The red and white screen reading “Ooops, your files have been encrypted!”, with a countdown timer running on the left, is an image that still unsettles doctors across the globe. Weeks after the WannaCry ransomware outbreak crippled organizations and health care facilities worldwide, clinicians were still documenting patient histories with pen and paper. WannaCry was not especially sophisticated as malware: it spread as a worm through an SMBv1 flaw for which Microsoft had published a patch (MS17-010) two months earlier, and it hit hardest where large fleets of Windows machines had gone unpatched, which describes many hospitals. The impact was enormous: roughly 200,000 computers infected across 150 countries, with damage estimates ranging from hundreds of millions to billions of dollars. It also reaffirmed that cyberattacks have real-world consequences, in this case canceled outpatient appointments, disrupted elective and emergency admissions, strained accident and emergency departments, and even avoidable deaths. WannaCry is just one example; over the following two years, attacks on the health care sector continued. In fact, health care is the most breached industry in the world. According to HIPAA breach-report data, nearly 198 million health care records were breached between 2014 and September 2019. But why? Why is the health care sector attacked so frequently? What motivates criminals? Why do hackers find health care data so lucrative? And why aren’t we able to stop it?
By Augustin Kurian, Sr. Feature Writer, CISO MAG
What makes health care data valuable?
One of the key reasons health care data is attacked so frequently is that it is good business for criminals. On the black market, protected health information (PHI) is worth more than financial details or even ordinary personally identifiable information. In its report Healthcare Cyber Heists in 2019, Carbon Black found the sector being targeted precisely because PHI is more lucrative than other personal data such as credit card numbers; commonly cited estimates put health records at roughly three times the value of other personal information.
This is because, unlike a credit card number or contact details, which can be replaced once the owner spots a discrepancy, a person’s health history does not change: illnesses, ailments and surgeries stay on the record for most of a lifetime. “Health information never changes, and can be used by cybercriminal groups for extortion or compromise,” the Carbon Black report asserts. Beyond that, medical records let criminals target victims with scams and frauds tailored to the details of their medical history. Stolen records are also used to obtain prescriptions for personal use or resale, and there are reports of criminals filing fake insurance claims to buy and resell medical equipment. But it gets even scarier.
What makes health care data vulnerable?
Innovation has brought everything under the digital umbrella. Recall Hypponen’s Law, coined by Mikko Hypponen: “If you plug something into the electrical grid in the future, you will also plug it into the internet grid” and “whenever an appliance is described as being smart, it is vulnerable.” The rule applies to the health care sector as well. Yury Namestnikov, head of the Global Research and Analysis Team at cybersecurity firm Kaspersky, pointed out at the recent Cyber Security Weekend in Yangon, Myanmar, that “76% of devices in health care facilities in the Philippines were infected by malicious code.” Most of those infections were not the work of a remote attacker but the result of employees plugging unvetted USB sticks into the machines; the outcome is the same, a fleet of clinical devices running code nobody authorized. The capabilities of that code are alarming. In July, the U.S. Department of Homeland Security’s CISA issued an advisory covering several GE medical devices, including GE Aestiva 7100, 7900, MRI; GE Aespire 7100, 7900, 100, Protiva, Carestation, View; GE Aisys, Aisys CS2 Avance, Amingo, Avance CS2; and GE Carestation 620, 650, 650c. According to CISA, the “vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms.” The weakness, in other words, lies less in the device’s own serial protocol than in bolting that protocol onto a routable network through a bridge that adds no authentication. GE released updates and, together with CISA, published mitigations for these devices.
The proliferation of IoT devices in medicine accounts for much of the increase in attacks. “The health care of the future is going to look very different from the health care of today. We can begin to expect to see the implementation of many IoT devices into health care and with every device comes extreme risks, not only of the device being hacked and health care data exposed but also a great risk of the hacker gaining control of the IoT device and endangering the patient’s life,” said Dr. Carmit Yadin, CEO of ArcusTeam, an IoT security firm. In October, the FDA warned of 11 vulnerabilities, collectively known as URGENT/11, in IPnet, a third-party TCP/IP networking component embedded in a wide range of medical devices and hospital networks; the flaws could allow “anyone to remotely take control of the medical device and change its function, cause a denial of service, or cause information leaks or logical flaws, which may prevent device function,” stated the FDA. The lesson is one of software supply chain: the hospital did not write the vulnerable code and often cannot tell which of its devices contain it without the manufacturer’s help. Ransomware campaigns and phishing emails remain the key threat vectors in the industry. According to Information Commissioner’s Office (ICO) breach data obtained by Egress in 2019, nearly 60 percent of reported breaches were caused by human error, and health care was the sector most affected. A study titled Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions, led by Dr. William Gordon of Brigham and Women’s Hospital and Harvard Medical School in Boston, found that many U.S. health care organizations remain vulnerable to phishing. When the researchers sent simulated phishing emails, employees of the participating organizations clicked on nearly one in seven. The study also stressed the importance of employee awareness of the risks of phishing. “Cybersecurity is a really important issue for hospitals and health care organizations and it’s only getting more important. One of the biggest risks for them is their own employees and it’s manifested through a phishing attack,” said Gordon.
Application security is another key weak point for the health care sector. At the time of writing, the breach portal of the U.S. Department of Health and Human Services Office for Civil Rights listed more than 580 breaches from the previous 24 months under investigation, and web application compromises account for a sizable share of them. According to SecurityScorecard, “The health care industry’s adoption of mobile technologies occurred in response to patient requests. Digital transformation and interoperability led to ad hoc and homegrown application creation. As such, the rapid adoption of new technologies created a patchwork quilt based on functionality rather than security.”
This story first appeared in the January 2020 issue of CISO MAG.
About the Author
Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.