27 September 2016
Blogs by author: Bas de Graaf , Head of Product Management, Security Consulting, BT.
The healthcare sector deals with vast amounts of patients’ critical, confidential data every day. So it needs to protect this from cyber criminals.
In the world of movie-speak, ‘your money or your life!’ is a well-known quote. ‘Your information or your life’ doesn’t quite have the same ring to it. But, in the healthcare system this information could save your life. So it’s important that the sector recognises how valuable it is and does more to keep it safe.
Realise that data security is necessary.
We’ve all seen ransom and blackmail in the movies. We watch the action scenes and accept the code-breaking and abseiling required for heroes and villains to get their hands on mission-critical data. It’s exciting to watch, but something that we’d never want to experience for ourselves.
And the thrilling action makes sense — data that has the power to save or end lives should be heavily protected. But why are we on the edge of our seat when the heroes fight to keep vital intel out of the wrong hands, and sitting back when it comes to our own mission-critical information in the healthcare sector?
It’s a harsh reality that one of the biggest threats to health information today is the threat of a malicious cyber-attack. And following FBI reports of ransomware attacks on hospitals, the HHS Office for Civil Rights has released new guidance to help mitigate the huge potential for harm to patients caused by cyber criminals.
Perhaps they’re not as exciting-looking as remote spy bases, but healthcare providers like hospitals, clinics and pharmacies are vital to the lives of thousands of people. And if the information they need to save and improve lives is taken away from them, the consequences for many are unthinkable.
Being aware and staying vigilant.
Hospitals can’t be heavily fortified and remote like a spy’s lair. They have to be accessible to the public. That’s why no-one asks you who you are when you enter and walk around, which can also give criminals physical access to areas where sensitive patient information is handled. Even records that are restricted to certain hospital personnel can at times be obtained by unscrupulous people.
And it’s not just those with the intent to cause harm that hospitals should be aware of. Lax security, such as leaving computers unlocked, means other patients could be privy to sensitive information.
While they may not have sought the information out, there’s still potential for them to cause serious damage — whether through inadvertent or malicious breaches of privacy. In particular, the ability to disseminate sensitive information widely via social media is a cause for concern. So it’s incredibly important that healthcare professionals remain vigilant and protect their patients.
The same goes for a hospital’s online information. Medical records are increasingly being moved into electronic formats and stored in a variety of locations. This information needs to be shared among various professionals, so hospitals, clinics and surgeries are becoming increasingly reliant on a wide range of networked IT systems.
It’s not just records that are vulnerable, either: a wide range of medical equipment, from MRI scanners to lasers, surgical robotics and ventilators, can be hacked and exploited by cyber criminals. In fact, hackers have recently been found to have installed malware on X-ray equipment.
Many of these technologies were designed from a functional perspective, with security built in as an afterthought. Yet they have the potential to cause serious physical harm if hacked, so it’s important to incorporate security into these tools from a foundational level.
How much is your life worth?
Such equipment, like the records themselves, can be used to hold healthcare providers to ransom, preventing them from accessing the data that’s vital to patient care and, in the worst cases, survival. Knowing this, it’s easier to understand why, for cyber-criminals, the value of a medical record is at least ten times that of a credit card.
A stolen credit card can, ultimately, be cancelled and reissued, which renders the stolen number worthless. Your medical history can’t be reissued: once it has leaked, it stays leaked, and it can also be used for insurance and prescription fraud. So in an environment where staff work with an abundance of personal data, much greater care needs to be taken over privacy and the integrity of the information they use.
This isn’t just the stuff of movies.
In the movies, the fight for vital information is thrilling. In reality, it’s devastating for the people who need it. For example, US hospital Hollywood Presbyterian Medical Centre was attacked with ransomware that encrypted files across its systems, cutting staff off from electronic patient records.
This resulted in hospital staff resorting to pen, paper and fax, the redirecting of ambulances to other hospitals and the cancellation or delay of medical procedures. In the end, the hospital paid a $17,000 ransom, a payout that only encourages the criminals to launch further attacks.
And beyond ransomware, there have been instances where patients’ private information has been broadcast on platforms like Twitter. The impact of this can’t be overstated. Medical notes contain some of the most personal and intimate details of peoples’ lives — from drug taking, to sexual activity, psychiatric state, past medical procedures and more.
Be the hero of the story.
Forget the movies and be the real-life hero, keeping critical information safe from those who’d exploit it for personal gain. Here are just some of the practical ways the healthcare supply chain can improve its approach to privacy and security:
- Perform periodic vulnerability assessments to identify threats and vulnerabilities on systems and networks where health information of patients is handled or stored.
- Establish a plan to mitigate or remediate those identified risks.
- Run security awareness training: teach your personnel to recognise malicious software and phishing emails, and how to report them, since phishing is the usual delivery route for ransomware.
- Control access to patients’ health information on a need-to-know basis, and ensure the individuals who are granted access are periodically screened.
- Maintain an overall contingency plan that includes disaster recovery, emergency operations, frequent data backups, and test restorations.
- Ensure that suppliers who perform hardware and software maintenance (or perform any other type of work related to systems where the health information of patients is stored or handled) are accredited, have screened personnel and have solid procedures in place for the protection and destruction of data.
- Deploy antivirus, and keep it up to date on all critical systems.
- Ensure that all critical and high security patches are deployed within 30 days of release.
- Log and monitor all access to critical systems; also log and monitor all administrative actions on critical systems.
- And last but not least: document and distribute your policies and procedures, so that all staff and supporting parties are aware of their responsibilities.
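Two of the items above, need-to-know access control and logging and monitoring of access to critical systems, only pay off if someone actually reviews the audit trail. The script below is an added example, not code from BT or from the original post: it runs three simple checks over a constructed electronic health record (EHR) audit log in a hypothetical pipe-separated format (timestamp|user|role|action|patient_id|workstation), flagging record views by staff who are not on the patient’s care team, a user opening several different records in a short window (typical of record snooping or bulk theft), and administrative actions performed out of hours. The care-team table, the log lines, the user names and the thresholds are all invented for the example.

```python
"""Need-to-know and administrative-action monitoring over an EHR audit log.

Added example with a hypothetical log format and constructed sample data;
it is not BT's tooling or part of the original post.
"""
from datetime import datetime, timedelta

# Constructed treatment relationships: which staff are on each patient's care team.
CARE_TEAMS = {
    "P1001": {"dr.smith", "nurse.jones"},
    "P1002": {"dr.patel"},
    "P1003": {"dr.smith"},
}

# Constructed audit log lines in the hypothetical format
# timestamp|user|role|action|patient_id|workstation ("-" = no patient).
AUDIT_LOG = """\
2016-09-20T09:12:04|dr.smith|clinician|VIEW_RECORD|P1001|ward3-ws01
2016-09-20T09:15:30|nurse.jones|clinician|VIEW_RECORD|P1001|ward3-ws02
2016-09-20T09:40:11|dr.patel|clinician|VIEW_RECORD|P1003|clinic-ws05
2016-09-20T12:02:45|reception.lee|admin-staff|VIEW_RECORD|P1002|frontdesk-ws01
2016-09-20T12:03:10|reception.lee|admin-staff|VIEW_RECORD|P1003|frontdesk-ws01
2016-09-20T12:03:52|reception.lee|admin-staff|VIEW_RECORD|P1001|frontdesk-ws01
2016-09-20T23:48:19|sysadmin.roe|sysadmin|ADMIN_ADD_USER|-|dc-ws01
2016-09-21T08:00:00|dr.smith|clinician|VIEW_RECORD|P1003|ward3-ws01
"""


def parse_audit_log(text):
    """Turn the pipe-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, action, patient, host = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "patient": None if patient == "-" else patient,
            "host": host,
        })
    return events


def need_to_know_violations(events, care_teams):
    """Record accesses by users who are not on that patient's care team."""
    return [e for e in events
            if e["patient"] is not None
            and e["user"] not in care_teams.get(e["patient"], set())]


def bulk_access_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Users who open at least `threshold` distinct records within `window`."""
    by_user = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["patient"] is not None:
            by_user.setdefault(e["user"], []).append(e)
    alerts = set()
    for user, evs in by_user.items():
        for i, start in enumerate(evs):          # sliding window from each event
            seen = set()
            for e in evs[i:]:
                if e["time"] - start["time"] > window:
                    break
                seen.add(e["patient"])
            if len(seen) >= threshold:
                alerts.add(user)
                break
    return sorted(alerts)


def out_of_hours_admin_actions(events, day_start=7, day_end=19):
    """Administrative actions outside the normal working day (hours are assumed)."""
    return [e for e in events
            if e["action"].startswith("ADMIN_")
            and not (day_start <= e["time"].hour < day_end)]


if __name__ == "__main__":
    evs = parse_audit_log(AUDIT_LOG)
    for e in need_to_know_violations(evs, CARE_TEAMS):
        print("NEED-TO-KNOW:", e["time"], e["user"], "viewed", e["patient"])
    for user in bulk_access_alerts(evs):
        print("BULK ACCESS:", user)
    for e in out_of_hours_admin_actions(evs):
        print("OUT-OF-HOURS ADMIN:", e["time"], e["user"], e["action"], "on", e["host"])
```

In a real deployment the care-team table would come from the scheduling or admissions system, and a clinician’s legitimate emergency “break-glass” access to a record outside their team must be allowed, but logged with a reason and reviewed afterwards rather than silently permitted; the point of the checks is to generate a short review list, not to block care.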
Call in the ethical hackers.
It’s vital that the healthcare sector recognises the seriousness of the risks it faces. Ethical hacking can ensure you pick up any weak entry points or vulnerabilities in the applications, systems and networks which are accessing or transporting your sensitive data. And once you have this information, it’s easier to train staff to be aware of the threats to avoid social engineering, ransomware and careless data handling.
Find out more about BT’s ethical hacking solution.