Over the last few years, the healthcare industry has become a prime target of cyber-attacks. While most healthcare organisations are committed to patient privacy no matter what it takes, some are still behind in terms of cybersecurity adoption and advancement.
It is a year since Britain’s National Health Service was hit by the biggest cyber-attack in its history.
Vulnerabilities created by having outdated software was partly blamed for the scale of the disruption, which included thousands of appointments being cancelled.
Worldwide, the risk of cyber-attacks in healthcare is certainly recognised: an estimated $65 billion will be spent between 2017 and 2022 to prevent such incidents, according to Cybersecurity Ventures.
It is perhaps no surprise that vast amounts are being spent: healthcare faces particular cybersecurity challenges.
There are several reasons for this, according to Shabnam Karim, the Dubai-based legal director for dispute resolution and insurance at the law firm Clyde and Co, which offers incident-response legal services and cyber liability advice, as well as pre-incident planning.
Firstly, hospitals hold highly personal and sensitive information that could be held to ransom. Also, medical records, research data or drug trial information can be sold through the dark web.
Another vulnerability is that hospitals cannot afford to lose access to their systems because of the effects on patient safety. While to many other businesses, having the IT system unavailable has effects that are primarily financial, for hospitals the consequences could even cost lives. So, they might be left with little option but to pay up to prevent continued downtime.
And healthcare is one of the biggest sectors of economic activity globally, so opportunities to extort money are significant.
Risks could increase, especially in the Middle East, because healthcare institutions are digitising their operations and records, such as unifying digital patient records so that they can be more easily accessed across facilities within a healthcare group.
“Many of our clients are at a stage where they are digitising and developing integrated systems for increased efficiency and patient service,” says Shabnam, who works across the Middle East.
“There’s this focus on becoming more technologically advanced and whilst healthcare companies in this region are starting to develop an understanding of the risks and vulnerabilities that go with increased digitisation, there is still a gap when it comes to processes and plans if things do go wrong.”
Eyad Shihabi, vice president, Middle East, North Africa and Turkey, for BT, highlights multiple measures that institutions can take to prevent themselves falling victim.
Among them are regular assessments to identify threats and vulnerabilities on systems and networks where patient information is stored or handled.
Access to patient information should be controlled on a need-to-know basis, something that Shabnam says many organisations in the region do not adhere to.
“Within organisations, there can be lots of people with access to data where they don’t really need to have that access and there may be no clear oversight of this,” she says.
Shihabi advises organisations to have disaster-response plans, to back up data and test restorations, and to keep antivirus software up to date.
“Ensure that all critical and high security patches are deployed within 30 days of release. Log and monitor all access to critical systems; also log and monitor all administrative actions on critical systems,” says Shihabi.
Another priority is ensuring that suppliers that, for example, carry out hardware and software maintenance have strict procedures to screen staff and prevent breaches. One survey indicated that 30 per cent of healthcare breaches in 2016 were down to business associates or suppliers.
Another of Shihabi’s priorities is staff training on issues like detecting malicious software. Personnel should also be aware of the risk of “phishing” attacks. Shabnam says that cyber security training is being rolled out at various local organisations.
“One of our clients simply added a sticker to every employee’s computer which says, ‘Think before you click.’ The little things like that can go quite a long way,” she says.
“Acts by employees can be malicious or inadvertent; for example, we have seen employees using personal email accounts that may not be secure.”
One of the biggest technological changes impacting healthcare is the Internet of Things (IoT) and the use of connected devices.
As the United States Food and Drug Administration (FDA) says in a briefing document, this will see “medical devices become increasingly interconnected via the Internet, hospital networks, other medical devices and smartphones”.
“There is an increased risk of exploitation of cyber security vulnerabilities, some of which could affect how a medical device operates,” the FDA says.
In August last year, cyber security concerns led the FDA to issue a voluntary recall of 465,000 radio frequency-enabled pacemakers for a firmware update.
If the security of connected devices is compromised, the consequences could be serious.
“When you look at the context of surgery, there are so many instruments and monitoring devices – they’re interconnected and connected to the internet,” says Erol Gelenbe, a professor in the Department of Electrical and Electronic Engineering at Imperial College London.
“If you attack a factory, you might mess up a production line. If you attack a surgical procedure, you could kill someone.”
Gelenbe who is involved with Konfido, an EU-funded project to improve healthcare cyber security, cites as an example an automatic injection system in which a person receives insulin. A wrong dose could prove fatal, as could an excessive dose from a connected device controlling anaesthesia.
Local providers are enthusiastically embracing technology such as the use of diagnostic tools and, in future, robotics in surgery. This could create “multiple points of potential breach”, says Shabnam.
There are also concerns over the increased use of data from remote locations, often to monitor discharged patients.
For example, patients with chronic conditions may have devices to measure their blood pressure and transmit it to their computer, which forwards it to their doctors. Is the patient using, say, a smartphone connected to unsecured home Wi-Fi?
“If a measurement is overheard, that’s not as bad. If it’s modified in transit, the remote medic may [give] the wrong diagnosis,” says Eerke Boiten, a professor in cyber security at De Montfort University Leicester in the United Kingdom.
“With remote health solutions being pushed by governments across the world, quite often for cost saving, the integrity becomes a bigger issue over time.”
One answer to the myriad threats is, says Gelenbe, to have constant monitoring systems that can trigger a rapid response.
“There has to be a layer doing what the human operator could be doing, but doesn’t have the time or the speed to do,” he says.
There should not be interfering flows of information and data coming into the system. If there are flows of information coming into the system, this must be detected and dealt with.
“All this has to be happening not at human level speed, but at microsecond speed; it has to be done by automated software at the same speed the devices themselves are operating,” says Gelenbe.
Ray Kafity, vice president for Middle East, Turkey and Africa at the cyber security firm Attivo Networks, says healthcare organisations are turning to the likes of “deception technology” to provide early detection of, and response to, in-network threats that have bypassed other security controls.
“Additionally, through third-party integrations, advanced detection solutions accelerate incident response with automated blocking, quarantine and threat hunting,” he says.
He says, with modern deception technology, organisations of all sizes can achieve early detection, mitigating the risks associated with network and IoT devices.
Although many of the risks healthcare institutions face are understood and can be mitigated, some feel the growth in the use of connected technologies is creating hazards that are yet to be fully understood.
“At the moment, it’s specialists saying, ‘Are you sure this is safe?’ But the drive to make medicine cheaper is quite fierce, so I’m seriously concerned it will go dramatically wrong before anyone says that it needs fixing,” says Boiten.