Security In Smart And Connected Health
Ever since healthcare services integrated technology and the landscape of information flow changed, the industry has been tasked with addressing portability, accessibility, and patient data security. To understand the implications of confidentiality and privacy in smart and connected health, it is worthwhile to understand why hospitals and healthcare institutions are such a profitable target for cyber-attacks. The primary reason is that Personal Health Information (PHI) is of a much higher value than Personally Identifiable Information (PII). While this might seem counterintuitive initially, it makes a lot of sense. A scam email, professing a life-saving drug, targeting a patient suffering from a rare condition, has a higher likelihood of success than a credit card call. Everyone gets paranoid when it comes to health. Leaked medical information can have several nefarious applications ranging from fraudulent insurance claims to resale of medical equipment [1].
Healthcare institutions have a very dynamic network topology owing to the time-sensitive nature of the industry. They maintain massive amounts of patient data and are also responsible for handling an immensely complicated network of connected medical devices. We have enhanced the functionalities of medical devices, and thanks to ML and AI, we can save more lives every day. However, none of these devices were modeled with security or privacy in mind. Security is often an afterthought, rarely included in designing an algorithm, software, or system. This makes medical technology an easy choice for attackers [2]. Further, doctors, nurses, and other healthcare staff rarely have a desk job where they can physically keep their devices secure. They need quick access to patient information on the go. Patient data needs to be easily and quickly accessible because every second counts.
Ransomware attacks in healthcare have grown exponentially in the last decade. Ransomware typically requires attack vectors to enter and propagate through the network. Phishing and social engineering are some of the most prevalent attack vectors out there, and healthcare professionals are lucrative targets for social engineering attacks. Indeed, a significant percentage of healthcare data breaches in 2019 [3] started with phishing emails. Several machine attack vectors are equally dangerous. Malvertising uses malicious advertisements as the source for malware to be downloaded onto the victim’s system. Sometimes, a victim simply visits a malicious web page and causes an unintentional malware download. This is called a drive-by attack. Once the malicious software infects a victim’s system, it restricts user data access until a ransom is paid. Hospitals often have critical situations to resolve. These can get held up in case of a ransomware attack, which is why healthcare institutions have a general tendency to pay the ransom. This is primarily what makes malicious actors target medical facilities.
Business Email Compromise (a common form of email fraud) occurs when an attacker spoofs emails and other account information to trick pharmaceutical vendors into initiating money transfers or dispensing prescription drugs [4]. This attack disrupts the general functioning of any institution, not only healthcare. Another very common threat is that of DDoS attacks. While the other attacks compromise data confidentiality, DDoS threatens availability by bombarding the infrastructure with traffic. Coupled with urgent network dependency in healthcare, it can cause significant inoperability leading to catastrophic outcomes if not thwarted.
Healthcare institutions must, therefore, have robust defenses in place to combat each of these threats. As with all IT infrastructure, setting up firewalls and intrusion detection/prevention systems forms the most basic line of defense. It might also be worthwhile to partner with a company offering DDoS mitigation services. Appropriate cybersecurity response policies need to be set up for each threat. These need to be flexible enough to incorporate detection, prevention, and recovery strategies. One of the most important safeguards against cyber-attacks is providing cybersecurity training to all medical staff [5]. It is easy to see how most of the attacks occur or propagate due to a lack of awareness. Healthcare professionals are indispensable to society, but they are simply not trained to think about cybersecurity risks. Providing security training and following the basic security principles of least privilege and fail-safe defaults, coupled with periodic security audits, can help identify and intercept attacks. Prevention is always better than cure.