Cybersecurity fact: Your healthcare system is only as strongly defended as its weakest part, and no matter how advanced your firewalls are you will be hacked unless you train your staff

As humans we are programmed with compassion and a desire to help, but this trait is one of the reasons that hackers are so successful in bypassing our cybersecurity and infiltrating our cloud networks and healthcare systems.

It’s obvious when you look at the ease with which a social engineer hacker at DEF CON 2016 managed to gain total access to a user’s cell phone account in under 2 minutes using a combination of clever psychological manipulation, a sound track of a crying baby and an oversight in the cybersecurity protocols for the company [1].

The approach via social engineering is not the end game but is an entry point to carry out targeted attacks and is increasingly in use and even being automated. Like everyone else, hackers are using technology to improve efficiency.

Artificial intelligence (AI) is being used in many areas and hacking is no exception to jumping on board this train to improve and increase the number and sophistication of their attacks. As with the case of all technology and innovations – it can be used for good or for bad.

Gizmodo has reported: “These days, the overwhelming number of cyber-attacks are automated. The human hacker going after an individual target is far rarer, and the more common approach now is to automate attacks with tools of AI and machine learning [2].”

There are many types of attack that range from installing malware (software that is intended to damage or disable computer systems), Denial of Service Attacks (DoS), eavesdropping through to Phishing (sending emails that people are induced to trust and click on infected links) and the variants – Vishing, and Smishing – voice based and text-based attacks respectively.

In many instances the first vector for attack in an organization is an individual’s failure to identify and prevent breaches.

I recently interviewed a prominent expert in Social Engineering, Christopher Hadnagy, who said: “I can get anyone to click on a phish if I know your motivation and the right time and the right emotional content [3].”

He also revealed that, despite sending millions of phishing emails and writing books on the topic, he too had been “Phished”

The Anatomy of an Attack

What might a Phishing attack look like? The following fictional scenario is typical of the steps and methods used to open up a vulnerability in an organization.

Opening emails and checking for status updates on the clinics patients was a routine task for Colin, as was receiving an email from Lucy Thomson from the associated clinic with a patient referral. When he opened the link, it was confusing as it just displayed Lucy’s departmental website. Colin assumed the link was broken.

Colin had just been “phished” and that one action would have widespread ramifications for his clinic, department, hospital, and patients as the ransomware that had downloaded and secretly installed from the link he had just clicked was now inside the information systems outer defenses. The malware, no longer limited by the firewall and cybersecurity systems, kicked into action and sought out all the other connected devices on the hospital network and quietly replicated itself.

Days later, with the original email long forgotten, computers across the hospital started to lock users out and display a message saying files had been encrypted and seeking payment in bitcoin for the key to unlocking the hospital systems and threatening to delete files every hour.

Hitting the Mother Lode – Healthcare Data

Healthcare represents the richest source of data for hackers and any stolen healthcare data attracts a premium when sold on the black-market – anywhere up to 10 times the price of buying stolen identities or credit card information.

Since healthcare data contains such a wealth of exploitable information that includes all your demographic information – names, historical information of where you lived, worked, the names and ages of your relatives and often financial information like credit card and bank numbers – along with your medical history. It is the most comprehensive record about the identity of a person that exists today – a veritable treasure trove of opportunity for fraudulent credit and financial applications and ongoing mischief.

Healthcare cybersecurity has entered a new era where the health and safety of our patients can be impacted by malicious hackers. The traditional data security and HIPAA compliance paradigms of the past are not sufficient to limit the potential harms we and our patients will face.

The current regulatory environment surrounding the use of electronic medical records has catalyzed our dependence on such technology and has also incentivized rapid and less secure system implementations. The attack surface for hackers has grown, leading to more frequent and sophisticated large-scale breaches and hospital network intrusions.

https://www.hipaajournal.com/healthcare-data-breach-statistics/

The delay and disruption of patient care across the globe during the recent WannaCry and Petya attacks has solidified a growing sentiment in healthcare cybersecurity circles that patient care and safety is a at immediate risk.

After the attack, UK’s National Audit Office revealed the following:

  • The attack led to disruption in at least 34% of trusts in England although the Department and NHS England did not know the full extent of the disruption.
  • Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments.
  • The Department, NHS England and the National Crime Agency did not know how much the disruption to services cost the NHS [4].

And healthcare continues to struggle to address the rising cybersecurity threat, as in the first six months of 2018, there were 154 breaches reported to the Office for Civil Rights, up 13% compared to the same period in 2017.

