In healthcare, cyber security is critical. Ram Vaidhyanathan, IT Security and Cyber Risk Analyst, ManageEngine, explores the impact of cyber threats on the healthcare industry and shares his tips for better protection
According to the International Monetary Fund, global GDP was close to £66 trillion at the end of 2018. Assuming that 10 percent of that was spent on healthcare, as it was in 2015, the world’s healthcare market would be worth £6.6 trillion. And assuming healthcare organisations spend three percent of that on IT, the industry likely spent around £198 billion on IT in 2018.
IT spending in healthcare will grow at a fairly fast clip in the years to come as investments in value-based care, patient engagement services, connected medical devices, multi-cloud environments, data analytics, and mobile applications gain ground. And as emphasis is given to preventive healthcare on top of treatment, IT spending will likely increase even faster to keep up with the growing list of services healthcare organisations provide.
All of this means increased personalisation for each patient and better productivity among healthcare staff. But at the same time, these improvements will increase the attack surface for healthcare organisations and the potential risk of cyber attacks.
Why would cyber criminals want to target healthcare?
In 2017 the NHS fell victim to the devastating WannaCry ransomware worm, which spread between unpatched Windows systems, encrypted the files on each machine it reached and demanded payment to decrypt them; worldwide it infected over 200,000 computers. A third of hospital trusts and 8 percent of GP practices were affected and 19,000 patient appointments were cancelled. Beyond the disruption to services and the cost of the clean-up and the IT security upgrades that followed, healthcare organisations must also consider the risk to patients’ personal data.
Electronic health records (EHRs) are thought to be more valuable than stolen financial data on the dark web. This is because each EHR may contain rich information including the patient’s name, gender, medical history, progress notes, prescription details, test results, radiology images, and insurance data. A cyber criminal could use this information to commit identity theft, buy medical equipment or drugs, or file fraudulent insurance claims.
A typical cyberattack at a hospital
An attacker could use any of numerous techniques to get into a hospital’s network, but it is useful to walk through a scenario that follows a typical attacker’s modus operandi.
A front-desk employee at a hospital receives a spear phishing email from a cyber criminal posing as the hospital’s head of operations. The email asks the employee to open an attached Word document, fill in some details about patient profiles, and send it back urgently. The employee complies without thinking twice, because everything looks legitimate.
However, the moment the employee opens the Word document and enables the macros it asks for, malware is downloaded onto the employee’s machine without their knowledge. The malware lets the attackers harvest this employee’s account credentials, and with those they can reach every application the employee can. From there, the attacker can lurk and move laterally through the network, looking for particular servers, including the domain controllers that hold all authentication information; many cyber criminals do this with port scanning, which reveals which services are listening on a machine. Finally, the attacker gains privileged access to the EHR database.
Or imagine a scenario in which a criminal disguised as a janitor, carrying a fake ID, gains the trust of the security staff over a week and then simply has one of the guards let them into the chief of medicine’s office, which “needs to be cleaned”, at 12:30am, when the chief is usually not around. Once inside, the attacker gains access to the complete EHR database by logging on to the network from the chief’s workstation with the chief’s password, obtained earlier by a dictionary attack run from a remote location. Because the session comes from the chief’s own office, the database access looks legitimate rather than criminal. A similar incident was depicted in the 1993 movie The Fugitive, and it is not that far-fetched, even in 2019.
How to stop cyber attacks in healthcare
Here are five ways healthcare organisations can defend against cyber crime:
- Educate employees about cyber security: All healthcare staff, including doctors, should frequently be trained on cyber security best practices. The weak links during any attack are often employees, and it’s usually through them that criminals gain an initial foothold. Hosting a training program at least once every six months will go a long way in protecting the entire organisation from cyber crime.
- Implement an identity and access management (IAM) program: An effective IAM program requires the IT team to look closely at the roles and job descriptions in HR’s employee database, work out which employees need access to what information, and apply the principle of least privilege. For example, a radiologist would never need access to the list of patients for whom prosthetics were fitted.
- Perform comprehensive risk assessments: A risk assessment helps the healthcare institution identify all valuable data assets, prioritise them, and determine the business impact of a breach for each one. Using this information, IT can fix first the vulnerabilities that expose the most valuable assets.
- Monitor threshold-based alerts: Threshold-based alerting notifies security personnel as soon as a predefined condition is met. For example, did someone using a doctor’s account fail to log in to a server five times in one minute, and then succeed on the sixth attempt? That pattern points to a brute-force attack, and the alert should fire on the successful logon that follows the failures, not only on the failures themselves.
- Look for anomalies: To better protect against threats, healthcare organisations need to adopt user behaviour analytics (UBA), which looks at patterns of human behaviour and applies algorithms to detect meaningful deviations from those patterns. A UBA engine builds a dynamic baseline from each user’s own activity and monitors for departures from it. This baseline may be updated every day as the user’s activity changes.
For example, the chief of medicine may usually log on to the network between 9am and 6pm, and the system would learn that this is their “normal” behaviour. If this user logs on to the network at 12:30am, it would then be treated as an anomaly and an immediate alert would be sent to security personnel.
What can we expect 10 years from now?
Within the next 10 years, doctors may start using artificial intelligence (AI) in every sphere of their work. AI-assisted robotic surgeries, virtual nursing assistants, and precision medicine might become commonplace. It will also become essential for healthcare institutions to invest in cyber security tools that use AI and machine learning to protect against cyber crime. While precision medicine predicts how likely a patient is to suffer from a particular ailment based on their genetic information, precision cyber security may predict how likely a hospital is to suffer a data breach.