Healthcare and the menace of cybercrime – Excerpt from my first book

For decades, even during times of conflict, medical institutions have been considered sacred places and thus spared from deliberate attacks by malicious wrongdoers. The 1949 Geneva Conventions obliged immunity for hospitals and medical staff, stating, ‘Persons regularly and solely engaged in the operation and administration of civilian hospitals, including the personnel engaged in the search for, removal and transporting of and caring for wounded and sick civilians, the infirm and maternity cases, shall be respected and protected.’

The current spate of cyber-attacks shamelessly targeting hospitals and other vital medical institutions is making a mockery of these long-cherished human ideals. Hospitals are under siege. Cyber threat actors continue to commit despicable deeds, such as blocking access to critical medical records using strong encryption algorithms, forcing hospitals to cancel or postpone high-risk surgeries, and threatening to destroy critical records unless victims pay a ransom in a cryptocurrency, such as Bitcoin.

The 2016 hack of the Hollywood Presbyterian Medical Center in Los Angeles shocked America and the world. The hospital was forced to transport patients to other hospitals when cybercriminals crippled its central medical records for approximately ten days and demanded financial ransom. The hospital was left with no option but to comply with the stated demands, paying bitcoins equivalent to US$17,000 at that time.

But not all attacks are driven by financial gain; some are motivated by perverse, exceptional malice. Back in 2008, in a horrifying prank, cybercriminals hacked a forum run by the US Epilepsy Foundation. They then redirected visitors to sites that featured bright flashing images known to potentially trigger epileptic seizures. This cold-hearted attack claimed at least one victim.

Consumers can block compromised credit cards, businesses can restore encrypted data from backup files, celebrities can block bullies from their Twitter accounts; each will survive to live another day. However, cyber attacks on hospitals can endanger patients’ lives and result in tragic consequences. Attacks against medical infrastructures are profoundly immoral. Yet it’s now an inescapable reality that these malefactors are willing to endanger fundamental human moralities simply to satisfy their greed or selfish desires.

These reprehensible acts have received widespread condemnation, including from fellow hackers who voiced displeasure at such unconscionable and despicable violations of basic morals. Physicians rely heavily on up-to-date patient records to conduct open heart surgeries, liver transplants and several life-critical procedures.

Online magazine WIRED asserts that ‘without quick access to drug histories, surgery directives and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death and lawsuits’. This growing menace reminds us that debilitating, illogical attacks are not impossible merely because they sound insane.

Previously revered institutions are no longer as safe as the public assumes them to be. The days of security by obscurity are gone – it’s time for parishes, churches, charity organisations, hospitals and even orphanages to protect their networks. A big part of the problem lies with the healthcare industry itself, which has long ignored or discounted the threat of cybercrime.

This indifference has perhaps been understandable; the prospect of someone remotely commandeering life-sustaining medical devices to harm patients seemed farfetched to many experts. That changed in 2011 when, at a security conference in Miami, Barnaby Jack, the late security researcher, demonstrated how he could hack his diabetic friend’s insulin pump to potentially inject a lethal dose of insulin.

Jack’s live experiment evoked multiple responses – it set off alarm bells among diabetes patients; prompted the device manufacturer, Medtronic, to issue a public warning; and reignited the healthcare security debate among academics, practitioners and the public.

Since then, cyberthreats targeting the healthcare industry have intensified far more rapidly than previously projected, spurred by rising demand for stolen medical information, rapid commercialisation of hacking tools and the increased integration of healthcare IoT devices with core healthcare systems.

As this menace unfolds, the healthcare sector finds itself woefully unprepared. The roots of its predicament lie in many factors, chiefly decades-old technologies resulting from years of neglected technology investment. A 2015 survey by the SANS Institute, a computer security training and certification organisation, provided a telling insight.

The report predicted that in 2016, healthcare institutions would allocate an average of 4–6 percent of their IT budgets to security. This is especially worrying considering that during the same period, the SANS Institute predicted that the financial services sector would commit approximately double (10–12 percent) of their IT budgets to security.

Confirming this view, international news agency Bloomberg asserts that ‘hospitals seem at least a decade behind the standard security curve’. With such a strain on resources, security flaws are inevitable. Several medical device manufacturers still commission vital medical devices with poor security controls, such as hard-coded administrative passwords, unencrypted communications or other exploitable vulnerabilities. Even more worrying, some of the devices have no inbuilt mechanism to deliver security patches. At the same time, cybercriminals have become increasingly sophisticated and audacious, exposing the soft underbelly of these vital institutions to attack.

How can healthcare institutions reduce exposure?

Faced with this potent risk, health institutions need to up their game. Failure to act will increasingly put patient lives in jeopardy. Here are some key areas healthcare organisations should consider to maximise technology benefits while minimising cyber risk. These are not comprehensive; detailed industry standards such as NIST, ISO 27001 and COBIT exist to provide more detailed guidance.

  1. Prudently maintain up-to-date backups for all critical systems as well as regularly test disaster recovery procedures to minimise impacts from these inevitable attacks.
  2. Define a standard set of cyber security requirements for medical device manufacturers and mandate that each device comply with these minimum standards before signing contracts.
  3. Decommission legacy systems and migrate critical processes to modern and secure platforms.
  4. Identify the most important digital assets (crown jewels) and enforce higher levels of protection around those high-value assets.

The threat is real, and demands attention from the most senior officers. Given the significance of their missions, health institutions need to honestly reflect on their cyber security capabilities and take required actions to address any gaps. This is more than just protecting high-value digital assets; it’s about protecting human lives.

For more insights, check out my award-winning book, The Five Anchors of Cyber Resilience.

Ben Jones

MD @ Continuum Cyber, Board Member of CyAN and Cyber evangelist for SMBs

2 years

Thanks Phillimon Zongo for sharing this well-articulated piece. Healthcare, take note!

Bob Henderson

Mentor | "What we have done for ourselves alone dies with us: what we have done for others and the world remains and is immortal"-APike | Founder, CEO - Intelligence Services Group LLC | Board Member

2 years

Great article and insights that are much needed. Thanks Phil for publishing.
