The healthcare industry is overwhelmingly reliant on internet-connected devices as solutions. There’s no doubt some of those devices advance patient care and even critical response. Healthcare possesses elite data, making its security, independently and collectively, a cause for concern the world over. The recent cyberattack on Universal Health Services, one of the largest medical cyberattacks in U.S. history, underscores the urgency of this situation.
National Cyber Security Awareness Month (NCSAM) has a theme we can definitely get behind: ‘Do your part, be cyber smart’ is a good way forward for all of us. Part of the initiative is to delve into the health care industry and take a look at securing the internet-connected devices that much of society relies on when interacting with the health care system. With this in mind, Social-Engineer (SECOM) wants to look at this and the future of connected devices. We want to do our part and #BeCyberSmart, for now and in the future.
If It Can Be Used for Good…
Budding technologies are changing our lives as human-machine partnerships accelerate. The advent of telemedicine, internet-connected wellness apps, and lifesaving medical devices has created benefits and advantages for society. These make our lives easier in many ways and digitize them in many more, some of which were unimaginable 20 years ago. Wearing watches that monitor and collect information on our heart rates, steps, calories, sleep quality and recovery rate was more akin to science fiction two decades ago than the reality it is today.
But these same devices and technologies have also exposed us and the medical industry to vulnerabilities that cyber criminals can exploit. Worse still, these vulnerabilities are hard to fix. Health data, for criminals, is elite data.
Should We Care?
Does it really matter if someone can find out your blood type or weight, or that you have a +3 prescription lens? Should we be concerned if the internet crime leagues know we’ve been treated for high blood pressure, or for a broken foot five years ago? What about a recent heart attack or the onset of diabetes? Most of us shrug this off: “How dangerous could it be? I’m willing to share most of this with just about anyone.” Well, it’s more of a threat than you’d first think, because health data can’t change.
With traditional identity theft, banks and the Social Security Administration are able to work against the criminals by changing details, such as our account numbers, our social security numbers, and even our passport information. Health data is unchangeable this way. We can’t change our blood type, our prescription lens, or a fondness for jumping from high things, once to the detriment of an important foot bone. Worse still, we can’t always change our mental health status or invisible injuries, such as anxiety. This permanence is what makes healthcare data elite data. We, as the victims, can’t always offset the consequences by reporting and disputing.
There’s another, more sinister side to the insecurity of healthcare devices to consider. Take, for example, the consequences if hackers were to gain access to a pacemaker. This threat, and others like it, are well within the realm of possibility. There’s also the fact that some devices track location, which is usually a nice feature. However, bad actors can use it against us.
Healthcare Elite Data: Criminal Use
That your health data really can be more valuable than your banking data may boggle the mind at first. Our health data is bought by people who make a living impersonating us. Buyers might use the information to create fake IDs to purchase medical equipment or drugs, or to file a false insurance claim. This can be extraordinarily hard for the victim to undo; there’s not always a central point to report to, and there’s not always straightforward recourse.
To step back and see the broader picture, selling health records in the criminal world is a multi-billion-dollar industry. According to Reuters, our medical information is worth 10 times more than our credit card number on the black market. Experian notes that a patient’s full medical records can sell for up to $1,000. By comparison, Social Security numbers and credit card information usually sell for $1 and up to $110, respectively. Healthcare data truly is elite data. So the question becomes: how are criminals getting our data and why aren’t we stopping them?
Devices: A Sure Way In
Unfortunately, the explosion of connected devices represents a growing cybersecurity threat. This is true for modern devices and legacy ones alike. Securing connected devices, new and old, has emerged as one of the top priorities for healthcare IT security professionals. But it’s immensely difficult to do. At the very highest level, it requires building in security from the early stages of design. However, companies often lack the security expertise and resources to build high levels of security into their products.
Security: The Other Side
SECOM wouldn’t be doing our job right if we didn’t mention the other glaring hole in device security: humans. Human error and human deceit, working separately or together, can have devastating consequences for the security of a device and its data. The potential threat posed by human error or focused adversarial tactics is a concern that SECOM consistently helps medical firms and organizations with. Fighting the good fight with technology will only go so far in the cold war we find ourselves in with cyber criminals. If they can bypass technology by walking into a hospital wearing scrubs and a badge, they will. Let’s not waste time debating it.
SECOM actively fends off attacks in institutions and organizations by acting exactly like the bad guys, but instead of taking off with the data, we debrief them and then hand in a report. As a result, our clients have actionable data which can improve their security features, making them more resilient and resistant.
We’ve now looked at the requirements, both technological and people-centered, needed to safeguard us and our data, but the real challenge is the balance required to do so successfully. A multi-tiered and hybrid approach may be the only one that will work. This approach will have to change and adapt with the times and stay in sync with technological advances.
In light of this, ongoing education, awareness and testing of users is one side that we must not ignore. The other side must focus on encryption and security specifications that constantly evolve. All of this will make it increasingly difficult for cybercriminals to mount a successful attack. It’s important to realize that one cannot thrive without the other, and they should not be treated as separate units or schools of thought. Technology and people, testing and training, and security and usability are intertwined and interwoven. This is the current state of it all, and it’s most definitely the future.
Hope, Action, the Future
Whilst securing healthcare devices and, in turn, their users is an immense challenge, it is not impossible. There are ways to limit and mitigate the risks inherent in networked devices. It takes us all to #BeCyberSmart, and that will take systemic change: change in how we teach our kids and value data, as well as in how we evolve those lessons for advancing cultures and technologies.
We are the future of cyber security. If we aim to make it smarter, we have to be smarter, too. #BeCyberSmart.