How do You Secure Your Data and Enterprise?

Security needs to be everyone’s responsibility and has to come from the very top of the organization. This is not just a corporate issue but a personal one and understanding the attack vectors and sharing the stories of individual and corporate failures and losses as a result of poor security are an integral part of mitigation and prevention.

The new imperative is not only making security everyone’s responsibility but equipping everyone with the knowledge and tools to be able to assess security threats in the context of the impact to patient safety. Increasing staff participation in all aspects of security from the top of the organization down to create a culture of security will create a solid foundation to mitigate the rising risk of security threats.

While technology offers tools that can mitigate the risks from these attacks, people remain the weakest link in securing the healthcare enterprise and patient data. Without attention to the human factor and creating a security culture that enables people with information and skills to make good decisions, healthcare systems will continue to face the recurring nightmare of dealing with cybersecurity breaches and loss of protected health information.

This article originally appeared in AIMed Magazine issue 04, available to download here.

Photocredit: Ecole polytechnique

Cybersecurity buzzwords explained

Ethical Hacker: synonymous with white hat (and some gray hats) Ethical Hacker: synonymous with white hat (and some gray hats)Ethical Hacker: synonymous with white hat (and some gray hats) Ethical Hacker: synonymous with white hat (and some gray hats)

Security Researcher: usually a white or gray hat hacker who independently Security Researcher: usually a white or gray hat hacker who independently

Penetration Test: a contracted, professional assessment to simulate an attack Penetration Test: a contracted, professional assessment to simulate an attack

Penetration Tester: an ethical hacker who works as consultant is contracted Penetration Tester: an ethical hacker who works as consultant is contracted

Red Team: A group of penetration testers with various specialties that use all attack vectors available to compromise a target

Blue Team: A group of IT and InfoSec professionals who have been assembled to defend against the actions of red team during some penetration tests

 

References

[1] This is how hackers hack you using simple social engineering, www.youtube.com/watch?v=lc7scxvKQOo

[2] Hackers have already started to weaponize artificial intelligence, www.gizmodo.com/hackers-have-already-started-to-weaponize-artificial-in-1797688425

[3] The impossible task of security in the age of sophisticated social engineering, www.incrementalhealthcare.com/the-impossible-task-of-security-in-the-age-of-sophisticated-social-engineering-chris-hadnagy/

[4] Investigation: WannaCry cyberattack and the NHS, www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/

Bio

Dr. Nick is a leader in Digital Healthcare and Innovation and former Chief Medical Officer for Dell. He provides strategic insights and guidance to support healthcare organizations, medical professionals and patients through information-enabled healthcare. He brings an incremental approach to developing successful strategies and applies his expertise to achieve a technology environment that is interconnected, efficient and patient-focused. He is a highly sought out speaker on the practical and futuristic use of healthcare technology and how it can improve patient engagement and wellness.

Experience
Dr. Nick van Terheyden brings a distinctive blend of medical practitioner and business strategist, both national and international, to the realm of digital healthcare technology. A graduate of the Royal Free Hospital School of Medicine, University of London, Dr. van Terheyden is a pioneering creator in the evolution of healthcare technology. After several years as a medical practitioner in London and Australia, he joined an international who’s who in healthcare, academia and business, in the development of the first electronic health record in the early 1990’s and later, as a business leader in one of the first speech recognition companies. His rare combination of patience, creativity, skill and intrinsic business ethics has led him to a diverse career in healthcare with some of the most prestigious hospitals, consulting firms, and technology companies.

His focus is on small improvements we can learn from other industries and can be applied in healthcare to bring immediate value but that also add up to the big leap in we need and are all looking for – focusing on evolution not revolution. He was most recently the Chief Medical Officer for Dell where he was responsible for providing strategic insight establishing the organization as an innovator in healthcare technology and Digital Health.

In addition to writing and lecturing on futuristic trends in healthcare technology, his advice and counsel are sought by hospitals, physicians and other allied healthcare professionals all of whom are trying to figure out how to integrate and use technology to make the healthcare system work from the perspectives of quality and financial success. Dr. van Terheyden pays attention not just to processes and systems, but to people. His ability to speak in terms people can actually understand makes him a sought- out speaker

Specialties: Digital Health, Internet of Medical Things (IoT), Medical Home, Healthcare Informatics, Speech Recognition, Natural Language Processing, Mobile Health, Social Media, cybersecurity.