The health information system, which links patients' electronic records to medical devices, is more vulnerable than we imagine. And the stakes are far too high to turn a blind eye to this thorny issue.
Today, on the black market, patient data sells for up to 20 times the price of payment card data recovered, for example, after an attack on a large retailer. Medical data is detailed, rich and full of the information cybercriminals need to commit identity theft and other fraud. In addition, patients take much longer to notice the misuse of their health information, almost a year for some patients. To detect fraudulent use of payment cards, banks have algorithms that quickly flag suspicious activity and often take the necessary security measures automatically. No equivalent safeguards exist in the medical field.
Health workers themselves do not always appreciate how vulnerable the many systems they use are to cyberattacks.
Traditional cyber attacks
These attacks, which target organizations of every kind, are carried out with malware, phishing, Trojans or ransomware. Compared to other business sectors, the health sector is particularly exposed, owing to the absence of integrated protection measures and the lower priority given to security. This malware, whether delivered through targeted attacks, compromised websites or infected mobile devices, leads to the disclosure of confidential data, significant costs and particularly time-consuming post-incident recovery work.
These attacks are not really new, but they are growing in sophistication, and the loss of patient data is a real problem. Cybercriminals have also built entire malware platforms that can be customized to attack healthcare providers.
Connected medical devices
Today, from heart monitors to infusion pumps, all equipment can be connected to a network and interface with electronic patient records, thereby enabling real-time alerts for healthcare staff. This interactivity is good news from the patient's perspective. But in terms of security, it is rather a nightmare.
Most of this equipment, including MRI machines, scanners and other diagnostic devices, was not designed with security as a priority. Many of them run operating systems such as Microsoft Windows and software designed to collect data, not necessarily to keep it safe. These devices can therefore be compromised, and once they are, cybercriminals gain direct access to the clinical data systems with which the devices are interfaced.
Patient data is not the only resource exposed through connected devices. Cyberterrorists could potentially manipulate the machines themselves and harm patients. In fact, as early as 2011, a security researcher demonstrated that an insulin pump could be hacked and made to deliver a lethal dose of insulin.
Personal and residential health facilities
Health devices have spread far beyond hospital walls. More and more personal health equipment, health apps and fitness trackers collect and transmit data. These systems can put patient data at risk (or at least fail to protect it fully), and they also often interface with electronic patient records or systems hosting clinical data. While a glucose monitor or a health app on an iPhone may be the target of attacks, the same vulnerabilities apply to healthcare institutions. Clinical devices are built first and foremost to offer new, practical, innovative and efficient ways of caring for patients. Security is a lower priority.
Healthcare security must not wait for a breach of patient data to become a priority. We have to address it today. The healthcare sector as a whole must act proactively: favor equipment with security built in natively, and also deploy active protection at the network and application levels. The stakes are simply too high to afford the luxury of waiting.