Subscribe

Patient data turns gold mine for hackers

The black market for patient data is up to 20 times more valuable than that for credit card data, says Fortinet.

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 03 Mar 2015
Most of the devices and machines being used in the medical industry were never designed with security in mind, says Perry Hutton, regional director at Fortinet Africa.
Most of the devices and machines being used in the medical industry were never designed with security in mind, says Perry Hutton, regional director at Fortinet Africa.

As more technology enters the medical fraternity to improve healthcare, cyber criminals are targeting the sector more.

So says Perry Hutton, regional director at network security solutions provider, Fortinet Africa, who notes today, the black market for patient data is up to 20 times more valuable than that for credit card data often stolen in retail breaches.

According to Hutton, healthcare data is detailed, rich, and full of information that cyber criminals can use for identity theft and fraud.

More importantly, he adds, it takes far longer for patients to know their information has been compromised - it can take up to a year or more for someone to come to this realisation.

"When a credit card is stolen, algorithms in the financial industry pick up unusual activity very quickly and systems often automatically provide protection. These same protections simply don't yet exist in healthcare," he says.

Breach magnitude

A recent study by Gemalto notes no other industry experienced as many data breaches as the healthcare sector, which had 391 such incidents in 2014. Gemalto says that amounted to one-quarter of all the breaches reported for the year.

The digital security company reveals healthcare organisations last year had 29 384 567 data records compromised in these attacks, and the average records lost per breach for the industry was 75 152, compared with 49 000 in 2013.

Among the top breaches in healthcare last year were the Korean Medical Association, with 17 million records exposed in an identity theft attack; Community Health Systems, with 4.5 million records in identity theft; and the State of Texas Department of Health & Human Services, with two million records in identity theft, says Gemalto.

Doros Hadjizenonos, sales manager at Check Point SA, says the recent attack on Anthem, the second-largest health insurer in the US, which exposed identifiable personal data of tens of millions of people, has again put cyber security in the spotlight, especially as identity theft is on the increase in SA.

"The attack on Anthem was probably not a smash-and-grab raid but instead a sustained, low-key siphoning of information over a period of months. The breach was designed to stay below the radar of the company's IT and security teams, using a bot infection to smuggle data out of the organisation," says Hadjizenonos.

Customised attacks

Hutton notes these attacks on the medical industry are not really new, but their sophistication is and the ability to expose patient data is of real concern. Cyber criminals have developed entire malware platforms that can be customised to attack healthcare organisations, he points out.

"Today, everything from heart monitors to infusion pumps can be networked, automatically interfacing with electronic health record systems and providing real-time alerts to healthcare providers. From the perspectives of patient care and operational efficiency, this is a good thing. From a security perspective, it's a potential nightmare," Hutton states.

He believes most of these devices, as well as magnetic resonance imaging machines, CT scanners and countless other diagnostic machines were never designed with security in mind.

"Many diagnostic systems use off-the-shelf operating systems like Microsoft Windows while other devices use purpose-built software designed to collect data - not keep it safe. Too many of these devices are eminently hackable and, once compromised, can provide hackers with unfettered access to the clinical data systems within which they interface."

According to Hutton, it isn't only patient data that's vulnerable through connected devices. He notes cyber criminals and terrorists could potentially manipulate machines to intentionally harm patients or shut down critical systems in hospitals. As early as 2011, he adds, one researcher demonstrated how an insulin pump could be hacked to deliver a lethal dose of insulin.

"Healthcare security should not be addressed when medical records are breached. The time is now. The healthcare industry as a whole needs to be proactive and begin deploying systems with security baked in, protected at both the network and application levels. The stakes are simply too high to wait," Hutton concludes.

Share