Hacked Healthcare data sells at a premium so it’s on the rise. But losing your data is your first problem. Then there’s the money, the downtime, the lost records and…the lost patients.
Cyber security is like going to the dentist: expensive and unpleasant, but necessary.
Cyber security in health is underinvested and underappreciated, and a spate of hospital attacks this year have drawn attention to the value that healthcare information holds, security experts say.
“The records that GPs keep of seemingly mundane information, like names, addresses, Medicare information, are really valuable to criminals,” said Robert Merkel, a lecturer in software engineering at Monash University.
Medical records were the fifth-most exposed pieces of information in data breaches in the past year, and make up 36% of the data leaked, according to a global report by software security company Symantec released earlier this month.
Medical practices are facing a growing threat of ransomware, where they are specifically targeted in an attack that locks up, and holds to ransom, patient and practice management files.
One such attack occurred in 2012, when hackers got into the Miami Family Medical Centre on the Gold Coast and demanded $4000 in Bitcoin from the centre to decrypt the files. Several hospitals in the US have been victims of similar ransomware just this year.
As healthcare moves towards greater connectivity, there is concern this will open up more opportunities for hacking.
“We hand over a whole huge amount of very important, and sometimes extremely private, information to doctors who have done a remarkably good job over the years in keeping that information private,” Mr Merkel said.
“But now that information is on computers that are connected to each other and the internet, and there’s that financial incentive to steal it.”
There was now a need to change the mindset for health professionals from one of being personally responsible for maintaining patient privacy, to actively preventing people from stealing it, Mr Merkel said.
While he sees huge potential benefits in electronic health records, Mr Merkel was sufficiently sceptical of MyHealthRecord’s security to choose to opt-out with his newborn daughter.
“I’m not convinced governments have thought through just how secure that data would need to be,” he said.
“This data has to remain secure for all eternity. Or at least the lifespan of the people whose data is in it, and that’s why the security requirements in this are extremely high.
“But the number of people who have to have access to this to do their job is also high, and doctors want to access the data without too many hoops in front of them. If there are too many hoops, then they’ll just tend to bypass the system,” Mr Merkel said.
Why does it happen?
“Money. This is serious business,” explained Nick Savvides, security specialist at Symantec.
Cybercriminals typically demanded $5000 to $15,000 for medical practice data, and $500 to $800 for individual consumer data, he told TMR.
This is because health data can fetch a lot more than other personal information on the black market. Where Netflix accounts could get 25c for a username and password, medical patient records may fetch up to $50.
“It often comes with a whole suite of information,” Mr Savvides said. “Name, address, location and other information about the user can be used to steal their identity or construct fraud against them.”
Cybercrime is worthwhile if it is lucrative, and if it is easy.
So far there has been an underinvestment by medical organisations compared with financial or other professional sectors, making it an easier target, Mr Savvides said.
Two years ago, the FBI warned the healthcare industry that it was at an increased risk of attack, saying the industry “was not as resilient to cyber intrusions compared to the financial and retail sectors”.
But where the US and Europe have mandatory notification laws for health-data breaches, Australia largely relied on an honour system, which likely underestimated our figures, said Mr Savvides.
Of course, money isn’t the only motivator.
A US encryption software company, PKWare, predicts that terrorist group ISIS will dramatically increase their cyber capabilities to target Western entities.
Nation-state hackers and foreign intelligence can also pose a threat.
Chinese hackers penetrated a US government database last year and stole the medical records of millions of government employees, some with classified security clearances.
Another hospital security lapse led to more than 2000 patient X-rays being downloaded to a computer in China, where normal chest X-rays may be valuable to individuals looking for travel visas into countries prohibiting infectious lung diseases such as tuberculosis.
How does it happen?
The delivery of pathology results and meals at the Royal Melbourne Hospital was hit in January, after the IT system was infected by a computer virus.
This was because the hospital continued to run the outdated software operating system Windows XP on its computers, despite Microsoft warning that it would no longer be offering security patches after April 2014.
Phishing was one of the most common ways of hacking into a network, and relied on both a social and tech vulnerability, Mr Merkel explained.
A person in the organisation gets an email from what appears to be a legitimate sender, and clicks on the link. If the computer doesn’t have appropriate countermeasures in place then the malware, or malicious software, can sit on the system, collecting usernames and passwords as people type them in.
In the case of the Royal Melbourne Hospital, if the hackers had also stolen internal credentials, they might have been able to log into health systems and download a lot of patient data, Mr Merkel said.
Medicare has already lost hundreds of thousands of dollars to scammers exploiting this type of information.
Using personal medical data, a group of hackers was able to set up fake bank accounts and make fraudulent Medicare claims in those patients’ names. Hackers had also been known to divert Medicare rebates away from doctors and into fake accounts, Mr Savvides said.
Security researchers at the US policy think-tank, the Ponemon Institute, estimate the cost of a breach in the healthcare industry was between $US159 and $US359 per record, and this is down to notifying customers, legal fees, credit monitoring in the following years and the operational costs of fixing the problem.
This doesn’t take into account the damage done to the organisation’s reputation or fines from regulators.
Another cyber threat involving medical devices has prompted a warning by the TGA. Any device that can send messages wirelessly is at particular risk, because hackers can get remote access and meddle.
Last year, a security flaw was found in one of Hospira’s infusion pumps, that could allow a hacker to remotely control the dosage delivered by the pump.
Infusion pumps, insulin pumps, implantable drug pumps, implantable cardiac defibrillators, pacemakers, neural stimulators, insulin pumps, telemetry heart monitors and infant or foetal monitors could all be exploited like this, the TGA warned.
As a hospital, if you were not able to trust your pumps to make an infusion, or if your $1 million scanner was taken offline, you would just pay the ransom, said Mr Savvides.
As the systems get more and more connected, the risk of infiltration increases.
“Until someone actually steals the data, it’s like going to the dentist,” Mr Merkel said. “It’s unpleasant, it costs you money, it takes time and possibly involves painful things. But ultimately if you don’t go, you might end up with a dental abscess on New Year’s Eve.”