Health care records are a valuable commodity on the black market. And they are becoming increasingly treasured as a person moves through life.
Credit card numbers, phone numbers, and bank account numbers can change when personal data is lost or otherwise compromised. Yet, someone could steal a teenager’s medical history today to see it appreciate in value when the individual increases their equity in life.
What are the dangers of cyber attacks for hospitals?
“The first draw for cybercriminals is the data, and there is a lot of it,” said Fortinet Sales Engineer Roger Bailey in a recent media interview. “The longer someone stays in the hospital using their wireless devices, the more data is generated.” Netflix, anyone while you’re recovering from heart surgery? Or how about running your business while still tied up to intravenous?
The Dark Web thirsts for this type of data because it’s the most expensive. Hackers look for medical histories, billing records and personal information. We’re not aware of studies in Canada that calculate the value of a health record but, in the United States as of last year, medical records could bring $60 apiece. This does not reflect a lack of demand, but an abundance of supply notes the U.S. Healthcare Industry Cybersecurity Task Force Report published in June 2017.
Joel Griffin is the editor of SecurityInfoWatch.com and a veteran of the security industry. He described how the computer systems of Hollywood Presbyterian Medical Center in Southern California were held hostage in February 2017. Hackers demanded millions of dollars in digital currency and the hospital eventually agreed to pay $17,000 in bitcoins to have access to their personnel.
Yes, these reports happened in the U.S. where we Canadians usually hold the moral higher ground. Except cyber attacks are a global phenomenon.
“Unfortunately, hospitals are a magnet for such cyberattacks,” said Bill Tholl, president of HealthCareCAN, an organization representing Canadian hospitals and other health care bodies.
His organization did a survey of Canadian hospitals on this issue in January 2017. They found that half of hospitals responded to the survey, and half of those respondents indicated that they had been hacked.
It’s for this reason that we’ve encouraged hospitals in Western Canada to establish integrated communications systems that include paging systems.
The push back that we often get is a quizzical expression with assertions saying, “But pagers are old school!”
Old school, indeed.
These devices deployed within a critical messaging strategy help to save lives. They are powerful – given the ability to send a VHF (very high frequency) radio signal, typically broadcast in the range 138–466 MHz (like normal FM radio programs).
But the key is they are not connected to power grids that may be attacked or compromised should a hospital be ransomed by cyber mafia. If one transmitter tower stops working, an adjacent tower’s signal would fill in which increases reliability.
Stu Sjouwerman, founder and CEO of IT security firm KnowBe4, said that hospitals must make themselves a harder target if they want to prevent ransomware from infiltrating their networks. This includes having robust backups on all their mission-critical systems, being diligent about patching and conducting security awareness training for all employees.
Ransomware infections to persist
You recall the WannaCry virus built to scan all areas of the web, hospitals and other public-sector agencies reported on by technology columnist Hess Hirsh of the Metro Morning?
He likens the virus to an automated worm “crawling across the Internet, looking for holes in computers.” It just so happens that hospitals tend to offer up some of easiest access on the web.
“It’s not so much that hospitals are being targeted, it’s more that hospitals have old technology that’s particularly vulnerable,” Hirsh explained.
Critical Messaging – Worldwide
In our report titled, State of Critical Messaging in Health Care, we identify another matter when it comes to the large volume of confidential, personal information that must be considered.
For example, what happens when a staff member leaves an organization with confidential information on their phone? It would be difficult to ensure that the information was isolated and kept only with the system.
Our recommendation is to start with an analysis of current hardware and software assets and their readiness to support hospital security, and address any gaps to ensure organizational and clinical readiness.
We also recommend these 7 items for a well-crafted plan:
- Develop guiding principals for equipment selection and placement
- Identify infrastructure requirements and associated costs
- Determine ownership with roles and responsibilities for operating and maintaining the mobile platform
- Define data management criteria, roles, responsibilities processes and policies to support any certification requirements for mobile devices
- Select middleware to interface mobile technology into clinical workflows
- Address privacy and security risks such as malware
- Create standards for mobile device usage
The health care sector is large, complex, and notoriously difficult to manage. We’ll need to move more quickly to beat the Cyber mafia who understand these technical ailments.