Why does healthcare require the severest cybersecurity measures?

25.12.2020


There is a lot of novelty in medicine: the emergence of telemedicine, "smart" medical devices, and the digitization of medical records. These innovations are designed to improve the quality of service and save time for patients and doctors. However, neither doctors nor patients realize how vulnerable medical information becomes in the process.

Not only does digitization simplify the work of medical centre staff, but it also reduces the risk of errors in the provision of emergency medical care, when patients can’t provide information on their own. The electronic medical record shows the complete patient history: information from various medical institutions, diagnoses and appointments, allergies, and chronic diseases.

The development of telemedicine, which allows anyone to get advice from the best doctors in the country, also draws enthusiastic reviews. And the importance of smart medical devices is obvious: they improve the quality of life and give hope for a healthy life to those who couldn’t dream of it before.

However, the health sector still does not realize how critical the information it possesses is. Patient data, treatment and surgery protocols, as well as drug dosages, can become weapons in the hands of fraudsters. And the demand for this data is significant. Such information fetches a high price on the Dark Net: up to $1,000 per patient and up to $500,000 for an electronic medical database, and this data never expires.

In 2017, the number of information leaks in healthcare seems to have broken the record compared to other sectors*. There were 228 leaks in the medical industry, which corresponds to a quarter of all information leaks. Some countries do not have laws that require organizations to disclose information about compromised data.

There was a case in the X city when patients' personal information was inadvertently published on the website of a medical institution. As soon as the data became publicly available, citizens began to receive scam calls offering medical services and expensive drugs.

How can a database with patient information be used?

•    For resale to third parties:
- pharmaceutical companies; 
- private doctors; 
- funeral services bureau; 
- other clinics.

•    To harm the patient: 
- blackmail, e.g., with information about patients of addiction treatment and plastic surgery clinics, seriously ill patients, etc.;
- purchase of medicine by persons who are not patients of the clinic;
- making changes to drug dosages or treatment protocols; 
- remote hacking of medical IoT devices. 

The latter, by the way, is not fiction. Last year, information security researchers Billy Rios and Jonathan Butts told the manufacturer (Medtronic) that they had found a vulnerability in a pacemaker. The researchers claim that the company ignored their letter, so they decided to demonstrate the hacking of the device at a specialized conference. They managed to introduce a malicious program that can imperceptibly control the functions of the pacemaker, for example, change the number of heartbeats.

It's not just words

Unfortunately, none of these cases are made-up "horror stories". There are stories about the resale of data to funeral services agencies and pharmaceutical companies; the transfer of medical records from state clinics to private ones; and even the transfer of information about drug-addicted patients to drug dealers.
It is clear that among medical institution employees there will always be those who want to earn extra money by reselling the information they have access to. Meanwhile, the medical industry is facing a new threat, the scale of which has not yet been estimated. The paradox is that patients themselves are the main culprits in putting themselves at risk, which is explained by their insufficient knowledge of information security. 
Around a year ago, the authorities passed a law that legalized telemedicine. Now you can get medical advice on hundreds of aggregator sites. The patient voluntarily provides personal data and medical history. There is no information on how securely the data on these sites is stored. So, in the event of a hack or a leak caused by an insider, the attacker will obtain high-quality information. 

Medical social networks deserve separate mention: there, patients receive advice from doctors or share their experience with other patients. The information is stored in the public domain. The popularity of these social networks is enormous. For example, the American PatientsLikeMe has more than 600 thousand patients with 2,800 diseases. The main source of income for such social networks is the sale of user contacts to pharmaceutical companies. The creators of the social network do not even hide it. 

So where do we stand now?

If a medical institution doesn’t use electronic document management, the risk of a data leak remains, but it is minimal. It's funny, but this has nothing to do with careful protection of paper media; on the contrary, the registry staff often cannot work out where your medical record is. I suspect each of us has faced similar situations. It is this confusion that is the main "protection mechanism" at the moment. In fact, for data to have a price, it must be up to date and digitized, and that is a very time-consuming task.

However, paper document management in medicine is dying, which means digitalization is only a matter of time.

How to recover from the current state of affairs? 
Given the enormous damage caused by leaks in the healthcare segment, there is an urgent need to find a balance between the efficiency of medical services assisted by modern technologies and their security. 

And if there is no security policy in your organization, then start small:

1.    Implement regulations for working with information. Ensure strict compliance with the rules concerning the storage and use of patients’ personal information and other medical documentation.
2.    Differentiate access to information within the institution. Only certain individuals should have access to private personal information, and even they should be restricted so that they can’t download it or send it anywhere.
3.    Implement information security tools. For example, HIPAA, which operates in the United States, obliges medical institutions to protect personal data and critical IT infrastructure. Still, the way to ensure compliance is decided by the heads of the organizations. The most reliable solution is the installation of information security tools, such as DLP systems. 
4.    Conduct training and information security activities for medical personnel on a regular basis. This can be done either by full-time specialists or by outsourced information security experts (CTI, Security Awareness Training).
5.    And if your staff comprises more than 200 people, it is reasonable to hire an information security specialist.

*data from the Breach Level Index global database