That fitness device you are wearing on your wrist can bring a hospital or a healthcare organization down. This isn't a doomsday scenario or an Armageddon-type scare tactic, but rather a product design issue.
Nick FitzGerald, Senior Research Fellow, ESET, told Enterprise Innovation in an exclusive email interview that while fitness trackers, smartwatches and other health wearables collect data that allow users or healthcare practitioners to make better decisions based on real-time information, they also provide an easy entry point for cybercriminals into the hospital network.
"Medical devices used within hospital networks generally run on common – and often outdated – operating systems," he explains. "Security and privacy are often an afterthought in their product design process. Thus, the widespread use of these devices creates an extremely large number of attack points for cybercriminals to exploit."
It is easy for healthcare organizations to understand that they need to take steps to guard against unauthorized access to this information, but it is also important to take a holistic view of security and guard the entire network as a whole, rather than just the devices accessing the data, according to FitzGerald.
"This means that care must also be taken to secure devices such as medical equipment that may not be used primarily to store or transmit data, but can be used as conduits to launch attacks on an organization’s network," he says.
Enterprise Innovation (EI): What is usually the motive behind these breaches? What is the interest of cybercriminals in the healthcare sector?
Nick FitzGerald (NF): Healthcare organizations handle large amounts of data, almost all of which can be very valuable to cybercriminals. This can include financial and billing data, credit card details, as well as health-related information generated by patient visits. According to a study published by Xerox in February this year, healthcare information is even more valuable than credit card details.
Medical information of high-profile individuals can also be very lucrative. We saw this during last year’s US Presidential campaigns, where health records of Donald Trump and Hillary Clinton were highly sought after.
Another consideration is that modern hospitals and other health service providers tend to be very heavily digitized, and are usually large organizations with sizeable budgets. Thus, the cost of digital disruption to a hospital can be very high – especially relative to the cost of paying the ransom – giving ransomware victims even greater motivation to pay the demanded amounts. This is yet another vulnerability that cybercriminals are all too eager to exploit.
EI: How serious is this security threat in the healthcare industry?
NF: The problem of security among healthcare organizations has been increasingly highlighted by multiple security vendors in recent months. The growing popularity of personal medical devices such as fitness trackers – which tend to be highly insecure in design – is likely to prompt enterprising cybercriminals to exploit these loopholes.
In this region, a pharmaceutical company in India was the victim of a ransomware attack last year, the first known instance of hackers demanding ransom payments from Indian victims in bitcoins. Another high-profile cyberattack was the Qbot attack on Royal Melbourne Hospital – also in 2016 – that left many parts of the hospital reverting to pen-and-paper systems. It took days for the IT team to restore services to the pathology unit, and the hospital was forced to fast-track its upgrade to Windows 7.
In an earlier case, the Centre for Liver and Health and Institute of Digestive Disease at the Prince of Wales Hospital in Hong Kong was also hit by ransomware in 2014. Approximately 10,000 records were held hostage, with a ransom of 0.6 Bitcoin for the decryption key.
These attacks should serve as a reminder to all organizations to always have a ready incident response plan in place, as well as the value of investing in a reliable and easy-to-implement backup system.
EI: In a ransomware incident, should hospitals or healthcare firms pay? Do they really pay? What is the financial picture involved in these transactions?
NF: Undeniably, there is an argument to be made that when organizations give in and pay cybercriminals the demanded ransom, they directly contribute to the viability of the criminal business model. They may also just be throwing away their money, as there have been several cases of ransomware with bugs or implementation flaws that meant the ransomers could not actually decrypt the already-encrypted data.
However, in most cases, the decisions made are purely financial in nature – it is often cheaper to pay up than bear the costs – monetary and non-monetary – associated with losing all your data.
Healthcare organizations in particular face an even more pressing problem where ransomware is concerned. They are heavily reliant on patients’ and clients’ prior health information to make accurate decisions rapidly – delays experienced by healthcare professionals could be a matter of life and death. These are factors that have to be taken into consideration for leaders to make a responsible assessment of whether to pay or not.
What’s wrong, however, is for healthcare organizations to consider paying ransoms as alternatives to prevention and proper disaster recovery planning. A good disaster recovery plan gives organizations viable options aside from paying up when they are attacked by ransomware, and equally means that they are well-placed to handle the disruptions of major natural disasters, during which healthcare providers will be most heavily tasked with handling the increased medical emergencies arising from the event itself.
EI: Aside from monetary loss, what are the other serious implications of a data breach in a healthcare setting?
NF: As with any other company, data breaches can result in a wide range of non-monetary implications such as damage to reputation.
In a healthcare setting, there could be even greater consequences as decisions need to be made quickly. Delays caused by data breaches, ransomware or ‘jackware’ could potentially cause life-or-death situations. Furthermore, any damages caused by data breaches could also lead to lengthy and costly lawsuits as a result of not taking sufficient precautions against cyberattacks.
Data breaches also lead to loss of trust, an essential commodity in today’s digital economy. The lack of trust among customers and, in some cases, patients, could severely impair a healthcare organisation’s ability to carry out its day-to-day operations.
EI: What do healthcare organizations need to understand about security and what can they do to protect themselves and their clients, patients or customers?
NF: There are a few things that healthcare organisations can do to protect themselves and their stakeholders. Firstly, it is important that they are fundamentally prepared for a breach. Setting up an incident response plan so that they can react appropriately will save time and allow them to choose a path of action wisely and quickly, especially in the event of an emergency.
Secondly, IT departments at healthcare organisations should also look into more advanced security measures such as encryption and user authentication. It is vital that users are verified before allowing the viewing, sharing or modifying of information, as the consequences of misuse are much higher. Multi-factor authentication can also be employed for online account access.
Last but not least, organizations should ensure that education – of employees, patients, clients, vendors and any other key stakeholders – factors highly on their agenda. By ensuring that every user is empowered to do their part and perform any digital activity securely, they can efficiently reduce the attack surface available to cybercriminals by a large extent.
EI: On the consumer side, technology is fun, hip, challenging. What can they do from their end to protect their data from these threats and to help the healthcare organizations mitigate risks?
NF: Consumers can do their part to minimize the risk of cyberattacks – to themselves or organizations – by taking some proactive steps to protect themselves.
Simple actions they can take to improve their cybersecurity posture include making sure to change default passwords on their connected devices such as routers and fitness trackers. They should also be careful not to connect to unsecured public Wi-Fi networks using devices that are used to collect and transmit their health data.