Looming cyberthreat to healthcare

Large volumes of sensitive health data are generated during the interactions of individuals with healthcare providers. This information includes patient records, lab results, medical images, and other sensitive and confidential information like status and progression of serious illnesses. It is imperative to keep this data secret and protected from unauthorised access and theft, for an indefinite time. This is accompanied by a paradoxical need of making this data available to the right people, experts, and other concerned parties for fairly legitimate reasons. An exposed password can be changed, and compromised credentials altered but compromised medical data like a patient’s blood group or medical disability cannot be changed at any time.

Modern healthcare depends heavily on medical devices such as x-rays, insulin pumps and defibrillators. However, these new devices open-up more entry points for attacks for those in charge of online security and patient data protection. Medical devices have a specific function, such as monitoring heart rates or delivering medications. They were not built with security in mind. Although the devices themselves may not really contain the medical data that hackers are after, they can be utilised to launch an attack on a server that does hold valuable sensitive information. In a worst-case scenario, a medical device can be completely taken over by hackers, preventing healthcare organisations from providing vital life-saving treatment to patients.

Healthcare IT systems include a large number and variety of legacy devices, which have been used on locally connected networks. They also typically lack a sophisticated security model and lend to easy exploitation when connected to the internet.

Recently, the healthcare industry has become the prime targets of cyber criminals. Some examples of the types of attacks that have targeted hospitals and healthcare industry include:

1. Ransomware attacks, in which hackers use malware to encrypt data on hospital systems and demand a ransom in exchange for the decryption key. These attacks can disrupt the operation of hospitals, making it difficult or impossible to access patient records and other vital information.

2. Malware attacks, in which hackers use malicious software to gain access to hospital systems and steal sensitive data, such as patient records or financial information.

3. Phishing attacks, in which hackers send emails or other messages to hospital employees in an attempt to trick them into divulging login credentials or other sensitive information.

4. Denial of Service (DoS) attacks, in which hackers flood a hospital’s systems with traffic, making it difficult or impossible for the hospital to provide services to patients.

5. Physical attacks, in which hackers physically access hospital systems and install malware or steal data.

Some recent examples cyber-attacks:

1. In Singapore’s worst cyber-attack, hackers have stolen the personal particulars of 1.5 million patients. Out of these 1,60,000 people, outpatient prescriptions of a large number of people including Prime Minister Lee Hsien Loong and a few ministers were stolen as well.

2. The WannaCry cyber-attack crippled the UK National Health Service between 12 May and 19 May and more than 19,000 appointments were cancelled as 2,00,000 computers were locked out. It cost the NHS a total of £92m in the handling and subsequent cleanup and upgrades to its IT systems.

3. November 2019 in France, operations at all five sites of the Rouen University Hospital-Charles at Nicolle were disrupted by a ransomware attack, affecting 6,000 of the hospital’s computers, all IT systems were shut down leading to widespread service disruption.

4. October 2019, an attack against the DCH Health System in Alabama crippled three of its medical centers and Patients had to be referred to other providers.

5. In the beginning of May, a new “Snake” ransomware hit Fresenius Group, Europe’s largest private hospital operator. This attack disrupted the company’s major operation except for patient care.

6. In the latest incident on April 21, Ransomware infection at Parkview Medical Center in Pueblo County, Colorado, rendered the hospital’s ability to store patient information inoperable.

7. The Blackbaud breach in May 2020, in which a hacker accessed the systems of a major provider of software to educational institutions, non-profits, and healthcare organisations. The breach exposed the personal data of millions of individuals.

8. The attack on Universal Health Services in September 2020, in which hackers used ransomware to disrupt the operations of one of the largest hospital chains in the United States. The attack caused widespread disruption and resulted in the temporary shutdown of some hospitals.

Implications of such attacks

A security incident could have a devastating impact, potentially impacting: Productivity, Reputation and Revenue but consequences of a breach for the medical systems are much more dire as compared to any other organization. Connected medical devices today range from Wi-Fi enabled infusion pumps to smart MRI machines. This has tremendously increased the attack surface of devices sharing information. There are huge security concerns including privacy risks and potential violation of privacy regulations, apart from the possibility of imminent harm.

Possibilities are unthinkable, stolen, or modified patient data can put a stop to critical procedures like dialysis or surgeries, devices locked out due to ransomware attack can even cause death.

Safeguards

It has to be kept in mind that if you are an institution dealing with COVID-19 research, any press coverage will lead to increased interest from malicious cyber adversaries. It is time to urgently take stock of critical systems and prioritise patching of known vulnerabilities, especially in internet connected systems. Access credentials, especially for important accounts and generally for all other accounts, need to be protected by using complex passphrases and multifactor authentication. Any account showing unusual or anomalous activity should be immediately suspended and examined. Involve cyber security experts to actively scan applications, devices, systems, and networks to detect any breach. Share threat intelligence with other similar institutions in your sector and immediately report every cyber-attack to CERT-IN and other authorities. Also develop a cyber crisis response plan which includes shifting to manual systems and quick disaster recovery.

Security Standards

It is the duty of a healthcare establishment, or any other entity which has generated and collected digital health data to protect the privacy, confidentiality, and security of the digital health data of the owner. Such establishment, or any other entity should take all necessary physical, administrative and technical measures (as prescribed or specified in law), to ensure that the digital health data collected, stored and transmitted by them, is secured and protected against access, use or disclosure not permitted under law, and against accidental or intentional destruction, loss or damage.

The Information Technology (Reasonable Security practices and procedures and sensitive personal data or information) Rules, 2011(SDPI Rules) prescribe the Reasonable Security Practices and Procedures, i.e., the International Standard IS/ISO/IEC 27001 on “Information Technology – Security Techniques – Information Security Management System – Requirements”, or in case of any industry association or an entity formed by such an association, whose members are self-regulating by following other than IS/ISO/IEC codes of best practices for data protection), shall get its codes of best practices duly approved and notified by the Central Government for effective implementation.

The National Institute of Standards and Technology (NIST), in its effort to help health care organisations protect patients’ personal health information has recently updated its cybersecurity guidance for the healthcare industry which is designed to help the industry maintain the confidentiality, integrity and availability of electronic Protected Health Information, or ePHI.

The audit of reasonable security practices and procedures shall be carried out by an auditor at least once a year or as and when the body corporate or a person on its behalf undertake significant upgradation of its process and computer resource.

In the event of an information security breach, such entity or a person on its behalf shall be required to demonstrate that they have implemented security control measures as per their documented information security programme and information security policies.

Conclusion

Hospitals and healthcare institutions need to run 24*7, and so do their IT systems. Given the criticality of the data and procedures they hold, both in terms of confidentiality and severity of consequences to human life, are in dire need of protection from cyberattacks.

The cybersecurity posture of healthcare institutions and information systems needs to be immediately hardened. While maintaining cyber hygiene can be an effective stop gap measure, like sanitisation and social distancing in a pandemic, deeper institutional, policy and design changes are imperative.

Access to patient records is a gold mine for cybercriminals, as they often contain information such as date of birth, insurance, and health provider information, as well as genetic and health data information that cannot be easily altered, unlike passwords.

Healthcare connected devices and databases need an immediate cybersecurity overhaul. Worldwide, this sector would be spending very large sums on securing its critical life support and patient management systems in the near future. Care has to be taken that a 360-degree approach, right from device supply chain sanitisation to user awareness, capacity building and incident monitoring as well as crisis response are evolved in a comprehensive way. A cyber breach in healthcare is literally a life and death question, it is time that the preventive and curative principles of public health are put in use for the cyber world too.