Cyber threats in the healthcare industry

In recent years the number of cyber-attacks on the healthcare industry has risen rapidly, and the CoVID-19 pandemic has accelerated the trend. Given the wealth of sensitive information healthcare organisations hold (a single patient dataset can be worth lakhs or even crores of rupees), they attract a large number of attacks from cybercriminals. Most of these attacks are motivated by financial gain; a smaller share consists of cyber-espionage campaigns conducted by international actors, driven by an interest in acquiring medical research and collecting large datasets of patient information.

In April 2019, suspected Chinese cyber-espionage hackers targeted an American health centre focused on cancer research, a high priority for a country facing growing cancer-related mortality rates. Such attacks historically targeted pharmaceutical companies, which hold valuable intellectual property, but the targets have since been observed to shift towards hospitals, medical device manufacturers and similar organisations.

Today, attackers are shifting their targets towards hospitals and medical care centres, which generally have weaker protection than big pharmaceutical companies. Once a hospital is compromised there are several ways to monetise the access: selling personally identifiable information and medical records, providing a backdoor to a competitor, or locking the hospital out of its own systems with ransomware and demanding payment to restore access.

The Cybersecurity Centre of Excellence (CCoE), Hyderabad, has put together a set of precautions the healthcare industry should take to protect itself from cybercrime:

          1. Cyber awareness

Awareness helps staff recognise problems and act on them. Everyone in a healthcare organisation should be educated on cybersecurity and encouraged to report suspected threats. Train staff on the measures they are expected to take, and verify that they actually follow them. Most phishing attacks can be stopped by staff who have been trained to recognise them.

Cyber awareness training imparted to healthcare professionals revolves around:

  • Generating a proactive security culture.
  • Building respect towards the privacy of individuals.
  • Understanding attacks concerning the wider health cybersecurity landscape.
  • Understanding the importance and meaning of Protected Health Information and the reason behind protecting it.
  • Understanding security as a part of the whole organisation and how it impacts everyone around it.
  • Getting to know the impact of privacy and security rules that apply to the healthcare industry.

(E.g.: distinguishing genuine emails from the organisation from those sent by an attacker who mimics the organisation's email address or display name.)
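The example below is added here to make the phishing point concrete; it is not code from the original CCoE post. It triages a From: header against a constructed hospital domain (examplehospital.org, an assumption for this example) and flags the three tricks staff most often fall for: digit and Cyrillic homoglyphs, the "rn" for "m" swap, and an organisation name placed in the display name while the actual address is at a free-mail provider. The sample headers are constructed, not real messages.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed for this example: the hospital's own sending domain and the
// organisation name an attacker would put in a display name.
const trustedDomain = "examplehospital.org"
const trustedName = "examplehospital"

// homoglyphs maps characters commonly substituted in lookalike domains to
// the ASCII letter they are meant to resemble.
var homoglyphs = map[rune]string{
	'0': "o", '1': "l", '3': "e", '5': "s", '8': "b",
	'ο': "o", 'а': "a", 'е': "e", // Greek omicron, Cyrillic a and e
}

// normalize lower-cases the input, undoes common homoglyph substitutions and
// folds "rn" to "m", which many fonts render almost identically.
func normalize(s string) string {
	var b strings.Builder
	for _, r := range strings.ToLower(s) {
		if rep, ok := homoglyphs[r]; ok {
			b.WriteString(rep)
		} else {
			b.WriteRune(r)
		}
	}
	return strings.ReplaceAll(b.String(), "rn", "m")
}

// editDistance is the Levenshtein distance between two strings.
func editDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = prev[j] + 1 // deletion
			if cur[j-1]+1 < cur[j] { // insertion
				cur[j] = cur[j-1] + 1
			}
			if prev[j-1]+cost < cur[j] { // substitution
				cur[j] = prev[j-1] + cost
			}
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// ClassifyFrom labels a From: header. The header is attacker-controlled, so
// this is a triage aid for staff and filters, not a substitute for the
// SPF/DKIM/DMARC checks the mail gateway should perform.
func ClassifyFrom(header string) string {
	addr, err := mail.ParseAddress(header)
	if err != nil {
		return "malformed"
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "malformed"
	}
	domain := strings.ToLower(addr.Address[at+1:])
	switch {
	case domain == trustedDomain || strings.HasSuffix(domain, "."+trustedDomain):
		return "internal"
	case strings.HasPrefix(domain, trustedDomain+"."): // examplehospital.org.evil.test
		return "lookalike-domain"
	case strings.Contains(domain, "xn--"): // punycode label: possible IDN homograph
		return "lookalike-domain"
	case editDistance(normalize(domain), normalize(trustedDomain)) <= 2:
		return "lookalike-domain"
	case strings.Contains(normalize(addr.Name), trustedName):
		return "display-name-spoof"
	}
	return "external"
}

func main() {
	samples := []string{ // constructed sample headers
		"IT Helpdesk <helpdesk@examplehospital.org>",
		"IT Helpdesk <helpdesk@examplehospita1.org>",
		"Payroll <payroll@exarnplehospital.org>",
		"ExampleHospital Billing <billing.examplehospital@gmail.com>",
		"Dr Rao <rao@partnerclinic.example>",
	}
	for _, h := range samples {
		fmt.Printf("%-62s %s\n", h, ClassifyFrom(h))
	}
}
```

The punycode check will also flag legitimate internationalised domains, which is acceptable for a triage tool that merely asks a human to look twice; the real enforcement point is the gateway's sender-authentication checks, which this snippet does not replace.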

          2. Control access to data

Access to sensitive information such as patient data, doctors' data, etc. should be limited as far as possible. Determine who really needs access to which part of the data and make sure they can access only that part. E.g.: a receptionist should be able to access a patient's name and contact details, whereas a doctor should be able to access a patient's medical history. The receptionist does not need the patient's medical data, and in the same way the doctor need not have access to the patient's contact information.

It is a best practice to audit who is accessing what data and to log every request for such data, including the ones that are denied. Remove access for ex-employees the moment they leave the organisation, and maintain strict access controls.
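The following is an added example, not code from the original post, showing how the receptionist/doctor split above becomes an enforceable rule: a deny-by-default, field-level permission table per role, an audit entry written for every request whether allowed or denied, and a deprovisioning step that disables a departed employee's account while keeping their historical audit trail intact. The roles, field names, user IDs and patient record are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// rolePermissions lists, per role, the patient fields that role may read.
// Anything not listed is denied. Roles and fields are constructed for this example.
var rolePermissions = map[string]map[string]bool{
	"receptionist": {"name": true, "contact": true},
	"doctor":       {"name": true, "medical_history": true},
}

type User struct {
	ID     string
	Role   string
	Active bool // set to false on the employee's last day
}

type Patient struct {
	ID     string
	Fields map[string]string
}

// AuditEntry records every access request, allowed or denied.
type AuditEntry struct {
	When      time.Time
	UserID    string
	Role      string
	PatientID string
	Field     string
	Allowed   bool
	Reason    string
}

type Store struct {
	users    map[string]*User
	patients map[string]Patient
	Audit    []AuditEntry
}

var ErrDenied = errors.New("access denied")

// Read returns one field of a patient record if the caller's role permits it,
// and appends an audit entry whatever the outcome.
func (s *Store) Read(userID, patientID, field string) (string, error) {
	entry := AuditEntry{When: time.Now().UTC(), UserID: userID, PatientID: patientID, Field: field}
	defer func() { s.Audit = append(s.Audit, entry) }() // closure sees later edits to entry

	u, ok := s.users[userID]
	if !ok {
		entry.Reason = "unknown user"
		return "", ErrDenied
	}
	entry.Role = u.Role
	if !u.Active {
		entry.Reason = "account deactivated"
		return "", ErrDenied
	}
	if !rolePermissions[u.Role][field] { // unknown role gives a nil map, hence false
		entry.Reason = "field not permitted for role"
		return "", ErrDenied
	}
	p, ok := s.patients[patientID]
	if !ok {
		entry.Reason = "no such patient"
		return "", errors.New("no such patient")
	}
	entry.Allowed = true
	entry.Reason = "ok"
	return p.Fields[field], nil
}

// Deprovision disables an account the moment the employee leaves. The row is
// kept so that old audit entries still resolve to a known user.
func (s *Store) Deprovision(userID string) {
	if u, ok := s.users[userID]; ok {
		u.Active = false
	}
}

// NewDemoStore builds a store with constructed users and one constructed record.
func NewDemoStore() *Store {
	return &Store{
		users: map[string]*User{
			"r1": {ID: "r1", Role: "receptionist", Active: true},
			"d1": {ID: "d1", Role: "doctor", Active: true},
		},
		patients: map[string]Patient{
			"P-1001": {ID: "P-1001", Fields: map[string]string{
				"name":            "A. Patient",
				"contact":         "+91 40 0000 0000",
				"medical_history": "Type 2 diabetes, 2018",
			}},
		},
	}
}

func main() {
	s := NewDemoStore()
	s.Read("r1", "P-1001", "contact")
	s.Read("r1", "P-1001", "medical_history")
	s.Read("d1", "P-1001", "medical_history")
	s.Deprovision("d1")
	s.Read("d1", "P-1001", "medical_history")
	for _, e := range s.Audit {
		fmt.Printf("%s user=%s role=%s patient=%s field=%s allowed=%t reason=%q\n",
			e.When.Format(time.RFC3339), e.UserID, e.Role, e.PatientID, e.Field, e.Allowed, e.Reason)
	}
}
```

Two design points carry over to a real system: the check is on the field, not the whole record, so a role can see exactly the columns it needs; and denied requests are logged with the reason, which is what lets an auditor spot a receptionist repeatedly probing for medical history.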

          3. Encrypt data

Data encryption is "an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key," according to HHS. There are two kinds of data to encrypt: data in motion and data at rest. Data in motion is information being sent from one individual or device to another over a network; left unencrypted, it can be intercepted in transit. Data at rest is stored information, whether on a server or on mobile devices such as laptops and smartphones.

As the healthcare sector adopts new devices and new ways to store data, including the cloud, it should inventory and protect the data held there as well. Encrypting data should be a baseline measure. Using multiple encryption keys, for example a separate key per record or per dataset, limits the damage from a compromised key: an attacker who obtains one key can read only the data protected by that key, not the entire store.
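To show what "multiple keys" buys you in practice, here is an added example (not from the original post) of envelope encryption with AES-256-GCM from Go's standard library: each patient record gets its own random data-encryption key (DEK), the DEK is wrapped by a single key-encryption key (KEK) that lives in an HSM or KMS in production, and both ciphertexts are bound to the patient ID through the authenticated additional data. A leaked DEK then opens exactly one record, and moving a ciphertext to another patient's row fails authentication. The patient IDs and PHI strings are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sealed is one AES-256-GCM ciphertext with the nonce used for it.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte // GCM appends the 16-byte authentication tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) (Sealed, error) {
	g, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, aad)}, nil
}

// open decrypts and verifies; any change to ciphertext, nonce or aad fails.
func open(key []byte, s Sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, s.Nonce, s.Ciphertext, aad)
}

// EncryptedRecord is what is stored: the record's DEK wrapped by the KEK,
// and the PHI encrypted under that DEK.
type EncryptedRecord struct {
	PatientID  string
	WrappedDEK Sealed
	Data       Sealed
}

// NewKey returns 32 random bytes for use as a KEK or DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

// EncryptRecord generates a fresh DEK for this record, wraps it with the KEK,
// and binds both ciphertexts to the patient ID via the AAD.
func EncryptRecord(kek []byte, patientID string, phi []byte) (EncryptedRecord, error) {
	dek, err := NewKey()
	if err != nil {
		return EncryptedRecord{}, err
	}
	aad := []byte(patientID)
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return EncryptedRecord{}, err
	}
	data, err := seal(dek, phi, aad)
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{PatientID: patientID, WrappedDEK: wrapped, Data: data}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then opens the data.
func DecryptRecord(kek []byte, r EncryptedRecord) ([]byte, error) {
	aad := []byte(r.PatientID)
	dek, err := open(kek, r.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("cannot unwrap DEK: wrong KEK or tampered record")
	}
	return open(dek, r.Data, aad)
}

func main() {
	kek, _ := NewKey()
	r1, _ := EncryptRecord(kek, "P-1001", []byte("Type 2 diabetes, 2018")) // constructed PHI
	r2, _ := EncryptRecord(kek, "P-1002", []byte("Penicillin allergy"))
	dek1, _ := open(kek, r1.WrappedDEK, []byte(r1.PatientID)) // model a leaked DEK
	_, err := open(dek1, r2.Data, []byte(r2.PatientID))
	fmt.Println("record 2 readable with record 1's DEK:", err == nil)
	pt, err := DecryptRecord(kek, r1)
	fmt.Printf("record 1 via KEK: %q (err=%v)\n", pt, err)
}
```

Rotating the KEK under this scheme means re-wrapping a few hundred bytes of DEK per record rather than re-encrypting every record's PHI, which is what makes key rotation feasible on a large patient database.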

          4. Software updates

Outdated software is vulnerable to attack: attackers routinely exploit known, already-patched flaws in old software to gain access to networks and data. Inventory such systems, update them to the latest supported version, and retire or isolate those that can no longer be patched.

          5. Don't use the same password for everything

Strong, unique passwords for every platform limit the damage when one of them leaks: a password stolen from one service cannot be reused to log in elsewhere. Require employees to use a different password for each platform they access within the network, to change passwords at regular intervals and immediately if compromise is suspected, and consider a password manager to make this practical. Wherever possible, use multi-factor authentication.

          6. Backup of data

Even when every security measure is followed, organisations cannot function without a 'human element', which still leaves them exposed. With ransomware attacks such as Petya and WannaCry on the rise, it is far better to have a backup plan that lets you restore your own systems than to pay attackers to save your reputation. Each organisation must decide when, where and how to back up; at a minimum, keep a copy offline or otherwise out of reach of the production network, since ransomware also encrypts any backups it can reach, and test restores regularly.

          7. Network access

With an increasing number of devices connected to the internet from your premises, it is better to place different sets of devices on separate networks. E.g.: all mobile devices on one network, all cameras on another, and so on, so that a compromised camera cannot reach clinical systems.

          8. Maintain good cyber hygiene

The first steps to good cyber hygiene are to uninstall unnecessary applications, change default configurations and default credentials, and securely wipe data from devices before they are discarded. Every employee device should run anti-virus (endpoint protection) software.

          9. Create a recovery plan

Prevention is better than cure, but the cure matters as well. Planning for an attack means preparing a plan for getting systems back online and for protecting yourselves against a repeat attack.

          10. Perform regular risk assessments

Risk assessments of your network should be performed regularly, and the necessary remediations implemented as soon as possible.

Conclusion: if the healthcare industry enforces the above precautions, it becomes much harder for an attacker to compromise and infiltrate its systems. Remember that an attacker needs only one vulnerability to breach you, so it is better to protect yourselves than to lose reputation, money and time to an attacker.

About CCoE: The Cybersecurity Centre of Excellence (CCoE) is a glocal hub based in Hyderabad, Telangana, set up to catalyse innovation, entrepreneurship and capability building in cybersecurity and privacy. It is a joint initiative of the Government of Telangana and the Data Security Council of India (DSCI), set up to fulfil DSCI's commitment to creating a safe, secure and trusted cyberspace. The Cybersecurity Centre of Excellence nurtures a culture of innovation by incubating start-ups, conducting training, workshops and events, showcasing products in its experience zone, hosting delegations and collaborating in local, national and international initiatives. Learn more about CCoE here - https://ccoe.dsci.in/