Healthcare: a cyber battlefield of choice?

Leak of medical records, cyber attacks: is health a target?

Health under attack!

Concerning reports of leaked personal data available for sale onto the dark web also coincide with alarming headlines on cyber-attacks hitting hospitals in different parts of the world. What sounds weirdly like an elaborate Wellsian prank turns out to be a dead serious pattern which health stewards ought to give consideration.

Mid-February, not far from Lyons, France’s second largest city, a coordinated cyber-attack froze all information systems of a network of three hospitals. This came shortly after another hospital in the South-West saw its data encrypted and inaccessible. Last year, the regional teaching hospital of the Normandy region suffered a similar ordeal.

All attacks bore the same trademark: a crypto-virus which blocks all IT systems until a ransom is paid. Ryuk is the name of this probable Russian trickbot. As Health Tech magazine explained back in October 2020 Ryuk is

A highly infectious ransomware that encrypts network files and disables Microsoft Windows System Restore. That means stolen data can’t be recovered without external backups.

While the French national information systems security agency collaborates with regional health authorities to try and strengthen the safety of IT-intensive health information systems, the threat grows steadily for hospitals which are prime targets for cyber pirates, in particular at times of COVID-19.

The raging pandemic entails shortage of staff, over-utilization of resources coupled with the necessity to respond to emergency flows. Information systems are therefore at their most vulnerable, with the development of teleworking arrangements further fragilizing health networks.

A solution pointed out by Health Tech magazine? Protect sensitive data with network segmentation so critical information doesn’t reside on the same server and network segment as the email environment. Read more about Health tech’s analysis on this cyber threat: click here.

Was patient’s health impacted? Well, in many cases redispatch of emergency cases to other hospitals proved possible and relatively seamless, while rudimentary logging and case documentation systems could be put in place while full access to electronic records and health information systems was restored.

Hospitals: the weakest digital link?

Truth be told, the healthcare providers’ exposure to digital risks and in particular ransomware is not exactly new. Already in 2016, US-based Wired magazine try to raise the issue of “why hospitals are the perfect targets for ransomware”. In one particular article, the drivers behind this alleged vulnerability were underlined by a tech security expert:

If you have patients, you are going to panic way quicker than if you are selling sheet metal," says Stu Sjouwerman, CEO of the security firm KnowBe4. Hospitals are a good target for another reason as well: they "have not trained their employees on security awareness ... and hospitals don’t focus on cybersecurity in general…

At the time, hospitals across the US were experiencing the strain of ransomwares, some care providers having to pay to recover access to data and operating systems (one medical centre for instance had to transfer $17,000 in bitcoins). Click here to read Wired’s article on hospital ransomware.

Health data for sale: the dark web as a marketplace

In addition to these appalling and despicable to blackmail health providers to pay ransoms, cyber pirates also organize leaks of health data and siphoning down of electronic medical records which are then auctioned on the dark web.

Start-up CybelAngel raised a flag on 12th February to underscore the biggest yet identified leak in France with 491,840 hospital records available on dark web fora for sale. Personal health data can be valued up to $1,000 per person according to Ask website (click here to read more).

What was the content of these files?

The documents indicate identity, email addresses, health status, blood types, health insurance numbers, GPs, as well as personal health data ranging from pregnancy, treatments or even pathologies including VIH status!

Earlier on in December 2020, CybelAngel already raised alarm at the availability of a staggering  45 million medical images available online. The results of their investigation was published in a report named “Full body exposure” which echoed through the digital world and served to highlight the structural weaknesses of information systems: click here to download the report.

CybelAngel tools scanned approximately 4.3 billion IP addresses and detected more than 45 million unique medical images left exposed on over 2,140 unprotected servers across 67 countries including the US, UK, France and Germany.

Immediate questions arising for decision makers in health and pertaining to the security of health data include:

• The practical steps to prevent breach of confidentiality of health data
• The operationalization of patients’ rights to confidentiality
• The partnering solutions between public and private experts to shift the level of security of health information systems
• The realistic chances of prosecuting cyber thieves and enforce protective regulations.

How to prevent or mitigate hospital cyber-attacks?

Based on good practices recommended by IT experts and healthcare information systems specialists, hereunder are a number of first steps which may help healthcare providers prevent or at least stave off the direst effects of data breaches in hospital contexts.

• Update and adapt

Ensure regular update of your OS, security patches and through your SLA or in-house security routines automatic anti-malware upgrades

• Locks and keys

Password nomenclature and policies shall help enforce a security grade commensurate with the access to sensitive data, but also needs recurring change and exclusivity procedures contributing to limiting risk exposure.

Access to programmes, software and web-based must be strictly in accordance with a risk mitigation plan and a digital tool strategy.

• Back up and plan

Restrict use and access: by minimizing the amount of data available as well as programmes that can be run risks are mitigated and exposure to outside malware limited. Sensitive, personal and or proprietary data have to be stored in secure servers or offset to external secured storage spaces.

• Train and develop

Beyond the skill mix available at IT network administration level or through outsourcing of network security maintenance, it may be worth investing in staff’s capacities to prevent, detect and react to cyber threats of any kind, including quick reaction to ransomware.