Securing the Medical Sector is a Matter of Life and Death

by Anastasios Arampatzis

In the previous two articles we discussed the importance of Operational Technology (OT) security to the health and safety of employees and local communities and to preserving the environment, while underlining its crucial role in the pharmaceutical industry. In this article we turn to the necessity of cybersecurity for the medical and healthcare sector.

During the last year, hospitals and healthcare providers made the news headlines for the right reasons: the race to combat the coronavirus pandemic highlighted the importance of a robust and reliable healthcare system. At the same time, hospitals were the center of attention because they were increasingly targeted by attackers. These criminals exploited both the growing reliance of healthcare services on cyber-enabled systems and internet connectivity and the urgent need to treat a rising number of COVID-19 patients.

The attack surface is expanding

Hospitals and healthcare organizations were an attractive target even before the coronavirus pandemic. Patient records have long been valued by attackers as raw material for sophisticated insurance fraud schemes, for purchasing medical supplies or drugs, and for other types of fraud including identity theft. Financially motivated actors target medical records because they fetch high prices on dark-web markets.

The deployment of new devices, especially those categorized as IoT that use wireless networks and sensors to collect and exchange information, is a double-edged sword. While these devices offer medical environments tremendous capabilities to care for patients and increase efficiency, each device also expands the organization's attack surface.

“Hospitals in Greece have evolved significantly in recent years in areas related to digital transformation. In secondary healthcare providers, these efforts include systems and databases that keep track of hospitalizations, surgeries, laboratory services (LIS), supplies and administrative needs (HIS), and electronic prescriptions. Tertiary hospitals have deployed, in addition to the aforementioned, a patient-centered digital strategy, which allows for more flexible management of procedures and operations, and provides more efficient patient and hospital pharmacy management through a thorough electronic medical records registry,”

comments Aikaterini Aravani, MSc, Director of Nursing at Preveza General Hospital.

Compliance challenges

Adding to the complexity of these security challenges are the strict requirements for compliance with regulatory frameworks such as the GDPR and the NIS Directive. While these regulations are enacted to protect systems and sensitive data, healthcare organizations face multiple moving targets when managing controls and meeting these requirements.

For example, in the UK, hospitals and other healthcare entities of the National Health Service (NHS) using digital services are responsible for ensuring they meet the minimum standards in the areas of network security and data protection.

In the field of data protection, healthcare organizations need to comply with the requirements of the GDPR. Given that the Regulation treats medical data as a “special category of personal data” requiring additional protection, securing patient data must be a top priority. The high price of patient records, combined with new and growing vulnerabilities, gives cybercriminals a strong incentive to attack.

What is the impact of cyber-attacks?

Securing the healthcare sector is of vital importance considering the increase in cyber-attacks experienced during 2020.

According to a report by Check Point, Europe recorded a 67% increase in ransomware attacks, with attacks doubling in Spain and surging by 220% in Germany. Central Europe experienced the biggest rise in cyber-attacks on its healthcare organizations during the period (145%), followed by East Asia (137%) and Latin America (112%).

In fact, the increase in healthcare data breaches is attributed mainly to ransomware. A recent report from cybersecurity firm Tenable indicates that ransomware attacks accounted for 54.95% of 2020's healthcare data breaches. The next largest cause was email compromise and phishing (21.16%), followed by insider threats (7.17%) and unsecured databases (3.75%). Third-party vendor compromise accounted for about 25% of the healthcare data breaches and about 12 million of the exposed patient records.

Overall, the number of cyber-attacks targeting hospitals and other healthcare providers rose by a striking 55%. According to a new Bitglass study, this increase affected the medical records of some 26 million people in the United States.

The available data shows a steady rise in healthcare cyber-attacks in recent years, but 2020 was more severe because of a combination of pandemic conditions: organizations shifting to remote work models, more permissive “bring your own device” (BYOD) policies for internal networks, and the rapid onboarding of new cloud-based services.

Attackers regard medical records as flexible all-in-one identity theft packages and scam toolkits. This has turned attacks on healthcare providers into a $13.2 billion industry, with the average data breach cost per record rising to $499 last year.

“Nowadays, healthcare organizations such as hospitals have increasingly come under cyber-attack to collect personally identifiable information from their patients, as well as financial and operational information, as intermediaries between physicians, insurance companies and governmental institutions relevant to the health care system. This information can be used for ransom and financial fraud using the personal data of the patients/clients. Most importantly, studies reveal that cyber-attacks against hospitals can result in the significant disruption of health services (scheduling medication, unavailable laboratory and radiology records, phone systems offline etc.), significantly affecting the quality of the provided health care and thus the morbidity and mortality rates in a hospital,”

explains Vasileios Margaritis, PhD, Senior Lecturer in Public Health Doctoral Programs, Walden University, USA.

Hospitals also act as vaccination centers immunizing the general population against COVID-19. “A cyber-attack on the registry that tracks the current progress of Covid-19 vaccinations would be devastating, if it were carried out successfully,” says Aikaterini Aravani.

What needs to be done?

For healthcare providers, it is imperative to adopt a proactive approach to cybersecurity. Administrators and other security leaders should review the insights and recommendations published by organizations and agencies such as the FBI and CISA, and tackle the ransomware threat before falling victim to it.

The foundation of these security controls is a security assessment that captures the current state of risks and threats and identifies the organization's assets and their vulnerabilities. Based on the results of the assessment, ADACOM suggests moving gradually to a risk-based implementation of security controls that provide:

  • Visibility, so that the healthcare organization can identify all critical assets and behaviors on its networks.
  • Detection of cyber threats, vulnerabilities, risks and anomalies.
  • Analysis and evaluation of the identified risks.
  • Prioritization of the proposed remediation controls.
  • Unified monitoring of, and protection against, advanced and targeted attacks.

The above objectives can be met through a combination of the most appropriate solutions, focusing on:

  • Identification, classification and prioritization of critical assets and medical records.
  • Dynamic segmentation of the network and segregation of IT from OT, so that a compromised workstation cannot reach medical devices directly.
  • Deep analysis and protection of network traffic and the environment against threats and vulnerabilities.
  • Enforcement of access controls for users and devices, both wired and wireless.
  • Protection mechanisms such as encryption.
  • Use of certificate-based digital identities to authenticate IoT and medical devices and protect their integrity, improving the user experience by eliminating insecure passwords.
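The certificate-based device identity named in the last bullet, shown as an added example written for this page in Go (it is not ADACOM's code, nor any vendor's): a hospital-operated device CA issues each IoT device a client-authentication certificate bound to its asset identifier, and the network access control point verifies the chain, the validity period and the client-authentication usage before admitting the device. The CA name and the device identifiers (`infusion-pump-0042`, `monitor-0007`) are hypothetical, and only Go's standard `crypto/x509` library is used. The example also exercises the two rejection paths a practitioner cares about: a certificate minted by a CA the hospital does not trust, and a certificate whose validity period has lapsed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed device CA. In practice its private key stays
// offline or in an HSM and is used only to issue per-device certificates.
// The CA name passed in is a hypothetical value for this example.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// issueDeviceCert issues a client-authentication certificate whose subject is
// the device's asset identifier. The device key is generated here for the
// example; on a real device it would be generated on-board and only a CSR
// would leave the device.
func issueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string,
	notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial: unique per certificate and unpredictable.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{
			CommonName:         deviceID,
			OrganizationalUnit: []string{"Medical Devices"},
		},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // IsCA stays false: a device cannot mint further certificates
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyDevice is what the network access control point runs on the
// certificate a device presents. It accepts only certificates that chain to
// the hospital CA, are valid at time now, and carry the client-auth usage,
// and returns the authenticated device identifier.
func verifyDevice(ca, leaf *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

func main() {
	ca, caKey, err := newCA("Example Hospital Device CA") // hypothetical name
	if err != nil {
		panic(err)
	}
	now := time.Now()

	// A legitimately enrolled infusion pump is admitted.
	pump, _, err := issueDeviceCert(ca, caKey, "infusion-pump-0042", now.Add(-time.Hour), now.Add(365*24*time.Hour))
	if err != nil {
		panic(err)
	}
	id, err := verifyDevice(ca, pump, now)
	fmt.Println("accepted:", id, err)

	// A certificate with the same name but signed by an untrusted CA is rejected.
	rogueCA, rogueKey, _ := newCA("Rogue CA")
	fake, _, _ := issueDeviceCert(rogueCA, rogueKey, "infusion-pump-0042", now.Add(-time.Hour), now.Add(365*24*time.Hour))
	_, err = verifyDevice(ca, fake, now)
	fmt.Println("rogue-signed certificate rejected:", err)

	// A certificate whose validity period has lapsed is rejected.
	expired, _, _ := issueDeviceCert(ca, caKey, "monitor-0007", now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	_, err = verifyDevice(ca, expired, now)
	fmt.Println("expired certificate rejected:", err)
}
```

The chain check in `verifyDevice` is what replaces a shared or default password on the device: possession of the device's private key, attested by a certificate the hospital CA issued, is the credential. A production deployment would additionally check revocation (CRL or OCSP) so that a stolen or decommissioned device can be locked out before its certificate expires, and would keep device validity periods short so that the expiry path shown above does real work.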

Additionally, rigorous enforcement of an information security program built on information classification, monitoring and protection is more crucial than ever; a combination of DLP, classification and encryption solutions is the most practical way forward.

Finally, it is crucial to build a work culture that supports the effective implementation of cybersecurity measures. Healthcare staff need to be educated on cyber hygiene best practices and current cyber threats, while hospital executives should fully support the effort to address vulnerabilities and ensure that all components are protected from cyber threats.

To learn how ADACOM can support you, contact our experts.