020 8372 1000

Blog


“Easy Money”. Healthcare industry - a cyber criminal’s favourite target


“Easy Money”. Healthcare industry - a cyber criminal’s favourite target

It is clear from recent cyber security intelligence surveys and experiences, that healthcare has become the sector most targeted by cyber criminals. The data shows that over a very short period, well in excess of 100 million healthcare records, have been compromised from more than 15,000 sources in more than 100 countries.

This development unmasks a truth that cannot be hidden by the healthcare industry. It is the favourite of cyber criminals and has become a prime target of cyber attacks.

The healthcare industry is facing a host of cyber security issues, which has a financial and reputational impact for hospitals and other healthcare institutions. In fact, data in many healthcare institutions is being compromised every single day.

Studies suggest that data breaches have cost the healthcare sector over £5 billion globally. One particular report suggested that nearly 8 out of 10 healthcare institutions were hit with two or more data breaches. Moreover, 45 percent of healthcare institutions were affected with multiple breaches and theft of personal data. The bulk of those breaches were reported as “unauthorised access/disclosure,” while others were reported as “hacking” and “ransom attacks.”

These alarming results can be attributed to the following cyber security risks that the healthcare industry should immediately and adequately address:


Limited spending on cyber security

One of the reasons why the healthcare industry is prone to cyber attacks is the limited budget allocated by healthcare institutions to cyber security investment.

According to Symantec, healthcare organisations are notorious for their limited investments in cyber security. Symantec believes that one of the reasons why the healthcare industry is prone to identity theft is because companies don’t’ spend enough on cyber security investments. ABI Research backs up Symantec’s claims. According to the research organisation, cyber security spending in the healthcare sector has been underwhelming. It estimates that investments in the industry against cyber attacks will only reach £9 billion worldwide by 2020. The ABI says it is under 10 percent of the total spend on critical infrastructure security.


High demand for medical records on the black market

The high demand for patients’ medical records on the black market is fuelling the numerous cyber attacks that has hurt the reputation and finances of healthcare institutions.

Electronic health records (EHR) are far more valuable than financial data. EHRs can command a fee on the black market in excess of £40 for each record. As a comparison, for just £1 you can obtain a National Insurance number or credit card number.

EHRs include names of patients, their birth dates, policy numbers, diagnosis codes and billing information. Fraudsters can use this wealth of data in different ways, such as creating fake IDs to buy medical equipment or medications that can be resold. Some cyber criminals combine a patient number with a false provider and then submit claims with medical insurers.

EHRs are deemed more valuable because they are more difficult to detect. EHR theft takes almost twice as long as normal identity theft to be determined. Unlike stolen credit cards that can be cancelled, medical identity theft is more complex and thus difficult to resolve.

This also means cyber criminals have more time to ‘milk’ the information they got from EHRs.

The high prices that EHRs command on the black market can also be the main reason why cyber attacks on healthcare institutions are rising at an alarming rate. Obviously, hackers can make a lot more money when they target healthcare institutions instead of banks and other financing firms.


Ransomware

Cyber criminals don’t even have to steal data from hospital computers to be able to make a quick profit. Ransomware is a new data security threat that has targeted and victimised a number of hospitals in recent years.

It also pertains to a type of malware that cyber criminals infect on a healthcare organisation’s IT system, preventing the medical teams from accessing certain files or sectors. Usually, the infected components become encrypted and the authorised user is then unable to access them. The hackers will then deliver a message containing instructions for sending payment or ransom in exchange for restored access to the affected system.

What makes ransomware even more complex is that cyber criminals demand that payment be made through bitcoins. Unlike credit cards, bitcoin payments are difficult to trace which aids hackers in eluding authorities.

Aside from the inadequate cyber security programs of hospitals and healthcare institutions, one reason why cyber criminals use ransomware to force these healthcare institutions to pay up, is due to the nature of healthcare operations. Hospital and healthcare providers need speedy access to patient data as well as a functional communications system. Accordingly, these institutions are more likely to pay out instead of letting their operations be affected by this type of cyber attack.


Bring Your Own Device (BYOD) policy

Healthcare organisations are encouraging doctors, nurses, and other medical staff to bring their own devices like tablets, smartphones, and laptops to work. One survey showed that 81 percent of healthcare providers are now allowing their doctors and medical staff members to use their own iPads and other mobile devices at work.

However, 46 percent of those organisations indicated that they are not doing anything to secure those mobile devices. Moreover, 54 percent of them say they have no confidence at all that the employee-owned mobile devices used at work are secure.

Many cyber security experts believe that the BYOD policy can put organisations at risk from cyber attacks.

For one, mobile devices like laptops can be stolen from company offices and expose patient data. There have been many instances of unencrypted laptops stolen from healthcare providers. These devices can contain huge quantities of personal data. One such case of theft resulted in two unencrypted laptops containing data of about 700,000 patient’s records entering into the public (Dark Web) domain.

Of course, mobile devices can also increase the risks of a healthcare organisation to data breaches. A recent study revealed that 66 percent of health apps that send identifying information over the Internet don’t use encryption, while 20 percent don’t have a privacy policy.

As such, healthcare organisations should be stricter when it comes to BYOD policies. For example, they should bar their employees from sharing personal health information through file sharing platforms to minimise risks of identity theft. They must also install third-party solutions on the devices of their employees, and deploy a MDM service to wipe the data on the device should it be stolen.


Employee negligence

Although cyber attacks remain the leading cause of data breaches in the healthcare industry, there are still many security issues that are caused by negligent employees. An employee, for example, may open an email attachment that contains malware and compromise confidential information stored on a computer.

Hospitals and healthcare organisations can minimise the risks of cyber attacks if they have staff who are very much aware that carelessness can put their patients at the mercy of cyber criminals.

Employee training on cyber security is key and can reduce the risk of a cyber attack from 70 to 45 percent according to industry sources and in my personal experience as a Security and GDPR/DPA 2018 Specialist. Investing in various IT security technologies can also help mitigate risks of data theft, ransomware and other types of cybercrime, but healthcare organisations should also focus on their personnel and make them more aware of these cyber attacks.

Furthermore, hospitals, clinics, and other healthcare organisations should be encouraged to educate their staff and train them in handling confidential information, particularly patient data. Employees should also be periodically tested for their level of security knowledge. Further training in handling email safely and undertaking security best practices must be regularly revisited. Some healthcare institutions even work with an external security agency to develop the ability of their personnel to identify phishing emails and other forms of cyber attacks.


Conclusion

What I have discussed are arguably the top cyber security risks facing the healthcare sector today. Suffice to say, if a hospital, clinic, or healthcare provider is able to deal with these risks very well, then it can significantly reduce its chances of being hit with a cyber attack.

At Caretower, we are working with medical practitioners and advising them on all aspects of cyber security and awareness. For more information on how we can support your organisation, contact us here.


Steven Davies
MIET, MBCS, Security & GDPR Specialist



Blog