Cyber Security in the Healthcare Industryby Arnold Prakash – Intern
Is your medical data safe?The use of digital technology in the healthcare sector is growing significantly. Acute care hospitals, health insurance companies, private sector enterprises, health agencies, and other healthcare system actors rely on computer systems for a variety of purposes, including the provision of medical care, administrative management, disease prevention, and emergency response. However, due to their digital nature, patients’ digital records pose risks to the privacy and the lives of individuals whose data is included in the records. just like any other devices and software “All medical devices that use software and are connected to hospital and healthcare organizations’ networks have vulnerabilities”.
The purpose of this blog is to raise information security awareness about threats to privacy and security of digital healthcare information. More specifically, this blog will discuss popular hacking techniques used for gaining unauthorized access to medical records, the market for hacked medical data, and the unlawful use of hacked medical data.
Hacking Medical DataThousands of medical records containing patients’ confidential information are compromised every year in around the world. These cyber-attacks result in thefts, unauthorized access, and hacking of digital records. The techniques used by cyber criminals for unlawful access of medical records do not particularly differ from the methods used for committing crimes in other sectors. Below, we will briefly overview four popular hacking techniques used for gaining unauthorized access to medical records, namely, phishing, exploitation of software bugs, distribution of malware, and dictionary attacks.
- Exploitation of software vulnerabilities
- Malware Attack
- Dictionary Attacks
- short passwords;
- passwords that do not use a combination of upper and lower cases, alpha characters, and special symbols
- Passwords that resemble regular everyday words.
Even the most comprehensive information security measures can be bypassed by using phishing, i.e., a fraudulent technique whereby an attacker imitates a trustworthy source with the aim to collect sensitive data from an unsuspecting individual. Phishing attacks are usually committed through sending an email from a familiar source that requests clicking on a specific link or providing authentication credentials.
Many health care systems and equipment use computer software for performing various functions, including life-saving operations. The information security of such systems is of paramount importance not only for patients’ privacy but also for their life. However, information security studies reveal that the health care sector does not use up-to-date information security solutions. The health sector is “10 to 15 years” behind the retail sector when it comes to information security. In a pentest at a well-known hospital, security researchers found 30 security vulnerabilities in various health care systems, including cardiology systems, infusion systems, and MRI machines. Some of the vulnerabilities were well-known to hackers, e.g., the security vulnerability MS08-067, which allows hackers to gain unauthorized access to a network. MS08-067 was used previously by the Conficker worm, malware targeting Microsoft Windows operational system. Just imagine the MRI machine being stuck during testing a patient, how deadly can it be.
Hackers may install malware on networks of health care institutions not only by phishing but also by distributing malicious software in the computer network of a healthcare institution. Malware in computer networks and equipment can be spread either through pre-installation by a manufacturer or by a third-party (e.g., a cyber attacker).
In the healthcare sector, hackers often use ransomware. The use of ransomware is a popular hacking method for extorting money from health organizations.
The major part of computer systems that manage digital medical records use password authentication. Therefore, information security issues associated with improper password use (e.g., weak password composition and irresponsible storage) can cause a significant threat to healthcare computer systems. The term “dictionary attack” refers to a cyber-attack in which the attacker systematically enters every word in a dictionary as a password. The following passwords are susceptible to dictionary attacks:
Why do Hackers target medical data?Medical records stored digitally contain a lot of important and confidential information, such as patients’ id card numbers and bank account numbers, birth dates, addresses, physical descriptions, insurance information, medical conditions etc. Such data can be processed for different unlawful purposes, including falsifying prescriptions and receiving fraudulent tax credits. Unsurprisingly, on the black market, the prices of unlawfully obtained medical records are relatively high. FBI and various security experts report that a single medical record in the “dark Web” is worth much more than person’s credit card information, namely, about USD 10 – 50, due to the fact that the stolen medical information cannot be “blocked.” Hacked health credentials are sold in shadowy specialized online marketplaces that serve communities of scammers and hackers. Due to the illegal nature of such websites, they are not easily available for regular Internet users. In order to gain access to markets for health care records, potential buyers and sellers are often required to pay a fee. Moreover, in order to protect such online marketplaces from being tracked and shut down by law enforcement agencies, black market operators may conceal their activities by using special software which makes the marketplaces invisible for the search engines.
