According to a WhiteHat Security report issued in November 2018, the healthcare sector (along with finance and retail) showed fewer serious vulnerabilities per site in 2018 than in the previous year. This is perhaps due to the sector's increased investment in cybersecurity; however, vulnerability reporting remains slow, and the window of exposure for serious vulnerabilities in healthcare is worryingly long. Despite this seemingly improved state of cybersecurity, healthcare remains the industry most affected by data breaches (which are often caused by negligence rather than by cyber attacks): 27% of all breaches in 2018.
The SingHealth data breach was perhaps one of the biggest of 2018: about 1.5 million outpatient records were exposed after Singapore's healthcare network was hacked in an alleged attack targeting the country's Prime Minister. The breach, which began with the hackers gaining access to a single medical workstation, exposed detailed patient records, including addresses, race, age, gender and national ID numbers. Interestingly, a large proportion of healthcare organisations consider insider threat a major cybersecurity issue and turn to user and entity behaviour analytics (UEBA) technology to detect such threats before they materialise.
How health data can be at risk
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard of protection for sensitive patient data and must be adopted by any company that handles medical data; it covers physical and technical safeguards for data transmission, storage and processing. Cloud infrastructure remains one of the most frequent targets of cyberattacks, mainly because of the high payout it offers in terms of the quantity and quality of data. Healthcare services usually rely on third-party cloud storage providers, but nevertheless carry liability for any misconfiguration or cyberattack that results in a data leak. Using a VPN to protect access to cloud storage holding sensitive medical data is one cybersecurity measure that matters not just for healthcare providers but also for end users. Encryption is a necessary basic measure for every online operation you conduct with your health data. A good VPN provider will ensure that whenever you connect to the internet and use a health app or access your electronic medical records, your traffic is encrypted in transit and protected from interception by third parties.
Healthcare data is highly prized on the black market (and therefore sought by hackers) for a reason: it contains personal and private information that is usually unalterable (biometric data, medical history), sensitive (history of substance abuse, HIV/AIDS status) and extremely valuable to insurance providers.
Protect your own data
As the healthcare industry continues to adopt network applications and tools, patient data must remain secure and private. The responsibility lies, of course, primarily with the healthcare provider that collects and stores patient data. But today we access medical services not just at the hospital, ER or pharmacy. Health apps on a smartphone allow us to monitor our heart rate, calorie intake, daily physical activity and much more, and many of these apps connect through IoT to wearable devices (bracelets, or even an actual heart monitor).
Many 'hacking' attacks are built on social engineering. The human end user, or a staff member of a healthcare facility, is the main entry point for hackers seeking access to personal records. Medical identity theft is a serious issue, as it can result in another person using your insurance number for fraudulent claims. Phishing emails prompting you to submit your health data have become a routine tactic of lazy hackers: they usually contain the words 'urgent' and 'immediately' and appear to be sent by your company's HR manager or an insurance representative. When targeting employees of a healthcare facility, the most common phishing emails are fake payment notifications or message alerts prompting the recipient to click a link. Training and phishing simulations must become routine workplace practice to mitigate these risks.
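As an added example (not from the original article), a small Python scoring heuristic that flags the indicators described above: urgency wording, a sender posing as HR or an insurance representative from an outside domain, payment/alert lures carrying a link, and requests to submit health or insurance data. The weights, the threshold, the internal domain clinic.example and the three sample messages are constructed assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Indicators the article describes: urgency wording, a sender posing as HR or an
# insurance representative, payment/alert lures carrying a link, and requests to
# submit health or insurance data. Weights and the threshold are assumptions.
URGENCY = ("urgent", "immediately")
ROLE_WORDS = {"hr", "insurance"}  # matched as whole words of the display name
LURE_WORDS = ("payment", "invoice", "alert", "notification")
DATA_REQUESTS = ("insurance number", "medical record", "health data")
LINK_RE = re.compile(r"https?://[^\s>]+", re.I)
THRESHOLD = 3

def score_email(raw: str, internal_domain: str):
    msg = message_from_string(raw)  # parse one RFC 822 message string
    display, addr = parseaddr(msg.get("From", ""))
    external = addr.rpartition("@")[2].lower() != internal_domain.lower()
    subject = msg.get("Subject", "").lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = subject + "\n" + body.lower()
    name_words = set(re.findall(r"[a-z]+", display.lower()))
    claims_role = bool(ROLE_WORDS & name_words) or "human resources" in display.lower()
    checks = [  # (weight, reason, triggered?)
        (2, "urgency wording", any(w in text for w in URGENCY)),
        (3, f"'{display}' writes from external address {addr}", claims_role and external),
        (3, "payment/alert lure with a link", external and bool(LINK_RE.search(body)) and any(w in subject for w in LURE_WORDS)),
        (2, "asks for health or insurance data", any(p in text for p in DATA_REQUESTS)),
    ]
    hits = [reason for _, reason, hit in checks if hit]
    return sum(w for w, _, hit in checks if hit), hits

def is_suspicious(raw: str, internal_domain: str) -> bool:
    return score_email(raw, internal_domain)[0] >= THRESHOLD

# Constructed sample messages (not real mail); clinic.example is the assumed internal domain.
PHISH_HR = """From: HR Manager <hr-benefits@mail-notify.example>
Subject: URGENT: confirm your insurance number immediately

Coverage lapses today. Submit your insurance number at https://benefits-update.example/verify
"""
PHISH_PAYMENT = """From: Accounts <accounts@invoice-portal.example>
Subject: Payment notification - action required

A remittance is waiting for you at https://invoice-portal.example/view/8831
"""
LEGIT = """From: Payroll <payroll@clinic.example>
Subject: March payslip available

Your March payslip is now in the staff portal.
"""
```

Such a heuristic is a triage aid for a mail gateway or awareness programme, not a replacement for authentication controls such as SPF/DKIM/DMARC checks.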
Note that you may not always be the first to learn that your medical data has been leaked. In some cases, especially when a database misconfiguration leaves large amounts of medical data openly accessible, users are notified promptly by the provider, or by the media. In other cases, when medical data is stolen to be sold on a dark web market, the breach may go undiscovered for quite a while. In the EU, the General Data Protection Regulation (GDPR) obliges companies by law to report a data breach within 72 hours of discovery. In the US there is no general federal breach-notification law, but industry-specific laws (healthcare and banking) such as HIPAA oblige healthcare data controllers to report data breaches to the affected parties and to the Department of Health and Human Services.