Why Healthcare is an Attractive Target for Malicious Actors
(Part 1) Geopolitics of Cybersecurity and the Healthcare Sector Series
Introduction: The Internet of Health Things (IoHT)
The global healthcare sector suffers more breaches than any other industry; in 2018, it accounted for approximately a quarter of the global total. This is not overly surprising; healthcare has always been an attractive target for malicious actors.
As a sector, the medical device sector is woefully lacking in cybersecurity prioritization – its first priority has always been, and should always be, the treatment and wellbeing of patients – but it is increasingly clear that without better security, these devices could put that very wellbeing at critical risk.
Given the largely unregulated nature of the sector, security measures are currently an afterthought for many manufacturers, rather than built into critical processes. Additionally, the vast treasure trove of very sensitive patient data collected by the sector is a veritable goldmine for cybercriminals.
All manner of Personally Identifiable Information (PII) can be found on the Dark Web, ranging from Social Security Numbers (SSN) available for $1 to a full medical record, including a patient’s address, date of birth, family connections, and other Protected Health Information (PHI) going for $1000.
The nature of the information the sector collects can make it more valuable than credit card credentials. After all, a person’s medical history can’t be canceled or changed, allowing criminals many more ways through which to target their victims with scams, fraud, or extortion.
This combination of minimal security coupled with lucrative data makes the healthcare sector a low-risk, high-reward target. While financial gain is the primary driver for attacks, cybercriminals are by no means the only threat. State-backed actors have also been known to infiltrate an organization in the hope of obtaining valuable Intellectual Property (IP), particularly in the pharmaceutical and biotechnology industries.
Of course, corporate espionage is in no way a new phenomenon, but never before have nefarious actors wishing to do harm or steal valuable assets been able to access so much, so quickly and cheaply. The ease with which an adversary can enter a poorly secured network and retrieve sensitive information in the hope of giving their country a competitive advantage in cutting edge fields represents a real threat to victim organizations that poured time and resources into research and products, and it endangers the lives of the people these organizations hope to help through innovative healthcare technology.
This series on the intersection of geopolitical risk, cybersecurity, and healthcare explores those elements of the healthcare sector which are growing exponentially and changing lives at a pace which often sacrifices security for a rush to bring a product or service to market. The first part of the series focuses on the Internet of Health Things (IoHT), highlighting the vulnerabilities that connected wearables and medical devices create for the companies making them and the people using them.
Part I: The Internet of Heath Things (IoHT)
The Internet of Things (IoT) – the interconnection of network technology in everyday items – is gradually being applied to healthcare devices, giving us the Internet of Health Things (IoHT). Just as other IoT devices are pervading everyday life, IoHT devices are expected to enjoy significantly increased adoption in the coming years, with Accenture estimating that the market will be worth $163 billion by 2020. While the rise of IoHT will provide greater levels of efficiency to already overburdened healthcare industry, they create new cyber risks to patients and healthcare institutions alike.
Carefully protecting sensitive information is not just a compliance issue – healthcare organizations also have a business priority to ensure that they properly secure sensitive information for the sake of business continuity. Healthcare organizations are not only responsible for their patients’ health data and overall security of devices; they also have a duty to protect private data and intellectual property to maintain a competitive advantage.
Failure to do so puts patients’ privacy and safety at risk while failing to protect sensitive business data endangers the organizations’ ability to continue operating successfully. As will be discussed later in the series, healthcare entities that are negligent in enacting security measures, and don’t meet government regulations, are often faced with significant reputational damage, as well as fines, audits, or even criminal penalties, as well as legal proceedings brought forward by affected parties. This is why security considerations must be prioritized to offset the vulnerabilities they introduce, as the mass implementation of IoHT devices across the healthcare sector continues.
Remote Patient Monitoring (RPM)
The rise of network-capable medical devices allows several innovations, offering numerous advantages for healthcare professionals and consumers. Perhaps the most prevalent of these is Remote Patient Monitoring (RPM), which aims to allow the real-time diagnosis of patients without the need for the patient to physically travel to a medical facility. It can identify early warning signs of health complications as soon as they manifest and immediately inform healthcare professionals of the need for treatment.
These devices are capable of, amongst other things, collecting, processing, and sending patient data seamlessly to a physician, thereby increasing efficiency and reducing the physician’s time constraints. This collation of data can also be used for research. Through data analytics, healthcare professionals will be better equipped to research common ailments that affect large percentages of the population.
Whereas most research projects traditionally only study the behavior of small numbers of people, data lakes, or aggregate data from hundreds or thousands of patients, could allow researchers to analyze the conditions of many and design treatments based on the findings.
IoHT Cyber Attacks
There are, however, some inherent risks with an over-zealous adoption of network-capable medical devices, which are not as rigorously controlled or methodically approved by the FDA as actual medical tools and medications. Namely, most of these devices were not designed with security in mind. As is so often the case with new innovations, security is given lower priority, often added as an afterthought in the rush to bring a device to market.
The introduction of any new device to a network increases the attack surface of the network overall. A malicious actor could utilize IoHT devices to create botnets for nefarious purposes or use the processing power of infected machines to mine cryptocurrencies – also known as cryptojacking. This could stop the devices from performing their functions correctly and affect the health of their users.
