Why is healthcare so vulnerable to cybercrime?
Posted 29th January 2020 by Joshua Sewell
When it comes to cybersecurity, healthcare systems are some of the most difficult to secure, and not only for technological reasons. Healthcare providers also have to make difficult decisions about whether to invest in information technology, in security, or in the staff and medical facilities that deliver front-line healthcare services.
How vulnerable is healthcare to cyber-attack?
Generally speaking, there are two primary models of healthcare delivery: for-profit healthcare and national state-run healthcare systems.
Nationally run healthcare programs generally seek to appease the political climate and public demands, providing a bare minimum of necessary and affordable services. If we take the example of a threat actor who is focused on extracting money via ransomware, or via extortion through the illicit procurement of medical records, that threat actor tends not to be particularly successful when targeting a national healthcare program: there is little money to extract.
In the for-profit healthcare world, where numerous clinics are incredibly wealthy, a more interesting situation plays out. In the US we’ve seen some major hospitals and clinics attacked by ransomware, resulting in some institutions paying to recover their files. There was also a recent example in Canada, where a third-party medical diagnostic lab paid the ransom to recover access to their data.
From a national healthcare perspective, there is now a fascinating critical infrastructure attack scenario in which the primary adversary is a nation-state targeting the healthcare system of another nation for political or ideological motives.
An attack on a nationally run healthcare system which significantly degrades already marginal capability is probably the one thing you can do to a country to ensure a response at a kinetic level. I feel that healthcare facilities are a red line and the International Committee of the Red Cross supports this view: if there is a deliberate attack on a national healthcare system, then the nation responsible would be perpetrating an act of war. Any state responsible for conducting the cyber-attack would have to understand the grave consequences. I think that message to potential adversaries is something that should be made clear in foreign policy – it will not be tolerated.
Indeed, healthcare in general, whether national or for profit, is very vulnerable to cyber-attack: it has a great diversity of supply chain vulnerabilities; it has an abundance of sensitive information in its records; it appears to be a tempting target to advance a political agenda or to exploit financially.
Are public or private healthcare models more at risk?
When comparing the two models, national publicly funded healthcare systems would seem to be more vulnerable, largely because they are chronically underfunded.
If we take the UK as an example, there seems to be a propensity to wring as much as possible out of every last pound in the NHS: systems and machines are pushed far beyond their life expectancy, and ancient equipment is forced to integrate with newer software systems. There may even be Laboratory Information Systems (LIS) dating back to the early 2000s still in use.
In for-profit institutions, in the US for example, there are ample monetary resources to address major cybersecurity deficiencies, should the organization choose to make that investment. Having said that, healthcare technology has much longer life-cycle expectancies than general computing systems and is frequently bespoke or hardware dependent, so unpatched vulnerabilities may exist for years if not decades. Even so, the affluent for-profit organization has budgeted for, and can quickly establish, compensating security controls, whereas a nationally funded system may not have that financial independence.
The consequences of underinvestment are clear when we look at attacks on healthcare as critical infrastructure in the US. There are several examples where gross underinvestment and lip service to security controls had catastrophic consequences for hospitals. A prime example is Hollywood Presbyterian Medical Center, which paid a ransom in 2016 to regain access to its systems, something of a harbinger of things to come.
Are healthcare providers taking enough action?
Certainly, there is awareness now amongst hospital boards and executives that cyber threats are potentially existential to their facility. This is a point that has been made on a couple of occasions as a result of cybercriminal activity. However, the current approach is haphazard and varied.
Private healthcare businesses that suffer an impactful attack tend to shore up their defences, make a public apology, and try to get back to work as soon as possible.
In the US, HIPAA penalties can be as crippling as the original attack, and in a for-profit healthcare system this kind of regulation acts as a deterrent. Unfortunately, those penalties can be avoided if the facility can demonstrate, through a risk assessment, a low probability that the healthcare records were disclosed to an unauthorised third party. Encryption of records by ransomware is presumed to be a breach under the HIPAA Breach Notification Rule, but that presumption can be rebutted. So the modern ransomware attack may escape regulatory scrutiny if the records are not stolen by the malicious actors.
In the case of the NHS, there was a digital strategy that was unveiled in 2015. To be blunt, we have seen very little evidence of any execution of that strategy. The NHS has not made the strides necessary to prevent attacks similar to WannaCry and NotPetya. Any minor progress that has been made should be understood in the context of those attacks.
My concern is the order of magnitude in expense, talent and cybersecurity controls needed to ward off a persistent attacker at the nation-state level. It is almost incomprehensible in terms of resources and requirements; much larger, better-funded and better-resourced governments and organizations are barely able to keep these Advanced Persistent Threat (APT) actors out of their systems.
Overall there has been some progress and growing awareness. But in terms of tangible good news stories, it’s still looking bleak.
Ian Thornton-Trump is Chief Information Security Officer for Cyjax and an ITIL certified IT professional with 25 years of experience in IT security and information technology.