According to a report by the Identity Theft Resource Center published earlier this year, the healthcare sector suffered nearly half of all the reported cyber-attacks over the past year. More recently, the Federal Bureau of Investigation warned that the cybersecurity standards of the healthcare sector, unlike those of other sectors such as the finance and consumer retail industries, were substantially below the levels required to protect its systems from unauthorized access or intrusion.
As the world has increasingly moved online, so has healthcare. Nowadays, with electronic health records, the ability to contact our physicians directly, and technologies as different as Apple’s new health app and Fitbit’s tracking device that counts the number of steps you take in a day, many of us are more likely to interact with our healthcare online than to go to the hospital. Indeed, the information technology revolution continues to offer the healthcare sector a range of options that can and do make its work more effective and the lives of its patients more comfortable, including medical information storage and transportability, health monitoring and medical data analysis, all accessible from any hospital computer, laptop or mobile device with an Internet connection. To be sure, the aggregation of so much private information about so many people under one roof makes the sector an extremely tempting target for the cybercriminal. Unlike the data held by a bank or retailer, healthcare information is much more personal and reveals far more about an individual than just her credit or debit card number.
But why is the healthcare sector so vulnerable? While the healthcare sector has followed the popular trend to “go online”, many healthcare providers have been slow to adopt the precautions and security measures needed to protect their networks, databases and information against unauthorized access. One of the main reasons for this, experts say, is that healthcare information has only recently been recognized as a valuable commodity. Traditionally, the healthcare sector was rarely the subject of a cyber or criminal attack, so there seemed to be neither a need nor a budget to actively defend against the kinds of intrusion that were thought to be necessary to guard against in the finance and consumer retail sectors. Accordingly, the increased use of information technology in the healthcare sector, combined with the potential payout for healthcare information, has led to the increased targeting of healthcare providers for cyber-intrusion. Moreover, the lack of security precautions has made gaining access to a healthcare provider’s computers or network fairly easy.
Fortunately, the intrusions reported so far have been somewhat limited in size and scope. But that does not mean a more massive attack has not already been planned or reported, or that one will not take place in the future. Indeed, the current vulnerability of the healthcare sector to cyber-intrusion has made many wonder what would happen if a cybercriminal orchestrated a large-scale and persistent cyber-attack before any of the known vulnerabilities are resolved.
If an attacker were able to gain complete access to a hospital’s network, there would be both direct and indirect consequences. Direct consequences are those that affect the targeted computer’s or network’s integrity, functionality, authenticity and/or availability. A direct consequence of gaining access to a hospital’s environmental control systems, for instance, might be the shutdown of vital systems such as electricity or water, which in turn could lead to the death or harm of patients who need power for the operation of a pacemaker. Another direct impact is possible if, for example, an attacker were able to tamper with the functionality of a medical information database or knock an appointment scheduling program offline. The inability to provide proper prescription dosages or to schedule timely medical examinations could lead to direct injury or harm to patients both inside and outside of the hospital.
Indirect consequences affect systems that interact with the targeted computer or network and the people who rely on them. For instance, a cyber-attack on a hospital’s patient database may not have a direct impact on the life or safety of a patient, but it could expose both patients and staff to financial loss. Healthcare providers, like financial institutions and retailers, often require and store important financial information such as credit card data or bank account numbers. An attacker who could access this information could use it to make unauthorized purchases or account debits. Additionally, access to a healthcare provider’s database may also give an attacker a path into a financial institution, such as a hospital payment system, that yields further access to the financial data of patients as well as of the institution’s other customers. Again, this does not directly impact the patient medical records or the hospital’s payment system, but it does affect the bank or credit card companies that interact with that system.
Alternatively, a cyber-attack might have the indirect impact of exposing a patient to fraud and identity theft by giving an attacker a wealth of information about that patient, ranging from his social security number, address, driver’s license information and employer to his medical information. This information could be used to construct a fictitious identity with which to apply for new credit cards, loans and passports or to file false claims with insurers (RSA, 4). Consequently, the initial direct cyber-attack on the hospital database leads to the indirect theft of a patient’s identity. A further example of an indirect impact is a cyber-attack on a hospital’s computer or database that gives a drug trafficker access to a patient’s drug information or, in the extreme case, unauthorized access to the drug maker or supplier. This access can allow an attacker to use the information to fill fake prescriptions, send drug shipments to a bogus address where they can be picked up by the attacker, or otherwise obtain drugs without paying for them. Once obtained, the drugs can be resold by the traffickers on the street or online (RSA, 5) for profit.
While the impacts of a cyber-attack against any institution are inherently uncertain, the fact that healthcare providers store, or have connections to, vast amounts of highly personal information makes an attack against a hospital or healthcare system more uncertain still, not only in terms of the attack’s direct consequences on a targeted computer or network but also in terms of all the indirect consequences that could flow from an attacker’s unauthorized access.
References
GAO. (2012, August). FDA Should Expand its Consideration of Information Security for Certain Types of Devices. Retrieved on June 3, 2014, from http://gao.gov/assets/650/647767.pdf
ITRC. (2014, June). 2013 Data Breach Stats. Retrieved on June 4, 2014, from http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2014.pdf
Filkins, B. (2014, February). Health Care Cyberthreat Report. Retrieved on June 5, 2014, from http://pages.norse-corp.com/rs/norse/images/Norse-SANS-Healthcare-Cyberthreat-Report2014.pdf
Finkle, J. (2014, April 23). Exclusive: FBI Warns Healthcare Sector Vulnerable to Cyber Attacks. Retrieved on June 5, 2014, from http://www.reuters.com/article/2014/04/23/us-cybersecurity-healthcare-fbi-exclusiv-idUSBREA3M1Q920140423
O’Harrow, R. (2012, December 26). Health-care Sector Vulnerable to Hackers, Researchers Say. Retrieved on June 3, 2014, from http://www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_story.html
RSA. (2013). Cybercrime and the Healthcare Industry. Retrieved on June 5, 2014, from http://www.emc.com/collateral/white-papers/h/12105-cybercrime-healthcare-industry-rsa-wp.pdf