Malicious Actors and Medical Data: Where Are We Heading?

March 12, 2020 | Devin Morrissey


Data is the hottest commodity in town, particularly on the dark web. But there’s one type of file that hackers are most interested in: your medical data. Whereas a credit card number or Social Security number can net a criminal $1-$15 depending on the data type, medical records can sell for the equivalent of $60 each (in Bitcoin).

What’s more, the theft of these files isn’t uncommon. Despite U.S. healthcare organizations’ mandatory compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, healthcare topped the charts for the number of data breaches in 2018. And hackers don’t need to break in to get the data: over half the incidents reported were the product of internal threats, either errors or bad actors.

As the medical community becomes more and more reliant on internet-connected technology and generates record amounts of personal data, they’re going to need to learn how to scale their cybersecurity efforts to the same extent. Patients’ privacy and even their lives depend on it.

The Medical Community Needs to Get Better at Security

Stories of hacked machines, demands for payment, and blackmail are appearing in the media with greater frequency than ever. That’s no surprise: ransomware attacks are a growing threat for healthcare organizations. Why? Because in a life or death situation, a hospital needs to decide whether to pay the hacker or lose the patient.

The medical community increasingly faces threats at a greater rate than many other industries. Unfortunately, its security training practices match neither the growing occurrence of those threats nor the obligation healthcare providers have under the law: a study by Kaspersky Lab in 2019 noted that only 29% of respondents knew and understood the HIPAA Security Rule, a fundamental part of their job. What’s more, 40% of workers weren’t aware of their organization’s cybersecurity rules and measures.

It’s easy to believe that nurses, doctors, and administrative staff don’t need comprehensive cybersecurity training, and that security should be the IT department’s role. Unfortunately, cybersecurity doesn’t work that way: hackers aren’t scaling walls to get into healthcare systems; they look for open doors first. And when a doctor or nurse doesn’t know how to encrypt their email, uses weak passwords, or clicks on an email infected with malware, the hacker can walk right in.

Hackers Get in Through the Most Unlikely Doors

The problem goes beyond what happens within the confines of a doctor’s office or hospital setting. As healthcare organizations connect with patients through their personal devices, they’ll have to secure not only their own devices and programs but also compensate for side doors created through other unsecured apps and platforms.

In 2020, researchers reported that hackers were using the Google Play platform to distribute apps that screenshot sensitive user information. To do so, they were exploiting a rooting vulnerability within the Android operating system, which allowed them to gain full control of Google phones as well as other Android models. Google patched the vulnerability once discovered, but it sent a strong message to security experts elsewhere: even if your app is secure, others aren’t.

Hackers aren’t just relying on Android users to fall for dodgy apps or links. In 2018, security reporters found that hackers were using a bug in Google Maps to redirect users to malware-laden sites. People use Google Maps because it holds enough data to make their journeys easier and provides things like estimated arrival time.

The healthcare industry needs to accept responsibility not only for its own security apparatus but also for the weaknesses in others.

As Medicine Generates More Data, More Care is Needed

Trends like big data are going to bring healthcare to the next level: they will be what causes major breakthroughs in research and what helps empower patients to take care of their own health via opportunities to use that data for self-education. Patient engagement apps, chatbots, and wearable tech will help patients seek out care and improve satisfaction and health outcomes. But the number of types of data they’ll generate and the devices it will come from will also mean that the healthcare sector can expect to see a commensurate number of vulnerabilities.

Not only will data put a bigger target on healthcare’s back, but all these new ways of collecting data will increase the number of vulnerabilities exponentially.

The time for healthcare organizations to lead the pack in cybersecurity was years ago. Unfortunately, the industry’s lag has meant that patients’ data has wound up for sale on the dark web to anyone with enough Bitcoin to buy it.

If healthcare truly wants to make the most of the potential offered to it by new technologies, the sector first needs to get back to basics and start with employee education. Investing in employees as well as firewalls is what will protect patients on their journey to empowerment — and it’s likely to save lives.

About the Author: Devin Morrissey

Devin prides himself on being a jack of all trades; his career trajectory is more a zigzag than an obvious trend, just the way he likes it. He pops up across the Pacific Northwest, though never in one place for long. You can follow him more reliably on Twitter.