“It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it.”
Security in medical devicesTaking greater cybersecurity measures to protect medical devices is more important now than ever. For more than a decade, healthcare has been the largest target for data breaches. Breaches of data in a healthcare setting can have severe implications, as patients’ lives can be in danger from outdated and unprotected medical devices. For example, if computed tomography (CT) or magnetic resonance imaging (MRI) equipment is tampered with, it could result in incorrect diagnoses or even incorrect or unnecessary medical procedures.
Many medical devices used in hospitals today are legacy devices. These older medical devices are at a higher risk of ransomware attacks and rely on systems that no longer support security patches and updates. Such devices were not built with security in mind, which leads them to be more vulnerable. In fact, medical devices see an average of 6.2 vulnerabilities for each device, and many critical devices such as pacemakers and insulin pumps have been recalled by the US Food and Drug Administration (FDA) because of security issues. In addition, more than 40% of medical devices are too outdated for security updates or patches, while 83% of medical imaging devices are legacy systems that are too outdated to update.
Given that experts are aware that healthcare data is the most commonly breached data type, there should be an effort to combat this security risk. There needs to be a greater understanding of where the threats are coming from and how to stop them. In addition, the knowledge that many of the most critical devices are legacy devices and too old to update is concerning. The ability to update a device could be crucial to ensuring cybersecurity. As such, one way to reduce data breaches in healthcare could be to invest in newer devices.
In addition to providing hospitals with new devices that can receive security updates, another idea is to use predictive technology such as ‘breach likelihood’, which is available in other fields and would provide the probability and consequences of a breach happening based on a device. This kind of technology may provide visibility, which is especially necessary among the legacy medical devices.
Securing Medical DataAs providers build their health IT infrastructure and implement new technologies, it is essential to understand the role of data security and how to keep PHI (Protected Health Information) secure.
A secure yet accessible health IT infrastructure is a fundamental requirement for all healthcare organizations. As providers adopt more digital technologies, including electronic health records, data warehouses, advanced wireless networks, and more mobile devices, they must ensure that their infrastructure runs smoothly without exposing the organization to security vulnerabilities.
Data security issues often arise with HIT infrastructure as organizations begin to make the upgrade from legacy systems, which may include an older operating system that is no longer supported or medical devices that were not originally designed to be connected to the internet. It only takes one unsecured device or network access point for an organization to have its data compromised, including the protected health information (PHI) of patients. A current and secure HIT infrastructure will help providers prevent, detect, and recover from potential data breaches.
HIPAA for HIT infrastructure[HIPPA-Health Insurance Portability and Accountability Act of 1996]
Cybersecurity threats are becoming more elaborate and more difficult to combat. Healthcare providers need their HIT infrastructure to remain HIPAA compliant and while keeping daily operations running smoothly.
Organizations are connecting to health information exchanges, adopting electronic health record technology, deploying mobile strategies, and implementing connected medical devices. All of these actions could potentially expose an entity to online threats and even a HIPAA data breach.
Both “HIPAA physical safeguards” and “HIPAA technical safeguards” will have an important impact on a provider’s HIT infrastructure security. Physical safeguards include the necessary physical security measures, policies, and procedures in place to protect its “electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion,” according to HHS.
These can include facility access controls (i.e., locks on doors and keypad entry) and device and media controls, such as ensuring that laptops and tablets are locked away when not in use. Device security is essential as more smartphones, tablets, and laptops are able to connect to the network. If a device is lost or stolen, an unauthorized party may be able to access sensitive information through the device itself. While physical safeguards are important for securing on-premise devices, the migration from legacy systems to a more virtualized network could decrease the number of physical safeguards necessary at a facility.
Virtualization will bring more data agility and compliance concerns, which will likely lead to cloud security worries. The healthcare cloud is an increasingly popular data storage option, as it is hailed as being more secure and can help entities remove physical storage needs.
