After May 2017’s WannaCry cyber attack, which cost the NHS an estimated £92m and also affected other countries across the globe, governments and authorities alike pledged to ramp up cybersecurity across the sector. Unfortunately, though, the healthcare industry remains plagued by threats.
Israeli researchers have created a virus that is able to add tumours into MRI and CT scans, while in the first three quarters of 2019, the number of threat detections across the healthcare sector rose by 60% compared to 2018 in its entirety.
In the healthcare sector, there’s a great deal at stake: access to patient records, tampering with appointments and attacks on connected devices are just a few of the industry’s major concerns. As Adam Kujawa, director of Malwarebytes Labs, says, “We should be arming healthcare now with extensive security measures because…ransomware is looking to penetrate healthcare organisations from several different angles.”
So why is the industry such a target, what are its specific challenges, and what does the sector need to do to overcome these?
Why is healthcare a target?
In a report published by cybersecurity firm Carbon Black earlier this year, the company’s chief cybersecurity officer, Tom Kellermann, summed up the sector’s appeal to hackers quite succinctly. “What’s at stake is insurance fraud, identity theft, the corruption of the integrity of data that can lead to malpractice,” he said. “It’s the corruption of sensitive life-saving systems or robotics surgery systems that can lead to deaths. What’s at stake is the irrecoverable destruction of healthcare data that’s digitized and people having to start from scratch.”
And this healthcare data is of huge value to cyber criminals. The Carbon Black report claims that our personal health information is worth three times more than personal identifying information like credit card numbers or addresses – and can be used by fraudsters in a variety of ways. As well as holding individuals to ransom by threatening to reveal their medical information, criminals may buy personal health information to attempt to file fake claims with insurers, or to create fake IDs in order to buy drugs or medical equipment.
While a financial breach will often include just a single marker, healthcare data will generally include all of an individual’s personally identifiable information. And while healthcare is subject to many of the same breach types and weaknesses as other sectors (like a lack of cybersecurity training amongst staff), it also has its own sector-specific challenges that must be addressed.
What are the cybersecurity challenges specific to healthcare?
Not only is the healthcare sector targeted because of the value of its data, it also has its own quirks and complexities that make it a sitting duck.
Challenge 1: Innovation vs. legacy
The healthcare industry is becoming increasingly complex. The Internet of Things has opened up a wealth of opportunities for the sector, from smart tech that improves cancer care to ingestible sensors that confirm whether a medication is being taken as directed. There are even now industry events covering the topic.
While innovation is a positive step in terms of improved patient care, it comes with challenges. For many healthcare providers, these new technological developments sit alongside legacy applications that house historic data. Often, this will be either because the new vendor wants no responsibility for the quality of older data, or because the migration is deemed too cost-prohibitive or complex.
What this means, though, is that hackers are given an easy in: an unsecured back door that could lead to systemic infection of entire hospital systems.
Challenge 2: Huge numbers of devices
Connected devices are becoming so prevalent in healthcare that it is claimed that the average hospital room is home to between 15 and 20 such solutions – and that a large hospital could be home to up to 8,000 IoT devices.
Security breaches can occur in any of these devices, from pacemakers and MRI scanners to CAT scanners and insulin pumps. In 2017, cybersecurity vulnerabilities were discovered in certain implantable pacemakers, requiring nearly 500,000 people to install a software patch for protection.
However, a key issue here is in the numbers. With healthcare services now so reliant on so many different connected devices, it can be hard to keep up to date with the latest threats to each and every one. Hackers who can access just one device could gain access to reams of personal data as well as to other connected devices. Should it be the responsibility of centralised IT teams to manage every single device in use, or should healthcare professionals be equipped to take responsibility for their own areas? Calls for cybersecurity training to be incorporated into medical curriculums suggest that the latter may be beneficial.
Challenge 3: A shortage of full-time cybersecurity employees
While it may make sense for healthcare professionals to take some ownership of the security of their own connected devices, this alone isn’t enough.
In June 2017, the US Health Care Industry Cybersecurity Task Force revealed that three in four hospitals have no dedicated cybersecurity professional, while a report the following year showed that 49% of hospitals have no CISO.
This needs to change. Mitigation strategies and internal cybersecurity training should be led by a central cybersecurity employee or team. But with the ISACA State of Cyber Security Report revealing that 27% of healthcare firms are unable to find suitable candidates to fill cybersecurity roles, there is clearly more work that needs to be done.
What now for the healthcare sector?
These three challenges all require solutions, with responsibilities lying both with the government and healthcare trusts as well as with individual organisations.
As more and more new systems are introduced, the number of legacy applications that will be left to fester – and to entice cyber criminals – will continue to increase. In situations like these, it’s vital that healthcare organisations have a robust retirement strategy in place that identifies levels of vulnerability and details how to deal with them.
The majority of cybersecurity issues within healthcare, however, can be resolved by people. The number of connected devices is on the rise, but healthcare providers are increasingly employing bring your own device (BYOD) policies: one survey claimed that 81% of healthcare organisations allow medical staff to use their own mobile phones, tablets and laptops in the workplace. 46% of those companies, however, are doing nothing to secure these devices.
It’s clear that a large part of the problem lies in staff training. Educating staff in everything from email security to handling confidential patient data is a must, with a cybersecurity training and strategy policy being dictated centrally.
To do this, however, a CISO or similar is required; it should not be the remit of a regular IT team. Without qualified cybersecurity staff, a lack of guidance and understanding could mean that medical staff are unaware of their responsibilities, will not know when new security patches need installing, and could notice too late when an attack takes hold.
Establishing a culture of security, one where trained, full-time experts, training, education and information sharing come together, can make a big difference to the industry. And with healthcare’s technological side developing at such a rapid rate, it’s something that needs to happen sooner rather than later.
It’s clear that the healthcare industry needs quality cybersecurity professionals to secure its future. If you’re looking to make your next move into the healthcare sector, take a look at our latest vacancies.
Image credit: Unsplash