Another type of attack demonstrated by researchers is the use of an unsecured IoHT device to easily gain access to a healthcare facility network. Once the attacker gains access, they can move laterally in the search for PHI. This type of information is highly sought after by cybercriminals on the Dark Web and can be used to commit fraud or blackmail. With a reported 600% increase in attacks against IoT devices between 2016 and 2017, the issue will only gain in significance as these devices proliferate.
The infection of network devices may prove a minor inconvenience to most other industries that do not handle sensitive data, but in the healthcare sector, it could have life-threatening implications.
In 2016, researchers from the University of Leuven and the University of Birmingham successfully hacked into a pacemaker and were able to harvest patient data, flatten the battery, and issue malicious commands.
Similarly, at a Def Con event held in Las Vegas in 2018, researchers from McAfee’s Advanced Threat Research team showed that it was possible to falsify a patient’s vitals in real-time, potentially leading to unnecessary treatments.
Potential Physical Consequences
The relative ease with which a criminal can engage in the manipulation of healthcare devices presents a major security concern for patients who rely on these devices to alert them to the need to seek emergency treatment. For the average individual, seeking unnecessary treatments could range in severity.
If a criminal were to alter a heart-rate monitor to show the wearer they were having a heart attack, the wearer would seek immediate medical attention, creating stress, incurring costs, and overwhelming already strained healthcare systems. Doing this repeatedly would raise insurance costs, and additional stress could lead to further health problems. If an attacker were to alter the settings on a medication dispenser, the consequences could be considerably more severe with immediate effect.
But what about a targeted attack against a prominent political figure? Or a senior executive overseeing a company merger? Modifying their medical signs could make them believe themselves to be unfit to perform their duties, resulting in their resignation or termination by a risk-averse board.
Alternatively, a cybercriminal could change their medical data to show that they are in full health to prevent them from receiving treatment. If insurance companies were to use compromised devices’ metrics to determine what treatments to approve, cover or reject, this would result in deaths, financial burdens, and larger societal effects, with implications for healthcare-related businesses and countries with strained infrastructure – potentially resulting in consequences on an international scale.
This is not a fictional scenario. In 2019, it was reported that Israeli researchers had created a form of malware that allowed them to add or remove malignant growths to CT or MRI scan results. In instances where they added false growths, radiologists diagnosed cancer 99% of the time. When they removed signs of malignancy, 94% concluded the patient was healthy. The researchers provided a list of potential motives for such an attack: “to stop a political candidate, sabotage research, commit insurance fraud, perform an act of terrorism, or even commit murder.”
Recent attempts to address the vulnerabilities of IoHT devices are very much a work in progress. In 2018, the Food and Drug Administration (FDA) released guidance in a document entitled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” It provides technical recommendations for manufacturers to follow, to aid in securing medical devices before reaching the market.
While an Inspector General report issued later that same year states that the FDA hadn’t done enough to assess the cyber risks, IoHT security is becoming an FDA priority, and the document does give manufacturers a baseline for assessing whether they’re meeting minimum thresholds.
But the issue is wider than just medical devices. Passing legislation that legally requires manufacturers to provide cyber protections in IoT devices as a whole has been difficult. Several bills regarding IoT security failed to pass Congress in recent years, meaning that manufacturers can implement security in their products to any degree they like, and sell them widely, in countries where this type of legislation is also absent. This poses a particular problem for IoHT as these devices are designed to be effective at maintaining and monitoring patient health, not at stopping cyber-attacks.
A new bill, the “Internet of Things Cybersecurity Improvement Act of 2019,” is more comprehensive than previous iterations and has a better chance of passing Congress. If it does, it could be the first domino in a global trend to better align legislation to fast-moving technological advancements in the healthcare field.
Guidance for Healthcare Organisations
These developments will, eventually, lead to manufacturers implementing greater security measures during the design process of their medical devices. Healthcare organizations themselves will have to act now by taking on greater responsibility to ensure that they maintain a level of cyber defense that protects their customers. After all, if patients are injured or killed as a result of easily exploitable vulnerabilities, healthcare organizations’ reputations will suffer, and they may incur fines and penalties.
This could be as simple as providing employee training to maintain an acceptable level of basic security hygiene amongst staff. This may seem like a minor measure, but Verizon’s 2019 Data Breach Investigations Report estimates that 58% of healthcare breaches involve inside actors. This is not necessarily always malicious but can be a result of healthcare staffs’ poor understanding of the dangers of connecting unsecured devices to a network. By training employees to understand the consequences of using shortcuts or failing to follow specific procedures, organizations can reduce such instances and demonstrate a commitment to patient safety.
Likewise, the regular updating and patching of software is essential in maintaining the security of IoHT devices and will go a long way to stopping network intrusions. IT staff should carry out Shodan searches to identify publically exposed devices and then enact measures to secure them.
Finally, all patient data should be encrypted in transit and at rest, and access permissions granted only to data which is required for an individual to do their job, so that even in the event of a data breach, mass volumes of patient data are not exposed.
The adoption of IoHT devices is still at its early stages in the healthcare sector, but will undoubtedly grow as countries work to find solutions to overburdened and understaffed healthcare sectors. These are basic security precautions that, if taken now, will help mitigate IoHT vulnerabilities and potentially save money, reputations, and most importantly, lives.
If you are interested in learning more about the connection between geopolitical risk and cybersecurity, be sure to also listen to our recent podcast on Cyber-Geopolitics and the Role of Data.