In October 2016, computer systems in Northern Lincolnshire and Goole NHS Trust had to be shut down following a suspected ransomware attack. The Trust cancelled numerous operations, outpatient appointments and diagnostic procedures as a result.
This incident is far from being an isolated case; an NCC Group Freedom of Information request revealed that almost half of NHS trusts have been subjected to a ransomware attack in the past year. The healthcare sector has suffered countless breaches. It’s perhaps not surprising when you consider the range of sub-sectors within the industry; from healthcare services and facilities, to medical devices and equipment, to medical insurance.
However, there is evidence that cyber threat actors are increasingly targeting the industry. This is reflected in chatter by criminals on the dark web debating the ethics of attacking hospitals for monetary gain.
2016 has been the year of ransomware. In addition to the ransomware attacks described earlier, cybercriminals have conducted similar attacks on US hospitals including the Hollywood Presbyterian Medical Centre, the Methodist Hospital in Kentucky and the Chino Valley and Desert Valley hospitals in California. Hospitals in Germany, Brazil, and Canada have also fallen victim. There will of course be many others.
Cybercriminals are also attracted to the plethora of personal and medical data collected in the different healthcare sub-sectors. In criminal markets, healthcare records fetch 10, sometimes 20 times the price of credit card details. The reason is health records contain information that can be used for opening accounts, obtaining loans, stealing healthcare services and other identity-theft related schemes.
In addition, health records are near impossible to change. Compromised credit cards can be frozen or replaced, transactions can be reversed. Health records on the other hand contain social security numbers, addresses, dates of birth and other personal information which can be used by cybercriminals even after the victim has been alerted to a breach.
Healthcare providers may also hold payment card details due to paid-for treatments. Most providers also make significant payments to companies within the supply chain, thus supply chain fraud is also an objective. The many ways in which cybercriminals can compromise healthcare providers, and monetise their efforts, makes the industry an attractive target.
In early 2015, Anthem and Premera Blue Cross, two major American health insurance companies disclosed that hackers had successfully stolen records from their servers. In June of that year, the United States Office of Personnel Management (OPM), announced that it had also been breached. Together these three breaches consisted of over 100 million compromised records.
According to security experts, the culprit for these attacks was Deep Panda – a hacking group associated with the Chinese Government’s People’s Liberation Army. The three attacks were conducted concurrently, and it has been suggested that the acquisition of data from different sources could be used by a nation state to corroborate intelligence on rival nations i.e. the identities and locations of military and security personnel. Such information could also be used to create a dossier of individuals for future social engineering based attacks.
Proprietary information and intellectual property held by healthcare organisations will also be of interest to nation state actors. This information could be used to benefit domestic companies as well as to achieve the strategic healthcare goals of their government. This could become a growing threat when you consider the increasing technological advances, application, and connectivity of medical devices and equipment. The pharmaceutical industry is already a major target for such actors.
Hacktivism is the act of hacking or disrupting computer systems, for politically or socially motivated reasons. Anonymous demonstrated this with DDoS and phishing attacks against Boston Children’s Hospital in April 2014 under #opjustina.
It was reported that a hospital diagnosis led to custody of a 15-year old girl being temporarily taken away from her parents. The attack by Anonymous forced the hospital to shut down access to some of its website pages. This resulted in some patients and staff being unable to view online accounts, check appointments, or access test results.
Thus, hospitals that are seen to operate unethical practices, consistently breach patient data, or withhold treatments for the most vulnerable, will likely come to the attention of hacktivist groups.
The insider is a pervasive threat that is particularly difficult to mitigate against. How often do we see offices and systems left unattended in hospitals and dentists? How can you effectively monitor the masses of patients and visitors within healthcare establishments, let alone the staff? Moreover, this reality highlights the difficulties in defending the physical perimeter as well as the electronic. Banks, for example, allow the public to enter relatively few areas without an escort.
In November 2010, 4 hard drives containing sensitive data from Brighton and Sussex NHS Trust were sold on eBay. The Trust was unable to explain how an individual, who was sub-contracted to destroy 1,000 hard drives, managed to remove at least 252 from the hospital during his 5 days on the premises. The Trust was fined £325,000.
It is important that healthcare bosses understand the full capabilities of implantable medical devices (IMD). Many of these devices support everyday technologies such as Bluetooth and Wi-fi. If a connected device is hacked, the device can be forced to malfunction - potentially causing serious harm.
Numerous proof-of-concepts already exist that provide scenarios where this could happen. Even former US vice-president Dick Cheney revealed that he had his heart implant modified for fear of terrorist attack. The US Department of Homeland Security has been actively investigating the threat to IMDs for several years now.
As with many IoT systems, IMDs are often shipped with simple default passwords that are sometimes hardcoded into the device, meaning they cannot be changed.
But it is not just IMDs. Network-enabled hospital equipment such as infusion pumps are also vulnerable to attack. Imagine an attacker surreptitiously and remotely changing the dosage administered to patients. To address safety issues associated with infusion pumps, the US Food & Drug Administration launched the Infusion Pump Improvement Initiative in 2010.
An intrinsic problem with medical devices is that they often require years of research and development. By the time they are implemented, there are often new security considerations to contend with. With other electronic systems, such as phones and PCs, vulnerabilities can be quickly patched. With medical equipment, and in particular IMDs, this may not be possible.
The healthcare industry carries a greater risk than most. Despite this, its cyber security appears to be weaker than other industries - so it remains an easy target for cyber threat actors.
The industry has struggled with raising cyber security awareness and providing training. In addition, new technologies, connected devices and the increasing digitalisation and centralisation of health records compound security concerns. It is important that healthcare leaders recognise that the industry is not immune to cyber threats, despite the benevolence associated with the industry.