Health is the new wealth. Our physical and mental well-being impacts every aspect of our lives—including our ability to be loving parents, supportive friends and successful professionals. Information about our health is profoundly personal. No one beyond our trusted medical caregivers should have access to our most private details. The sensitive nature of our medical records, however, makes them a coveted target for sophisticated cybercriminals. Growth economies are particularly vulnerable.
Cybercriminals target healthcare for two fundamental reasons: the healthcare industry is a rich source of valuable personal data that commands a high dollar value on the black market, and the healthcare industry’s existing technologies and processes are fraught with vulnerabilities. The exponential growth of personal health data is being generated from an increasing number of connected devices and networks. By the end of 2020, about four billion people will be connected via the Internet of Medical Things (IoMT). According to the INFOSEC Institute, more than 70 percent of IoMT devices lack fundamental security safeguards as applications primarily focus on the features of the software rather than the security of the data. IoMT, therefore, presents cybersecurity experts with unprecedented challenges that require the collaboration of many different stakeholders and care providers within healthcare ecosystems.
This is a growing war. Cyberattacks are increasing in terms of number, scale and level of sophistication. A recent CBI Insights report reveals that, “Since 2017, roughly six billion confidential digital records have been stolen from around the world and counting. Just in the last two years there have been at least three separate data breaches in which at least one billion confidential records were stolen or exposed at once.”1
From a single laptop in a rural village to elite teams of experts sponsored by nefarious governments, cybercriminals can operate from any location with an Internet connection, and they are targeting healthcare organizations in growth economies that have not implemented modern, sophisticated defense systems.
Healthcare communities, cybersecurity professionals and governments must acknowledge these five stark realities as they seek ways to combat the persistent and ubiquitous threat of cyberhackers.
1. Healthcare has a target on its back.
The three main targets of cybercriminals are electronic health records, healthcare infrastructure and individual medical records. Sensitive information has become a very powerful commodity in modern society. Just as gold, diamonds and printed money have attracted thieves for centuries, information has become one of earth’s most valuable assets. The more sensitive, damaging or revealing the information is, the more value it possesses. Details about how healthy, or unhealthy, individuals and groups are can be ransomed for astronomical prices.
In July 2018, ransomware targeted SingHealth, Singapore’s largest healthcare institution, and stole the information of 1.5 million patients, including the profile of the country’s Prime Minister, Lee Hsien Loong—who was identified as a specific target in the attack. These types of ransomware attacks are constantly being perpetrated against healthcare facilities as they struggle to implement comprehensive defense strategies. This trend will only escalate as cybercriminals and healthcare institutions attempt to outsmart and outmaneuver each other as bank robbers and banks have done throughout history.2
2. Hacks can mean life or death.
One of the most concerning current threats to health information privacy is a serious compromise of the integrity and availability of data. Those risks include possible harm to a patient’s safety and health, loss of protected health information (PHI) and unauthorized access to data. In fact, in 2013 The Washington Post reported that the doctors for Vice President Dick Cheney ordered the disabling of the wireless functionality of his heart implant out of fear that it could be hacked by terrorists.3
It’s arguable that cybercrimes in the healthcare industry can have much more drastic consequences to brand equity for institutions than major financial losses. The fear of not being able to access one’s critical health information is a legitimate, and intense, sense of unease. This anxiety is partially what gives the information its value and power. Data security breaches can directly impact the health and well-being of patients, and even result in fatalities. Destroying medical records and hijacking critical pharmaceutical prescriptions can quickly result in casualties and cause death. By stealing information and manipulating public fear, cybercriminals can leverage their stolen assets in unprecedented ways. The reality is these crimes have life-threatening consequences and can be perpetrated from across the world in the middle of the night.
3. Breaches are inevitable and may be internal.
The potential monetary gains for cyberhackers are enormous. Unsurprisingly, more than 70 percent of healthcare industry companies expect a breach from financially-motivated cybercriminals. However, the pervasive image of a lone cyberhacker working from a dark apartment in an anonymous city, or nefarious state-sponsored groups of squinting cyberthieves lined up in rows of bland cubicles, only represents part of the story. Internal employees also pose a great threat to healthcare institutions. Every employee is a human being, and whether or not they are disgruntled, financially distraught or simply unaware of how their behaviors can impact security protocols, there is the potential for corruption. Having the right security clearances, passwords and access to sensitive information may simply be too tempting for internal employees with an ulterior motive.
4. Robust security measures are needed.
The cat-and-mouse chase and confrontations will continue to evolve as cyberhackers continuously seek new ways to penetrate the defenses of healthcare institutions and stakeholders within the healthcare systems—including the manufacturers of connected medical devices. Today’s international and tech-savvy criminals are determined, sophisticated and creative. Healthcare institutions must be even more so. Though the growing awareness of cybersecurity threats have shaken the entire industry, many companies in growth economies have not set up and executed a holistic security framework that provides comprehensive governance and board oversight. Security measures lack an integrated approach that leverages the talents and acumen of not only healthcare professionals, but cybersecurity forces and policymakers at every level of government.
The seamless integration of defense resources is required to combat cybercriminals who pose a dynamic and evolving threat. All stakeholders dealing with health data should shift from passive cyber defenses, to active cyber defenses. Cybersecurity for IoMT must also be a major agenda for next-generation medical devices. Governments and policymakers should provide security guidance and regulatory protocols for medical device manufacturers. The industry must quickly develop and adopt best-practices, frameworks and architectures for ensuring cybersecurity protections across all of IoMT. Hospitals and health systems need to secure medical devices in the same way that banks ensure the security of the credit cards they issue.
Growth economies must respond, and lead, with appropriate security measures and cybersecurity policies.
5. Healthcare can fight back.
Ransomware and cybercrimes can create unimaginable chaos. But businesses, communities and growth economies are not powerless. When working together, they can create a network of systems, assets and protocols that can thwart even the most tenacious hackers. Diligence is key. The healthcare industry must be proactive about preventing cyberattacks before they occur and be smart about responding to them and mitigating damage when they do occur. Though many healthcare institutions have begun to develop effective security strategies, few have implemented a complete plan that addresses preparation, prevention, detection, and response and recovery strategies.
The healthcare industry and associated stakeholders must approach cybersecurity defense strategies with the same level of seriousness and strength that militaries apply to their own defense strategies. For instance, an effective and aggressive defense program would include the use of deception technologies that stop attacks by deceiving the attackers. Also, artificial intelligence (AI) can monitor traffic in and out of each connected device and differentiate between normal and abnormal behavior in real-time—alerting network security professionals when the device is listening to or talking to criminal networks, servers or individuals. AI can proactively block bad actors in real time before they can gain access and inflict damage. Winning cybersecurity strategies intercept and prevent attacks proactively; after all, once a device has been compromised and higher-level servers have been breached, the damage has been done. Lastly, the healthcare industry should consider other innovative defensive measures such as quantum computing, cybersecurity war rooms that provide around-the-clock security operations centers, and a holistic strategy that leverages not only technology but also human behavior and processes.
To learn more about how cybercriminals are holding healthcare institutions hostage, and what the industry can do to protect itself, read this whitepaper.
1 Why Ai, Blockchain, & Enhanced Encryption Are The Future Of Enterprise Data Security
2 Singapore Suffers 'most Serious' Data Breach, Affecting 1.5m Healthcare Patients Including Prime Minister
Eileen Yu - https://www.zdnet.com/article/singapore-suffers-most-serious-data-breach-affecting-1-5m-healthcare-patients-including-prime/
3 Intermountain Healthcare Launches Security Operations Center To Combat Health Data Cyberattacks