Hospitals and healthcare providers are under increasing attack from cyber criminals looking to extract valuable medical records. Jesper Johansson, CISO at Yubico, looks at what they should do to keep the hackers out.
Medical records are now more sought after by hackers than financial data. According to The Independent, patient information can be worth ten times more than credit card numbers, as it can be used to fraudulently acquire drugs and medical equipment. Records from private patients can be used in combination with a false provider number to file fictional claims with insurers. Cutting-edge research and medical records held at university hospitals also present tantalising targets.
For this reason, attacks on healthcare are on the rise. Cyber criminals are not just using ransomware like WannaCry to exploit vulnerabilities in healthcare providers’ security. Hackers are now exploiting vulnerabilities in networks and targeting staff accounts to plunder the information they hold.
In April alone, a healthcare delivery resources company in Texas revealed that patient data from 29 hospital locations was exposed when its email accounts were targeted, while a California-based medical device manufacturer reported that 30,000 former and current customers may have had their personal information exposed when a company employee’s email account was compromised. The situation is no better in Europe. A Norwegian healthcare provider warned that an unauthorised intrusion into its IT systems may have breached the personal data of over half the country’s population.
Before healthcare providers can effectively protect themselves and their patients online, they must first understand the threats that they are facing. Here we uncover some of the most common techniques for stealing internet credentials, popular and proven methods of defending against these attacks, and best practices to keep data safe:
Attackers can be surprisingly successful at accessing accounts across many sites by guessing common passwords with specific or common usernames. Unfortunately, most people struggle with creating or remembering strong passwords. As a result, it’s common to choose weak passwords for convenience, and to use the same password, or a variant, across multiple sites.
This problem is exacerbated by the large volume of stolen credentials available for sale on the dark web, with hundreds of millions of credentials available to purchase. Attackers routinely try these credentials against other, high-value services. Attackers have also reportedly targeted weaker sites to gain individuals’ credentials and, if they’re successful, they’ll use those same credentials on other sites that they’re actually interested in.
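The two behaviours described above, replaying purchased credential lists against many accounts and hammering one account with guesses, leave a recognisable footprint in authentication logs. The following detection logic is an added example for this article (it is not Yubico's code or anything the author describes); the log line format, the sample lines and the thresholds are all constructed assumptions, and the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample log. The format "<timestamp> user=<name> ip=<addr> result=<OK|FAIL>"
# is an assumption for this example, not the format of any real product.
SAMPLE_LOG = """\
2024-04-01T08:00:01Z user=nurse.adams ip=203.0.113.5 result=FAIL
2024-04-01T08:00:02Z user=dr.baker ip=203.0.113.5 result=FAIL
2024-04-01T08:00:03Z user=admin.clark ip=203.0.113.5 result=FAIL
2024-04-01T08:00:04Z user=nurse.davis ip=203.0.113.5 result=FAIL
2024-04-01T08:00:05Z user=dr.evans ip=203.0.113.5 result=OK
2024-04-01T08:00:06Z user=reception.fox ip=203.0.113.5 result=FAIL
2024-04-01T08:05:10Z user=nurse.adams ip=198.51.100.7 result=FAIL
2024-04-01T08:05:20Z user=nurse.adams ip=198.51.100.7 result=OK
"""
# Twelve failures against a single account from one source (constructed).
SAMPLE_LOG += "".join(
    f"2024-04-01T09:00:{i:02d}Z user=billing.svc ip=192.0.2.9 result=FAIL\n"
    for i in range(12)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_sources(events, many_accounts=5, many_failures=10):
    """Group attempts by source IP and classify the pattern.

    credential-stuffing: one source tries at least `many_accounts` distinct usernames
    (a purchased list being replayed). password-bruteforce: one source produces at
    least `many_failures` failures against a single account. Thresholds are assumed.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "ok_users": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        if e["result"] == "OK":
            s["ok_users"].add(e["user"])
        else:
            s["fails"] += 1

    findings = {}
    for ip, s in per_ip.items():
        if len(s["users"]) >= many_accounts:
            kind = "credential-stuffing"
        elif len(s["users"]) == 1 and s["fails"] >= many_failures:
            kind = "password-bruteforce"
        else:
            continue  # ordinary traffic, e.g. one user mistyping once
        findings[ip] = {
            "kind": kind,
            "accounts": len(s["users"]),
            "fails": s["fails"],
            # accounts where a guess succeeded: these need a forced reset and review
            "compromised": sorted(s["ok_users"]),
        }
    return findings


def analyse(text=SAMPLE_LOG):
    return find_suspicious_sources(parse_log(text))


if __name__ == "__main__":
    for ip, finding in analyse().items():
        print(ip, finding)
```

The success inside the stuffing burst is the important output: a reused password has just been confirmed, so the flagged account needs a credential reset and a look at what that session did, not just a block on the source address.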
Getting the job done, whatever the cost
With strict targets and busy schedules, well-intentioned clinical and administrative employees understandably prioritise the patient’s immediate medical needs. They may borrow or share account credentials, leave devices unattended or unlocked, or mistakenly click on malicious links. These are all common practices that result in breaches.
Healthcare providers have vital work to do, and if security hinders rather than helps them, they will work around controls that slow them down. Staff working between different sites may want to work on the go, but one common pitfall for the well-meaning medic is accessing important accounts and data via unsecured networks such as public wifi. Service providers must plan for this happening and ensure that such connections are secure. Even within a provider’s office or a hospital the service provider should not assume that the network will provide any protection.
Unsecured networks can allow attackers access to the network path and place a fake site between their victim’s computer and the site they are accessing in what’s known as a “Man in the Middle” (MitM) attack. This can enable the attacker to steal login credentials and data if the connection is not encrypted, or if the victim believes the attacker’s system is legitimate.
Phishing attacks are becoming more sophisticated and targeted, and even the most tech- or security-savvy individuals can find themselves a victim. 91% of cyberattacks start with a phishing email. While some are obvious, sent by unknown senders with subjects like ‘Claim your ultimate deal now!’, the far more successful subject lines are the ones that don’t raise much suspicion.
Many phishing emails look like they have been sent legitimately by people known to the user. ‘Urgent – Patient information required’ could be a ploy to weaken the email recipient’s defences through seemingly ordinary alerts. The savvy attacker will study their targets to best tailor the message to the intended recipient.
The body of the email can hold a whole new set of clues, including misspelled words and confusing context. Criminals can also use current or popular events to their advantage. For example, current headlines, causes and natural disaster or tragedy relief efforts are all used to sneak an unsuspecting phishing email into the inbox of thousands of targets.
Hackers are increasingly sophisticated
Hackers today want to stay one step ahead of organisations’ security protocols. PCs that are connected to the internet have large attack surfaces, making them vulnerable to attacks from many fronts, including malware, phishing, malicious apps and WiFi exploits. Attacker objectives, victims and techniques vary significantly, but surprisingly low-tech methods are still yielding significant success. The sad reality is that the attackers do not have to be terribly sophisticated to be successful. That said, we do know that internet credential theft and misuse is involved in nearly 81% of hacker-related breaches. Since stealing someone’s password is relatively easy to do from afar, and there’s little risk of getting caught, it’s become one of the most common attacks in the world.
Having the strongest usernames and passwords isn’t a failsafe method. If the services where they are stored or used are compromised, a hacker can easily access those accounts as well as any others that use the same credentials. In addition, phishing is still immensely successful. Thankfully, practices have begun to recognise that strong authentication is an effective countermeasure.
So how can healthcare providers protect themselves and their patients against the onslaught of credential theft they face?
Prevention is the best protection
Healthcare providers should ensure that security policies and procedures are communicated to all staff. They should take time to educate staff that their duty of care extends beyond patients’ immediate medical needs to protecting their medical records. Regular communication with all staff is key to reinforcing what should be done to prevent breaches, and how to respond in the event of one.
All members of staff with IT access should be advised to follow basic best practice to help protect their accounts. They should never open an attachment or click a link if any aspect of the email seems suspicious, they should be reminded of good habits while using shared computers, and cyber security awareness campaigns should always be encouraged. It is also critical that they only use centrally managed computers for sensitive tasks.
Fail to plan? Plan to fail
While no institution wants to deal with a data breach, those that prepare for one before it happens weather the storm better. Drafting a notice to staff and the public after you get compromised is poor practice, as is only then figuring out how to determine what happened and stop it. A clear and tested response plan helps all parties involved know what to do. This attack mitigation plan must be implemented and championed from the top.
Prioritising the protection of data and systems starts at the top. Building out a senior position with responsibility for cyber security and data privacy is step 1 in ensuring that there is a holistic, comprehensive approach to the security and privacy strategy, and it will also help further leadership buy-in by giving security a place in the decision-making process.
Unfortunately, some attacks are so sophisticated that they can even bypass the savviest of users. Thankfully there are surprisingly easy and affordable ways to protect online accounts from all of these attacks. There are technology solutions that can help such as two-factor authentication (2FA). Many services enable the use of 2FA, which can help protect online accounts, emails and computer logins while helping healthcare providers to protect their most sensitive data.
While there’s no simple fix to prevent cyber criminals from attempting to plunder the practice’s most precious resources, it is possible to keep them from walking out with the data they want. The best way to achieve this is to ensure good cyber security practices are implemented, that these are reinforced throughout the institution from the leadership to every member of staff, and to double-lock accounts using 2FA.