Cyber Security Threats That Smart Hospitals Need to Be Aware Of
Did you know that according to IBM, in 2015, the healthcare industry suffered the most attacks from cybercriminals? Over a 100 million healthcare records were affected in that year alone, and over 8000 devices were compromised across 100 countries. Since then, the numbers have been on a steady climb, and with the emergence of smart hospitals and more connected medical devices, we need to really proceed with caution as the threats have now been quadrupled. Data breaches have cost the healthcare industry as much as $6.2 billion! There’s no denying the fact that cybersecurity is top on the agenda for the CIOs of the global healthcare industry and the statistics do show that they are right in doing so.
Very recently, a massive cyber attack was reported in Singapore in which, personal information and prescription records of about 1.5 million people, including Prime Minister Lee Hsien Loong, were stolen. According to the government officials, this SingHealth cyber attack is “the most serious breach of personal data” that the country has experienced.
Now that we’ve established that there is, indeed a problem, let’s consider the areas which are the most problematic and need to be addressed immediately.
By 2025, it is expected that the smart medical devices market will reach $25 billion. To ensure that the connected devices in the ecosystem are secure, hospitals need to make sure that cybersecurity is a part of their core strategy and not an afterthought. Each device should have an additional layer of identity. The data being transmitted between the devices should be encrypted, and only authorized users should have authenticated access to the devices. Of course, the device manufacturers also have an important role to play in ensuring the security of these devices.
As more and more hospitals adopt cloud for the flexibility, scalability, and maintainability that it offers, it is also important to note that hospitals need to be aware of the security risks associated with it. If proper care is not taken, then there are risks of data security, network reliability in terms of latency and performance, storage reliability, and service levels provided by the cloud provider. However, with appropriate strategies, planning, and the right cloud partner, it is easy to embrace the cloud-based advanced solutions to support the smart hospital initiatives.
Data breach is one of the most significant threats faced by the healthcare industry. A report by the Ponemon Institute stated that the healthcare sector witnesses more data breaches than any other industry. So why do these breaches occur? There can be many causes such as malware that steals the credentials, employees with or without a vendetta who accidentally or intentionally disclose patient data, or through IoT connected devices. What the bad guys are really after is PHI aka Personal Health Information which is why they go after medical databases. With hospitals increasingly becoming more connected, it is important that the hospitals tailor their training programs for employees to at least ensure that data breaches caused due to negligence are avoided.
Employees in the healthcare space have a lot of access to healthcare data. The big mistake that most healthcare providers make is focusing on the outside threats too much and ignoring the deadliest threat – disgruntled or careless employees. For an employee with the basic knowledge of the hospital network setup, it’s child’s play to exploit vulnerabilities, steal the data or sell it to third parties. It’s not just an evil employee that’s a risk, it’s also a careless one who may accidentally click on malicious links and compromise the entire network as a result.
If a cybercriminal uses malware to affect the files and systems of the hospital, the functioning of critical processes will be rendered useless until the criminal is paid a ransom. Why this hurts a smart hospital so much is because all the processes and departments are connected and any issues with this functioning can dramatically slow down the whole process. In this situation there are only two viable options, pay the ransom or pay exuberant amounts to rectify the systems, either way, resources that were allocated to support the growth and digitization of your hospital would be absorbed by a cybercriminal.
The Black Market of Medical Records
Did you know that EHR, or electronic health records have more value than financial data on the black market? Criminals care more about your health records than they do about your credit card details. This is because a single EHR can contain the details such as birthday, social security numbers, policy numbers, and even billing information of the patients – this is a lot more than they will get with a stolen credit card. All this information can be used for identity theft, resell of prescription drugs, and making of fake medical insurance claims. EHR theft is harder to trace as compared to stolen credit cards which are a pain to disguise.
Distributed denial of service (DDoS) attacks is a tactic that cybercriminals resort to so that they can overwhelm a network to such an extent that the systems stop operating. Healthcare providers and institutes need access to their network at all times to provide a proper patient experience. Processes that are hampered include the use of the internet, which means that there is no access to emails and update or access of patient information such as records or prescriptions cannot be done. DDoS attacks are usually conducted by individuals with a personal vendetta against the organization or system.
Loopholes in the BYOD (Bring Your Own Device) Policy
Across the globe, a large number of healthcare providers are persuaded to allow their staff bring to their own mobile devices such as laptops, iPads, and smartphones. 81% of healthcare institutions allow their staff to bring their own devices. While this may save costs in short-term, are such hundreds of devices connected to the network secure? And even if they are, what if a device were to get stolen outside the premises, all of the data on the said device would be compromised. A hospital in LA suffered the loss of data of 700,000 patients, all because two unencrypted laptops were stolen. Moreover, one can never be sure about the privacy policies and security of apps that doctors or nurses may use to make their workflow more efficient. It is, therefore, extremely important to have stringent systems and policies in place for BYOD.
In conclusion, according to Symantec, the reason why the healthcare industry is constantly falling victim to identity theft and ransomware is because the hospitals don’t spend enough on cybersecurity. KPMG in a report stated that 53% of surveyed healthcare institutions were not prepared for IT attacks. Especially with the smart hospital movement, hospitals need to get smarter with their budgets for cybersecurity. It is the need of the hour for healthcare and is an absolute must. As the threats grow, there is a large percentage of good guys as well who are on par with the brightest minds in the cybercrime ring. Get the good guys on board so that you don’t have to do any damage control later. As they say, a stitch in time saves nine.