
Richard Meeus at Akamai explores a matter of life and death
While a ransomware attack against a business can put a halt to trading, in the healthcare setting it is a matter of life and death.
Earlier this month, Synnovis, a pathology service provider, announced that it had been targeted by a ransomware attack that locked down vital computer systems used to provide blood testing and transfusion services to hospitals. The Russian group of cyber-criminals known as Qilin admitted to being behind this cyber-attack. The consequences were monumental. Services are still struggling to function; surgeries are being delayed and blood tests are taking six times as long as normal to complete.
This recent healthcare attack isn’t an anomaly; it is a pertinent example of a dangerous trend: the sharp rise of hacktivism. The attack is the latest of 215 ransomware incidents affecting the health sector in the United Kingdom since January 2019, according to the Information Commissioner’s Office (ICO).
The level of confidential data a healthcare institution holds means it is a high-value target. This year, there’s also been a rapid increase in cyber-criminals opting to steal, rather than encrypt, highly sensitive medical data and threaten to publish it on the dark web, unless the healthcare provider pays a ransom. Even if a ransomware actor does not receive a ransom, they gain notoriety.
The cyber-criminal gang Qilin has allegedly demanded a $50 million ransom from Synnovis in exchange for a decryption key. With medical-targeted ransomware reaching astronomical heights, it’s clear healthcare’s current reactive approach to cyber-security is not sustainable. Healthcare institutions must move beyond fortifying their basic security posture and ensure that their cyber-defences are fit for the cyber-threats of today and tomorrow, as a necessity to protect both patient data and lives.
The human impact of a ransomware attack
With criminals operating internationally, cyber-crime is ultimately a business. The World Economic Forum has revealed that the cost of cyber-crime could reach $10.5 trillion annually by 2025. Yet when bad actors specifically target healthcare institutions, it is patients who pay the price.
While a cyber-attack against a business may disrupt services like payments and monitoring stock inventories, cyber-attacks against the healthcare industry can deny patients lifesaving care and slash their trust in healthcare services.
It is partly the human aspect that makes healthcare providers a prime target for cyber-attacks. Healthcare institutions store and use significant amounts of personal data. This data is critical to delivering care, but it is also an extremely valuable target for cyber-criminals.
The uncomfortable truth is that cyber-criminals are not giving a second thought to the disruption they are causing and the lives they are endangering. They are just trying to make a fast buck.
Building on this, research from Akamai also found that between 2021 and 2023, ransomware attacks against healthcare organisations soared by 162%. No other industry came close to experiencing such a sharp rise. What’s more, healthcare institutions are much more likely to incur financial losses. While the overall average stands at 36% of organisations reporting that cyber-attacks resulted in financial losses, in the healthcare industry the figure is 43%.
Healthcare’s security weak spots
There’s no doubt about it: the purse strings are tight in the healthcare industry. That’s why budget constraints and a reactive approach to cyber-security are often identified as common barriers to cyber-resilience in the sector. But the truth is that reactive approaches hand the initiative to malicious actors and place healthcare institutions on the back foot.
Old healthcare IT systems provide enticing entry points for cyber-criminals. In some cases, legacy systems can account for between 30 and 50 per cent of all IT services, leaving those organisations exposed to known vulnerabilities. Some of these systems may have been designed more than 20 years ago and simply haven’t kept pace with technological advancements because of the cost of maintenance.
Healthcare organisations and their security departments are often extremely busy, and cannot always find the amount of time and effort required to patch effectively. Regular audits of an organisation’s cyber-security and a “zero trust” approach can mitigate threats to old and new healthcare IT systems.
An effective approach that healthcare institutions can quickly implement is that of assumed breach. “Assumed breach” doesn’t mean panic; it is an approach that ensures organisations are being pragmatic. It is vital in the healthcare industry that organisations understand where their critical assets are held, and what they need in order to provide essential care. This empowers healthcare providers to understand and implement robust authentication and authorisation around those systems and enables them to be “ring-fenced” accordingly.
Also, healthcare organisations must promote and provide the capabilities for each employee to practise excellent cyber-hygiene, whilst also providing a duty of care to protect their users as much as possible from phishing emails and cyber-attacks. When hospital staff or those based in medical facilities aren’t trained to recognise and report a phishing email, attackers can simply spam their targets with realistic-looking messages until they find an employee who unwittingly gives up their credentials. The attackers know all of this and use it to their advantage.
In practice, good cyber-hygiene means prohibiting easy-to-crack passwords and making multi-factor authentication standard practice. By adopting this process, healthcare institutions can limit the impact of any breach.
Preventing future attacks
The barrier to entry for cyber-criminals has been getting lower for years. Whether it’s the proliferation of self-service websites or AI tools doing most of the heavy lifting, even amateur cyber-criminals can wreak havoc.
Using third-party partners and providers expands a healthcare institution’s threat landscape and widens its exposure, because each party’s cyber-security function can differ widely, despite all working toward the same health objective of patient care.
As part of their long-term, internal cyber-resilience strategy, healthcare institutions can vastly improve their defence capabilities by segmenting their network. This means identifying the critical parts of the network and ensuring they’re ring-fenced, making it impossible for bad actors to infiltrate them.
Segmentation makes it more difficult for cyber-criminals to move through the network once they gain access. You can think of it as deploying fire doors to contain the spread of a fire or requiring ID scanners to pass through different sections of an office. What’s important here is that even if a cyber-criminal manages to get into your network, they are not afforded the freedom to roam wherever they like and access any data they choose.
Segmentation is proven to dramatically improve a healthcare institution’s ability to contain a cyber-attack. On average, a ransomware attack is completely stopped over four times faster in a properly segmented network than in a network lacking robust segmentation.
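As an added illustration (not from the article or from Akamai’s own tooling), the following Python toy models a hospital estate as network segments with default-deny rules and computes the set of hosts an attacker could reach from one phished workstation, in a flat network versus a segmented one. Every host name, segment and rule here is constructed for the example.

```python
# Added example: blast-radius model of lateral movement under segmentation.
# Hosts, segments and rules are constructed; they do not describe any real estate.
from collections import deque

# Constructed hosts and the segment each sits in (hypothetical hospital estate).
HOSTS = {
    "reception-pc": "staff", "ward-laptop": "staff", "hr-fileserver": "staff",
    "lab-analyser": "pathology", "lims-db": "pathology",
    "blood-bank": "transfusion", "ehr-app": "clinical",
}

# Flat network: every segment may talk to every other segment.
SEGMENTS = set(HOSTS.values())
FLAT_RULES = {(s, d) for s in SEGMENTS for d in SEGMENTS}

# Segmented network: default deny between segments; only explicit, documented
# flows are allowed (e.g. the clinical EHR application may query lab results).
SEGMENTED_RULES = {
    ("staff", "staff"), ("pathology", "pathology"),
    ("transfusion", "transfusion"), ("clinical", "clinical"),
    ("clinical", "pathology"),    # EHR pulls results from the LIMS
    ("clinical", "transfusion"),  # EHR requests blood products
}

def allowed(src, dst, rules):
    """Default-deny: a flow is permitted only if an explicit segment rule exists."""
    return (HOSTS[src], HOSTS[dst]) in rules

def blast_radius(compromised, rules):
    """Hosts reachable from `compromised` by chaining permitted flows (BFS).

    This is the 'assumed breach' question: if this one host is lost, what else
    can an attacker reach through the network alone?
    """
    seen, queue = {compromised}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in HOSTS:
            if nxt not in seen and allowed(cur, nxt, rules):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {compromised}

if __name__ == "__main__":
    start = "reception-pc"  # assume a phished receptionist's PC is the foothold
    print("flat network:     ", sorted(blast_radius(start, FLAT_RULES)))
    print("segmented network:", sorted(blast_radius(start, SEGMENTED_RULES)))
```

In the flat model the foothold reaches every other host, including the blood bank and the lab database; in the segmented model it reaches only the other staff devices, which is the “fire door” effect the text describes.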
When time is of the essence and lives are at risk, every second, minute and hour counts.
Richard Meeus is Director of Security Technology and Strategy at Akamai