For several years, even during times of conflict, medical institutions have been considered sacred places - thus immune from deliberate attacks. The 1949 Geneva conventions obliged immunity for hospitals and medical staff, stating, “Persons regularly and solely engaged in the operation and administration of civilian hospitals, including the personnel engaged in the search for, removal and transporting of and caring for wounded and sick civilians, the infirm and maternity cases, shall be respected and protected”
The current spate of cyber-attacks shamelessly targeting hospitals and other vital medical institutions is making mockery of these long-cherished human ideals. Cyber criminals continue to commit despicable deeds, such as blocking access to critical medical records using strong encryption algorithms, forcing hospitals to cancel or postpone high-risk surgeries, threatening to destroy critical records unless victims pay ransom in the form of bitcoins. The February 2016 hack of the Hollywood Presbyterian Hospital in Los Angeles (USA) provided a chilling example. The hospital was forced to transport patients to other hospitals when cyber criminals crippled its central medical records for 10 days and demanded financial ransom.
But not all attacks are financially motivated; some are outright cold-hearted. Back in 2008, in a horrible prank, cyber criminals hacked a forum run by the Epilepsy Foundation (USA), and then redirected visitors to sites featuring bright, flashing images known to potentially trigger seizures. Unlike other cyber-attacks, which victims can manage with moderate impacts, attacks on medical infrastructure are particularly worrying. When hospitals are hacked, patient lives are in danger.
So, why are hospitals being targeted?
Cyber-attacks targeting medical institutions are soaring. A 2016 report Ponemon institute revealed that nearly 90 percent of healthcare organisations surveyed incurred a breach during the previous two years, and nearly half experienced more than five data breaches in the same time period. There are five primary factors fuelling these attacks:- High demand for stolen medical information - Personal medical information commands higher value on the darknet, when compared with other classes of stolen information. The reason: A personal health record is inherently richer as it contains other types of valuable information, such as credit card numbers, social security numbers, date of birth, next of kin or medical history. This wide range of information is used by criminals to process fraudulent health insurance claims, forge prescriptions to buy controlled pharmaceuticals, secure fraudulent lines of credit, file falsified tax returns or sell fake medications to desperate patients. Further complicating the challenge, this critical information, is held in disparate locations (insurance providers’ systems, hospital archives, clinical laboratories and mobile devices) - which makes it difficult to secure. Furthermore, unlike credit cards, that victim can immediately deactivate once they are aware of a breach, patients cannot instantly change their medical history, allowing the criminals to profit from the information over a prolonged period of time.
- Stakes are higher – Hospitals are increasingly being targeted by ransomware attacks - a sinister form of malware that encrypts or blocks access to critical digital files and demands the victim to pay ransom, normally in the form of bitcoins, before the files can be unlocked. This trend is not surprising as several studies reveal that cyber-crime is predominantly motivated by financial gain. Cyber-criminals know that doctors heavily rely on up-to-date patient records to conduct life-critical procedures. The Wired Magazine asserts that without quick access to drug histories, surgery directives and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits.
- Antiquated systems – A number of hospitals run critical processes on aging systems that lack modern security capabilities. Software vendors cease to actively maintain systems once they go past their extended support phase. Accordingly, new vulnerabilities for these legacy systems will no longer be reported and security patches will not be supplied, creating softer avenues for attack and exploitation. This was the case for one of Melbourne’s largest hospital networks, which, in January 2016, suffered a debilitating cyber-attack which affected the delivery of meals and pathology results when hackers exploited vulnerabilities in its unsupported Windows XP fleet.
- Lower cyber security capabilities - Closely related to the previous point, but even more worrying, most health care institutions have historically under-invested in cyber security. On the contrary, cyber-criminals have become increasingly sophisticated and audacious. The reasons behind this complacency are obvious: Hospitals were never primary targets. The recent spate of high profile incidents has exposed the soft underbelly of these vital institutions. As Bloomberg put it, hospitals seem at least a decade behind the standard security curve.
- Increased digital complexity - Innovation is enabling health care organisations to deliver efficient, cheaper and high quality patient care. Connecting heart monitoring devices, thermometers, glucose monitors, and many other devices is enabling patients to proactively monitor their health and take corrective steps. But interconnecting millions of health monitoring devices also has a downside. The vast amount of personal data collected by these devices is raising significant consumer privacy concerns. Plus, it has already been proven that many of these health related devices are hackable, as they were not been built with security in mind. Back in 2011 Jay Radcliffe, a diabetic and cyber security researcher demonstrated at a cyber security conference how he could exploit security flaws in his OneTouch Ping insulin pump, potentially forcing it to deliver unauthorised insulin injections. This chilling discovery prompted the product manufacturer, Johnson & Johnson, to issue a warning to its customers, advising that the security flaw could be manipulated to overdose diabetic patients with insulin, though it described the risk as low.
How can health care institutions reduce exposure?
Faced with this potent risk, health institutions need to up their game. Failure to act will increasingly put patient lives in jeopardy. Here are some key areas healthcare organisations should consider to maximise technology benefits while minimising cyber risk. These are not comprehensive, detailed industry standards such as NIST, ISO 27001 or COBIT exist to provide more detailed guidance.
- Prudently maintain up-to-date backups for all critical systems as well as regularly test disaster recovery procedures to minimise impacts from these inevitable attacks.
- Define a standard set of cyber security requirements for medical device manufacturers and mandate that each device comply with these minimum standards before signing contracts.
- Decommission legacy systems and migrate critical processes to modern and secure platforms.
- Identify most important digital assets (crown jewels) and enforce higher levels of protections around those high-value assets.
The threat is real, and demands attention from the most senior officers. Given the significance of their missions, health institutions need to honestly reflect on their cyber security capabilities and take required actions to address any gaps. This is more than just protecting high-value digital assets; it’s about protecting human lives.