Cyber Security and Healthcare, Uncomfortable Bedfellows?
The duty of a healthcare professional is to treat the patient in front of them. Increasingly, this is assisted by and dependent on advanced technologies and IT systems. To continue to do so, the healthcare industry will need to adopt a more astute cybersecurity stance.
The first high profile cyber security incidents were in fast-moving retail, technology and finance industries. Whilst these have often significant financial and public-relations impacts, they do not directly affect the well-being of individuals. 2015 saw a dramatic shift, with the healthcare industry suffering the greatest number of cyber incidents based on data from IBM’s security services operation, alongside a trend of increasingly targeted adversaries.
IBM identified almost 10 million patient records are available for sale in the ‘dark web’. Healthcare information is sought after because its useful lifetime is longer, and contains more personally identifiable information (PII) than credit cards. This information can subsequently be used for identity, financial and tax frauds, and for extortion attempts. Since it is more difficult to change identity, healthcare data is worth significantly more than credit card information.
Attackers are now directly targeting establishments at the point of care provision. Healthcare providers were subjected to a number of ransomware attacks in 2016, resulting in IT infrastructure and digital patient records being inaccessible until ransoms were paid. Patients were reportedly turned away during the attacks, with direct health impacts and potentially fatal consequences. Unfortunately, due to the value of the data, such attacks are likely to continue. Additionally, McAfee identified that the healthcare environment relies heavily on legacy systems, allowing them to be attacked by relatively unsophisticated methods.
Even as uncomfortable bedfellows, cyber and healthcare could be in bed together for a while.
Dr Wendy Ng, CISSP, CCNP; 30th November 2017