23rd September 2016
Indy Dhami, Director of Cybersecurity Consulting
Cybercriminals view healthcare data as a lucrative business opportunity. Healthcare records combine personal, medical and financial information, which makes them financially attractive, and the organisations holding them are considered easy targets. The traditional victims of cyber-attacks in the financial sector have invested heavily in cyber security by implementing people, process and technology controls; the healthcare sector has lagged behind.
Recent attacks and industry data provide chilling statistics: a 2016 Ponemon Institute survey estimated the cost of breaches to the healthcare industry at $6.2 billion, with an average cost of $2.2 million per organisation and criminal attacks up 125 percent since 2010. It has also been reported that stolen health credentials sell for around $10 each, up to 20 times the value of stolen U.S. credit card details.
Notable incidents at healthcare providers include:
- Anthem – 78.8 million health insurance records containing personally identifiable information were stolen by hackers.
- Premera Blue Cross – the health insurer lost 11 million records containing personal and clinical data in a targeted cyber-attack.
- UK NHS – the UK National Health Service lost a laptop containing 8 million patient records.
More recently there has been a surge in ransomware attacks against hospitals including:
- Ottawa Hospital, Canada
- Lukas Hospital, Germany
- Klinikum Arnsberg Hospital, Germany
- Methodist Hospital in Henderson, Kentucky, USA
- Chino Valley Medical Center, USA
- Desert Valley Hospital, USA
- MedStar Health, USA
- Hollywood Presbyterian Medical Center, USA
- Los Angeles County Health Department, USA
All of the above organisations suffered malware infections that encrypted data and blocked access to it until a ransom was paid (usually demanded in bitcoin). Attacks of this type put significant strain on a hospital's ability to provide emergency care, on its ability to protect patients' financial assets, and on its reputation.
The US Federal Bureau of Investigation also issued warnings to healthcare providers stating that they have “observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII). These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data”.
The criminals behind such attacks range from lone hackers to cybercrime gangs and state-sponsored agencies. All of them have realised that healthcare organisations are easy prey, simply because cyber security has not been taken seriously and staff are generally not savvy enough to realise that opening an unexpected document or clicking a dubious link can expose the whole organisation to infection.
As a minimum, healthcare organisations should consider:
Developing policies, standards and guidelines – using industry best practice such as the upcoming NIST cybersecurity guidelines, ISO 27001 or the Information Security Forum (ISF) Standard of Good Practice. These should cover the safe use of email, the internet and mobile devices.
Managing access and identities – understand who has access to which data and systems, and apply role-based access accordingly. This is critical to keeping control over who can reach critical information and systems. Include physical protection of the locations where data is stored: if a data centre is compromised it can bring an entire facility to a halt, which should particularly concern any healthcare organisation that relies on IT systems for patient care and administration.
Investing in technological controls combined with awareness and behavioural training – technical controls are vital to a holistic security strategy, but it is even more important to train employees to recognise the risks of handling sensitive information and to spot potential dangers. Building a strong culture of cyber security across the organisation is essential. An education programme should be sponsored by leadership, and be engaging, regular and varied, and users must be held accountable for their share of information security.
Developing and embedding an information risk assessment framework – use a framework for assessing and managing your information throughout its lifecycle and the risks to it. Options include the recently updated Information Risk Assessment Methodology (IRAM2) from the ISF and the NIST Framework for Improving Critical Infrastructure Cybersecurity. Identify the risks and define the appropriate protection for the information and information assets specific to the organisation and the data it holds. Include analysis of regulatory and legislative requirements and an assessment of current IT architectures, industry trends and related threats.
Regularly patching, backing up and encrypting data – apply vendor software updates promptly, perform scheduled and secure backups of all critical information, and encrypt data where needed. Regular backups are an essential part of operational cyber hygiene: after a cyber-attack or ransomware outbreak, data and systems can be restored quickly, provided the backups are kept where a compromised host cannot overwrite or encrypt them and are tested for restorability.
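The backup recommendation above is the one item in this list that can be shown as a concrete check. The script below is an added example, not part of the original article or of any product it mentions. It keeps versioned snapshots that are never overwritten, signs each snapshot's manifest so tampering with the stored copy is detected before a restore, and refuses to take a new snapshot when most previously known files have changed at once, which is what a ransomware encryption pass looks like from the backup job's point of view. It uses only the Python standard library; the HMAC key, the 50 percent change threshold and the snapshot directory layout are the example's own assumptions, and encryption at rest is assumed to be provided by the backup volume rather than by this script.

```python
"""Versioned, integrity-checked backups with a ransomware sanity check.

Added example (stdlib only). Assumptions: the backup target is on an
encrypted volume the source host cannot write to directly, the HMAC key
lives on the backup host only, and a snapshot in which more than half of
the known files changed is treated as a suspected mass-encryption event.
"""
import hashlib
import hmac
import json
import shutil
from pathlib import Path

MAX_CHANGED_FRACTION = 0.5  # assumed threshold: refuse if >50% of known files changed


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under src."""
    return {str(p.relative_to(src)): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def changed_fraction(previous: dict, current: dict) -> float:
    """Fraction of files in the previous snapshot that are now missing or altered.
    New files are ignored: adding data is normal, rewriting everything is not."""
    if not previous:
        return 0.0
    changed = sum(1 for rel, digest in previous.items() if current.get(rel) != digest)
    return changed / len(previous)


def _sign(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON manifest; detects edits to the stored copy."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def latest_snapshot(backup_root: Path):
    snaps = sorted(p for p in backup_root.glob("snapshot-*") if p.is_dir())
    return snaps[-1] if snaps else None


def load_manifest(snapshot: Path) -> dict:
    return json.loads((snapshot / "manifest.json").read_text())


def take_snapshot(src: Path, backup_root: Path, key: bytes):
    """Copy src into a new numbered snapshot directory; old ones are never touched.
    Returns the new snapshot path, or None when the change set looks like a
    mass-encryption event and an operator should investigate first."""
    backup_root.mkdir(parents=True, exist_ok=True)
    current = build_manifest(src)
    prev = latest_snapshot(backup_root)
    if prev is not None and changed_fraction(load_manifest(prev), current) > MAX_CHANGED_FRACTION:
        return None
    n = len(list(backup_root.glob("snapshot-*"))) + 1
    dest = backup_root / f"snapshot-{n:04d}"
    shutil.copytree(src, dest / "data")
    (dest / "manifest.json").write_text(json.dumps(current, sort_keys=True))
    (dest / "manifest.sig").write_text(_sign(current, key))
    return dest


def verify_snapshot(snapshot: Path, key: bytes) -> bool:
    """Check the manifest signature, then every stored file against the manifest."""
    manifest = load_manifest(snapshot)
    expected = (snapshot / "manifest.sig").read_text()
    if not hmac.compare_digest(_sign(manifest, key), expected):
        return False
    return build_manifest(snapshot / "data") == manifest


def restore(snapshot: Path, dest: Path, key: bytes) -> bool:
    """Restore only from a snapshot that verifies; a tampered copy is refused."""
    if not verify_snapshot(snapshot, key):
        return False
    shutil.copytree(snapshot / "data", dest, dirs_exist_ok=True)
    return True
```

Run `take_snapshot` from the scheduled job and `verify_snapshot` from a separate restore test, since a backup that has never been restored is only a hope. The change-fraction check is deliberately coarse: it will also trip on a legitimate bulk migration, which is the point, because that is exactly when an operator should confirm the change before the good history is diluted by a bad snapshot.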