Cost savings, stronger disaster recovery, and a more scalable platform for internal requirements were top reasons healthcare organizations said they were moving to the cloud. The move to the cloud and virtualized machines emphasizes the need for comprehensive and current HIPAA technical safeguards.
Healthcare providers must consider access control, audit controls, integrity controls, transmission security, and authentication. Essentially, entities need to monitor how data is transferred, stored, and accessed at all times.
How to stay safe from Hackers?
- Ensure Staff is Properly Trained on Healthcare Cyber Security Protocols.
In most situations, the weakest cyber security link in your medical practice will be the user. Ensuring that your staff knows all proper measures to take (and enforcing these measures) makes the organization as a whole more secure.
- Don’t Put Off Software Updates
You are busy, and you do not like the idea of taking your computer system offline to conduct basic software updates. However, neglecting to get the latest version of your now outdated software leaves your devices much more vulnerable to attack. Any security patches that come with the update will be unavailable to you.
Hackers take advantage of people’s complacency and can sneak into antiquated systems more easily than systems that have the latest protection.
- Control Access to Protected Patient Data
You’ve undoubtedly seen news accounts of patients whose private information was stolen by hackers. These sensitive details are protected by the Health Insurance Portability and Accountability. If you fail to keep this data secure, the results can be disastrous. Hackers use confidential patient details to commit identity theft, take funds from bank accounts, and otherwise cause a great deal of chaos.
- Don’t Use the Same Password for Everything
Using easily guessed passwords or the same password for all platforms significantly increases vulnerabilities. Human nature will motivate your employees to use just one simple password to access their information, but this is a big mistake.
It can be tempting to set up one password to check your email, access your bank, and favorite online store as well as the see patient records, but convenience and ease of logging in instead of following patient security requirements have no place in a modern office’s computer systems. All a criminal need is to discover one working password, and then apply it to all the other accounts that the victim uses. The convenience of one password leads to a catastrophic theft of data. Criminals can cause even more mischief if they get into the system and actually change information in patient files.
- Store Passwords in a Secure Place
Instruct your team to never include passwords in a shared document or email. They should use a proven password storing system instead. Instead of writing a password on a sticky note and hiding it in a desk drawer, it will be more effective if each user uses a password based on a phrase. For example, a member of your team could use a phrase such as “Every morning I check email while the coffee brews” and use the first letter of each word to make the password “emIcewtcb” with one uppercase letter. Including numbers and other characters helps make the password even more secure.
- Perform Risk Assessments on a Regular Basis
Not knowing where your vulnerabilities are makes it much harder to protect yourself against attack. You won’t have a clear understanding of your organization’s security issues if you fail to conduct risk assessments on a regular basis.
Thinking you are secure is your enemy here. Your own IT team can perform the risk assessment, or you can work with more objective individuals by hiring an outside firm to take care of this task.
- Maintain a Layered Defense System
Have layered security protocols in place, so even if an attacker breaks through one layer, they still won’t be able to access the protected data, and your practice might be able to identify the attack before it’s too late. Just as you have multiple locking doors to protect your property, building and equipment, you should have many layers of defense against electronic intrusions. That way, even if a weakness appears in one aspect of your defense system, there will be enough coverage.
So, in addition to using strong passwords and forcing workers to change them periodically, you can use physical security in the form of locked doors, security guards, and surveillance equipment. Antivirus software, a robust firewall, and whitelisting of approved applications all contribute to the overall security of your institution.
- Have a Plan to Prevent (and Recover From) Data Breaches
In the unfortunate event of an attack, your practice needs to know what the next steps are. Having a plan in place will help you move forward after an attack. For example, your IT team should regularly review your healthcare cyber security protection to ensure you are always following the latest protocols.
This also means avoiding the practice of automatically allowing software updates before checking out any possible repercussions. And when you do assess an update, it’s best to try it out on a quarantined test computer to ensure a patch or update won’t negatively affect all the computers in your system. To be ready for the aftermath of a successful intrusion, key members of your team should develop a plan for getting the system back up and running, confident that the cloud-based backup of your data will be clean and safe to use.