Cyber-attacks in the healthcare environment are on the rise, with recent research suggesting that critical healthcare systems could be vulnerable to attack.
In general, the healthcare industry is proving lucrative for cybercriminals because medical data can be used in multiple ways, for example, fraud or identity theft. This personal data often contains information regarding a patient’s medical history, which could be used in targeted spear-phishing attacks.
Dangerous attacks – what are the risks?
Cybercriminals have found medical data to be far more valuable than credit card data or other targets of online scams. This is because medical information contains everything from a patient’s medical history to their prescriptions, and hackers are able to access this data via network-connected medical devices, now standard in hi-tech hospitals. This is opening up new possibilities for attackers to breach a hospital’s or a pharmaceutical company’s perimeter defences. If a device is connected to the internet and left vulnerable to attack, an attacker could remotely connect to it and use it as a gateway for attacking the rest of the network.
The danger is that, because most of these devices are not on segregated networks and are directly connected to other medical computers or life-sustaining medical hardware, attackers could make their way to servers or databases housing sensitive and confidential patient records. Furthermore, whilst unauthorised access to medical data is a serious concern, there is also the risk of tampering with medical equipment that is keeping patients properly medicated. In this case, it is likely that future cyber-attacks could lead to the loss of human life.
The healthcare security spend – how much is enough?
Despite increasing attacks on healthcare organisations, 10 per cent or less of IT spend is put towards security, leading many recent reports to suggest that healthcare organisations are not taking the security of patients seriously. However, while 10 per cent may seem small, healthcare organisations usually have large budgets, which means this could represent a lot more than what a small or medium-sized company would allocate towards security.
What is more of a concern is that, while outside organisations continue to put pressure on healthcare companies to secure patient data, 87 per cent of healthcare organisations are still leaving data at risk. If, until now, these organisations have focused on investing in quality services, medication and personnel, protecting a patient’s medical data should be met with the same level of interest and involvement. Given the number of implantable or internet-connected medical devices, medical organisations need to account for the fact that, in a cybercriminal’s control, such devices could be used to end life rather than protect it.
Securing the data: Keeping the attackers at bay
The majority of healthcare organisations have often been shown to neglect basic security practices, such as disabling concurrent logins across multiple devices, enforcing strong authentication and even isolating critical devices and servers storing medical data from a direct internet connection. Organisations must start by fixing these shortcomings.
Furthermore, healthcare companies should implement security policies, and invest in intrusion detection systems, access control lists and even regular pen-testing drills to identify network, software and procedural issues.
Going forward, it is vital for companies to invest in training personnel to correctly identify security threats, as they are usually the ones most prone to social engineering techniques or spear-phishing attacks. Healthcare professionals who handle medical equipment should be trained and instructed in security best practices and medical device security, as they could be directly responsible for a potential security breach or patient-related issues caused by mishandling such hardware or software.