what’s worse is the cost to fix a breach in healthcare, which is almost 3 times that of other industries, averaging $408 per stolen healthcare record versus $148 per stolen non-health record.
IBM’s Cost of a Data Breach Report found that healthcare organisations suffered the highest costs of data breaches for the 11th consecutive year in 2021. This year saw the average cost of a healthcare data breach surge to $9.23 million, a 29.5% increase compared to the previous year. Now that’s a smashing number, more than any other industry, with the financial sector being a distant second, chilling at $5.72 million. Furthermore, medical organisations have seen a 185% increase in the number of healthcare data breaches this year compared with last year, giving healthcare & its leaders wide room for introspection on cybersecurity strategies & risk mitigation.
The valuation of stolen data & what do they do with it?
Look at it this way: when a credit card number is stolen, the bank cancels the card, issues a new one, and reimburses the client. However, the static nature of health data prohibits any such remedy; e.g. when a patient’s PHI is stolen, the patient cannot change the date of birth or blood type, or any other health and genetic information. Hence, once stolen, this health information is widely applicable and valuable for a range of crimes, from identity theft to medical fraud.
What do they do with your stolen data?
- Patients’ protected health information (PHI) includes health records, health histories, lab test results, medical bills, etc. A secretly downloaded patient record sells hot on the dark web, & can fetch as much as $1,000 each (source: Experian), whereas the black-market value of medical records stands at $250 each (source: Trustwave).
- Financial information like credit card and bank account numbers and security codes can be used to create clone cards for making fraudulent transactions.
- Personally identifying information (PII) such as Social Security numbers, home addresses, full names, and dates of birth can be used in identity theft. E.g. the buyer can apply for loans or credit cards under the victim’s name and also file fraudulent tax returns.
- IP related to medical research and innovation is of very high worth.
- Health insurance credentials are especially valuable in today’s economy because healthcare costs are causing people to seek free medical care with these stolen credentials.
- More & more crimes…
Quoting Dan L. Dodson, CEO at Fortified Health Security: “Healthcare data has the only data sets in the world that gets more valuable every day.”
The future of ransomware in healthcare?
The last decade has seen the bounteous extension of artificial intelligence in the health industry, turning it into one of the most powerful agents of transformation. Whether it’s about uncovering the leading clinical practices, automating repetitive tasks, or offering precision medicine, AI is omnipresent.
These AI technologies are unquestionably offering significant benefits, but what if the same technologies are used against healthcare? With the steadily decreasing complexity of implementing AI-based solutions, the usage of AI-based technologies for offensive purposes has begun to creep into healthcare systems too. These attacks vary from tampering with medical images using adversarial machine learning techniques for false identification of diseases to manipulating medical device readings to alter patient status; the list can be endless.
Once released into the system, these self-learning attacks will not be restrained, nor will they be dependent on orders from anyone. These rogue algorithms will make their own decisions, often while deep inside the health networks, and deliver blows stealthily and virtually without any trace, & such AI cyber-attacks will be extremely difficult to stop.
Addressing cybersecurity in healthcare isn’t going to be an easy task; it demands a unified approach, shared vision & collective efforts among all the stakeholders within the healthcare ecosystem backed by sensible regulatory interventions. Healthcare needs to move forward together to make this industry less & less attractive to cybercrime in future, & to achieve this, investments & robust strategies need to be prioritised.
The new digitally enabled healthcare is not just about the best of the clinical care but also about the most trustworthy protection of the patient data. Privacy should be an integral part of the design phase, in order to ward off any architectural weaknesses or flawed business logic at a later stage that might become too costly to handle. With a zero-trust security approach, assume that every user, network, system, device, and piece of data has already been breached.
Cybersecurity is a colossal subject in itself & a whirlwind topic for discussion. What is vital here in healthcare is that we exchange knowledge and discuss potential threats, best practices and mitigation strategies between stakeholders across public and private sectors globally. The right information sharing will facilitate situational awareness and a solid understanding of threats, threat actors, their motivations, tactics, and techniques used, making all of us more prepared & equipped for the future together.
We must talk more & more about it!
Thank you & your thoughts are most welcome.
Dr. Monika Sonu, CEO & Director New Product Development, Healthinnovation Toolbox.