A visit to Dr. Blackhat
Targeted cyberattacks against various industries have become increasingly common in recent years. The healthcare sector is no exception. In 2015, this reached its peak, especially affecting United States (U.S.) based healthcare companies, with more than 113,27 million records being exposed.
The U.S. has implemented a strict healthcare regulation called the Health Information Technology for Economic and Clinical Health Act (HIPAA). Other countries don’t operate under such regulations and therefore, even if similar breaches happen worldwide, most statistical data originates from the U.S. For example, at the beginning of this year, an estimated 2,7 million recorded calls from the Swedish national healthcare service hotline was found publicly accessible due to storage on an entirely unencrypted system. No password or any other sort of authentication was required.
The data was stored with a third party called MediCall registered in Thailand. The whole breach included 170,000 hours of sensitive conversations about medical conditions. As this incident shows, more and more third parties are entering the health supply chain and thus increasing the risk of data loss.
There are various reasons why there is an increase or perceived increase in data breaches in healthcare. We say ‘perceived’ because the actual number of occurrences of breaches was not extensively high, but when breaches occurred, they affected large electronic systems with a large number of compromised health records. According to a study that collected data on breaches between 2010 and 2017, 2149 breaches were reported to the US Health and Human Services Office for Civil Rights with a total amount of 176,4 million compromised health records (McCoy TH, Perlis RH, 2018).
While the most common media for data loss still seems to be paper and film, the largest share of breached records accounts for information breaches from network servers (ibid.). Therefore digitalization of the industry plays an important role when looking at data breaches in the healthcare sector. Especially, since breaches that concern digital information can remain undetected for a long time period in comparison to a physical medium that contains health data.
The healthcare sector as any other sector is undergoing immense changes towards digitalization. Digital healthcare can empower patients to receive better health services, for example, better tracking over time, timely reminders of screenings and preventative checkups, sharing of medical history cross health providers, etc. Therefore, by digitalizing health data, the data becomes more accessible. The intent of the industry is to increase accessibility for authorized users to increase information sharing and collaboration for better patient care.
The side effect of this is an increase in the attack surface because the healthcare sector is not mature enough to secure their assets. Knowledge and awareness, as well as budget, might not always be sufficient for securing health data and addressing security issues. When we refer to health data, which will be the term moving forward, we understand health data as information that describes physical and/or mental health, the provision of health services, such as administrative data (personal identifiable information (PII), financial data), insurance claims data, patient disease registries (registries for collecting clinical data of the population) and clinical trial data for research.
The healthcare sector is not the only sector that increases its attack surface through digitalization but the health data they are processing and sharing is, first of all, of very sensitive nature and that makes it crucial for them to protect patients health data. Secondly, health data has many purposes due to the variety of data within one health data record. An attacker can choose to leverage only the PII data, the financial data or the medical history part of this record for a specific purpose, amongst others, fraud, identity theft and/or physical harm. Especially in the latter, health data cannot be changed regarding medical conditions, social security number, or date of birth – this data is connected to a patient for a lifetime; once compromised, always compromised.
Besides unauthorized access to databases of health data, another cause for an increased attack surface of the healthcare sector is insecure connected medical devices, or IoT medical devices serving as an entry point for attackers.
Medical devices such as heart rate monitors or insulin pumps were designed to serve a medical purpose. Security features – until now – are often not considered when developing such devices. The devices themselves might not have data storage capabilities but provide an entry point to servers and other network devices that do store sensitive data or provide the opportunity to install malicious software, e.g. ransomware. The most well-known campaign was WannaCry in 2017, which disrupted and impacted the National Health Service (NHS) hospital and GP practices in the United Kingdom by disrupting approximately 19,000 appointments and surgeries.
This ransomware outbreak cost the NHS almost £100 million. In 2018, a malware dubbed Kwampirs targeted healthcare cooperations in the U.S., Europe, and Asia. The malware seemed to target systems that had the software installed to use and control MRI’s and X-ray machines. Only recently, the U.S. based Grays Harbor Community Hospital and Harbor Medical Group were infected, as a consequence medical records, prescriptions, and other functions were down.
While direct patient care was not impacted by the attack, patients were asked to bring their prescriptions and other medical histories in physical form so that the staff could access that information. The ransom demanded was $1 million.
Additionally, medical devices can be disrupted remotely and cause severe (physical) damage to a patient. While medical devices are playing a significant role when considering vulnerabilities for the healthcare sector, they will not be further explored in this research, the focus will be on compromised health data and what an attacker can do with them.
Therefore, we would like to explore the question of why health data is so attractive for attackers; and what an attacker can do with stolen health data. In order to explore these questions, we have the following hypothesis:
Health data is more attractive to an attacker because it brings more value due to its multitude of information, e.g. financial data, PII, medical history.
Stolen health data is sold for a higher price per record on online markets in comparison to other stolen data such as financial data.
Targeted cyberattacks against various industries have become increasingly common in recent years. The healthcare sector is no exception. That’s why we research two hypothesises. Read all about our findings and recommendations in this whitepaper.