and financial) damage to a number of healthcare organizations of varying size.
Since then, ransomware has grown exponentially as a threat to the healthcare industry – largely due to the industry’s increasing use of and reliance on EHRs (electronic health records), which have now replaced more than 80 per cent of paper-based records. EHRs are a prime target for malicious ‘black hat’ hackers, who can sell personal data like this for nearly $70 a record on the lucrative black market.
Ransomware attacks still account for 85 per cent of all malware in healthcare, with data disclosure confirmed in more than 70 per cent of attacks. And while ransomware has the power to bring any organization to an abrupt and abrasive halt, healthcare organizations have significantly more to lose than those in other sectors: as well as the lost revenue, there is the risk to life and the litigation resulting from delayed patient care – which is why ransomware remains the most important security concern for healthcare organizations today.
EHRs, however, are not the only vulnerable technology stack within the medical arena. The increasing automation and sharing of personal data via systems and mobile devices has also put patient privacy and safety at considerable risk – driven by the accessibility of wearable and implantable devices, as the Internet of Medical Things (IoMT) has begun transforming healthcare.
There are now 3.7 million medical devices in use, either connected to or monitoring patients to inform healthcare decisions. With the IoT healthcare market predicted (Allied Market Research) to reach $136.8 billion by 2021, it has never been more essential for the issue of inadequately secured IoT devices to be addressed immediately. Otherwise, routine devices such as pacemakers, insulin pumps and monitors – all of them connected to the internet – could be as vulnerable as computers. In fact, IoT devices tend to have weaker security protections than computers, are not as easily patched or updated, and there are no controls tracking who has handled the device or when.
Of course, having a range of third-party providers for all these different technologies means there are even more zero-day vulnerabilities and a need for even more layers of security.
Earlier this year, the US Department of Homeland Security took unprecedented steps to issue a warning for a set of critical-rated vulnerabilities in Medtronic defibrillators.
The government-issued alert warned that the tiny wireless cardio-defibrillators, which are implanted in patients’ chests to steady irregular heartbeats, were at severe risk of manipulation. Homeland Security revealed that the device’s proprietary radio communications protocol (Conexus) was neither encrypted nor required authentication, leaving it open to manipulation by anyone with radio-intercepting hardware.
They gave the alert a 9.3 out of 10 rating, describing it as requiring “low skill level” to reprogramme the defibrillator’s firmware and run any command on the device.
Just a few months ago, a team of Israeli researchers similarly highlighted the security vulnerabilities in PACS (the picture archiving and communication system), and how hackers tampering with CT or MRI scans could aid in insurance fraud, ransomware, cyberterrorism and even murder.
The team of researchers were able to add and remove malignant growths within the scans – successfully deceiving both radiologists and the artificial intelligence algorithms they were using to aid diagnosis, and potentially affecting the treatment plans for serious and fatal diseases.
The healthcare industry is rightly becoming more and more hyper-connected across device types, which is giving patients a better service. The problem is that, with such a variety of SME to MNC third-party providers and the sheer number of new and legacy devices potentially needing updates and maintenance, we are left with a wide spectrum of vulnerabilities, from unencrypted communications to unpatched devices. And, once one workstation or device is infected, we see a systemic proliferation across the network.
There are, therefore, a number of aspects that need to be taken into account to help prevent these sorts of attacks becoming the norm.
Firstly, there’s a level of education needed across the industry, as there’s an evident disconnect between the providers who focus on patient care first and foremost and the IT professionals tasked with implementing cybersecurity strategies. Our medical professionals need to acknowledge the potential risk of these digital systems and build plans to evaluate providers on risk and how to mitigate it.
Operationally, regular updates for devices are essential, and the evaluation of new and current providers should take this into account. Since a lot of the devices – especially legacy systems – might not have real endpoint protection, implementing departmental firewalls or other forms of network segmentation is key. Periodic vulnerability scans should be basic practice, as should training for end users and patients.
Lastly, and perhaps most importantly, the issue should be embraced as the responsibility of the industry to develop standards that will safeguard the continuing advancement and innovation of technology within healthcare.