Skip to main content

The healthcare industry is in a world of cybersecurity hurt

As a relentless swarm of successful cyber attacks severely disrupt companies in every industry and require enormous expenditures to repair the damage, what typically gets lost in the shuffle is that some industries are victimized more than others — sometimes far more. The corporate victim that almost always grabs this dubious spotlight is the healthcare industry — the second-largest industry in the U.S. and one in which hacker meddling of operations not only costs lots of time, money and operational downtime, but threatens lives.

The healthcare industry itself is partly responsible. In a seemingly admirable quest to maximize the quality of patient care, tunnel vision gives short shrift to other priorities, specifically cybersecurity.

In aggregate, healthcare organizations on average spend only half as much on cybersecurity as other industries. For this and other reasons, such as the unusually high value of stolen patient records on the black market, attracting extra-large flocks of hackers, hospitals especially find themselves in a never-ending cyber war zone. FortiGuard Labs, a major security protection firm, reports that in 2017, healthcare saw an average of almost 32,000 intrusion attacks per day per organization as compared to more than 14,300 per organization in other industries.

Some attacks are outright deadly. For example, MedStar Health, a huge, Maryland-based healthcare system, was severely incapacitated by a ransomware attack that made national headlines when, among other things, it threatened lives. Compromised by a well-known security vulnerability, MedStar Health was not only forced to shut down its email and vast records database, but was unable to provide radiation treatment to cancer patients for days.

Such trouble typically starts when a doctor or other healthcare worker is persuaded to open an email sent by an attacker and click a link or attachment that downloads malware to his computer, a so-called “phishing” attack. The attacker can then use this software to gain access to the healthcare organization’s financial, administrative and clinical information systems.

Attackers also can use the health network to spread into connected medical devices and equipment, such as ventilators, X-ray and MRI machines, medical lasers and even electric wheelchairs.

Any medical device connected to a network is potentially at risk from being taken over and exploited by hackers.

Hospitals and other healthcare providers must practice better cybersecurity hygiene.

Compounding the threat are prevalent and vulnerable Internet of Medical Things (IoMT) devices, which integrate components and software from dozens of suppliers with minimal concern for security. Even individual patients can be targeted. A few years ago, former U.S. Vice President Dick Cheney’s doctors disabled his pacemaker’s capabilities because there were concerns about reports that attackers could hack such devices and kill the patient.

It’s a dire situation that must be addressed. Hospitals and other healthcare providers must practice better cybersecurity hygiene. For starters, healthcare organizations must improve the speed and thoroughness of software patching and update processes. As much as possible, organizations also need to use threat intelligence and automation, as well as institute cyber-awareness training programs to protect against social media attacks and other attack vectors.

As IoMT devices proliferate, more elaborate network segmentation and inspection is required. A segmented strategy enables organizations to institute checks and policies at various points of the network to control users, applications and data flow and to more quickly identify and isolate security threats. And on the network visibility front, healthcare organizations need more insight throughout the network, including the cloud.

Hospitals and other healthcare organizations must do a better job of protecting patient’s records, as well.  Since the transformation from paper records to digitized Electronic Health Records (EHRs), records are commonly updated and then sent by doctors to specialists in other hospitals. The problem is that hospitals are not banks, where financial information is locked up and not shared. This unencrypted information is vulnerable to profit-hungry hacker attacks.

A solution to this is likely to be homomorphic encryption, an impressive technology that allows for the encryption of data-in-use and that has tremendous potential to lock down the most valuable medical information. Specifically, this technology can secure and protect sensitive medical records and personally identifiable information (PII), often the target of cyber thieves.

Notwithstanding the fact that data-rich healthcare records are worth more than 10 times a credit card on the black market, this would shut down the most aggressive “data-focused” hackers.

These improvements will not occur without substantial monetary investment and effort. It’s commendable that hospitals focus overwhelmingly on day-to-day quality of care, but times change, and they must look at their mission with a broader perspective. Because they fail to do so, hospitals typically pay up in almost non-stop ransomware attacks, minimizing the possibility of additional health threats while systems are down.

Among the obstacles that hospitals face in pursuing the path toward change is intensifying merger and acquisition activity in the healthcare sector. IT integration challenges, including different medical technologies, create additional vulnerabilities, as does the need to share information between newly merged organizations.

The reputation of and trust in healthcare organizations depends on their understanding of the true extent of threats and taking sufficient measures to guard against them. The healthcare industry has no choice but to improve its capabilities regarding security. Nothing short of our lives are at stake.

from TechCrunch


Popular posts from this blog

Android blatantly copies the iPhone X navigation gestures

Google unveiled some of the new features in the next version of Android at its developer conference. One feature looked particularly familiar. Android P will get new navigation gestures to switch between apps. And it works just like the iPhone X.“As part of Android P, we’re introducing a new system navigation that we’ve been working on for more than a year now,” VP of Android Engineering Dave Burke said. “And the new design makes Android multitasking more approachable and easier to understand.”While Google has probably been working on a new multitasking screen for a year, it’s hard to believe that the company didn’t copy Apple. The iPhone X was unveiled in September 2017.On Android P, the traditional home, back and multitasking buttons are gone. There’s a single pill-shaped button at the center of the screen. If you swipe up from this button, you get a new multitasking view with your most recent apps. You can swipe left and right and select the app you’re looking for.If you swipe up o…

Square launches restaurant point-of-sale platform

Square, which has already made its way into retail stores and service-based businesses (think hair salons, massage therapists, etc), is officially getting into the restaurant business with the launch of Square for Restaurants. Square for Restaurants is a point-of-sale system that handles everything from menu updates, floor layouts, employee scheduling, performance tracking to tip splitting.Usually, restaurants have “some old legacy thing or something else,” Square Seller Lead Alyssa Henry told me.“Historically, we’ve not served this customer segment very well,” Henry said. “With Square for Restaurants, we’re excited to finally be able to serve this customer segment and deliver on a couple of key things that are core to Square but also highly valued by sellers of all types.”This new product is designed to be fast, self-serve, elegant and cohesive, Henry said. It also integrates seamlessly into Square’s existing ecosystem that includes Payroll, Capital and more. Given Square’s ownership…

Recapping the TechCrunch China Shenzhen 2018 event

This year we returned to Shenzhen, the Chinese city known as the world’s ‘Silicon Valley for hardware,’ for an event that was packed full of future-looking discussions, innovative startups, experienced founders, VCs and more.We love Shenzhen. Sure, Beijing has Zhongguancun and Shanghai has its international and diverse entrepreneurial community. But Shenzhen has a certain je ne sais quoi, an energy that pervades the entire city. Maybe it’s the great weather or maybe its youth of the place — both the residents and the age of the city itself — but every time we come to this southern city, we’re amazed by the people, projects, and companies thriving here.#Shenzhen, not Beijing or Shanghai, is the forerunner of Chinese innovation, says @ganglu, founder and CEO of TechNode— TechNode (@technodechina) November 19, 2018 This year was no different. From blockchain smartphones to battling robots, from hackathons to VC speed …