The health information system, which ranges from electronic patient records to medical devices, is more vulnerable than one might imagine. And the stakes are far too high to turn a blind eye to this thorny issue.
Today, on the black market, patient data sells for up to 20 times the price of payment card data stolen, for example, in a hack targeting a retailer. Medical data is detailed, rich and full of the information that cyber criminals look for to commit identity theft and other fraud. In addition, patients take much longer to realize that their health information is being misappropriated, up to a year for some patients. To identify fraudulent use of payment cards, banks have algorithms that quickly flag suspicious activity and often automatically take appropriate security measures. These security measures do not exist in the medical field.
Health care providers themselves do not always realize how vulnerable the many systems they use are to cyber-attacks:
Traditional cyber-attacks
These attacks, which target organizations of every profile, are carried out through malware, phishing, Trojans or ransomware. Compared to other industries, health care is particularly vulnerable because it lacks integrated safeguards and gives security a lower priority. This malware, whether deployed through targeted attacks, hacked websites or infected mobile devices, leads to the disclosure of confidential data, high costs and particularly time-consuming post-incident restoration work.
These attacks are not really new, but they are becoming more sophisticated and the loss of patient data is a real problem. Cyber criminals have designed entire malware platforms that can be customized to attack health care providers.
Connected medical devices
Today, from heart monitors to infusion pumps, all equipment can be connected to a network and interface with electronic patient records, allowing real-time alerts for healthcare staff to be activated. This interactivity is, from the patient's perspective, good news. But in terms of security, it's more of a nightmare.
The majority of this equipment, including MRIs, scanners and other diagnostic equipment, was not designed with security as a priority. Many devices run operating systems like Microsoft Windows and software designed to collect data, and not necessarily to keep it safe. Hacking these devices is therefore possible, and once they are compromised, cyber criminals can directly access the clinical data systems with which these devices are interfaced.
Patient data is not the only resource that can be hacked via connected devices. Cyber-terrorists could potentially manipulate machines and harm patients. In fact, as early as 2011, a security researcher demonstrated that an insulin pump could be hacked and used to inject a lethal dose of insulin.
Personal and home health equipment
Health devices are proliferating far beyond hospital walls. More and more personal health equipment, health applications and fitness coaching tools are collecting and transmitting data. These systems can potentially put patient data at risk (or at least not provide perfect protection), and they also often interface with electronic patient records or systems hosting clinical data. While a glucose control device or a health app on an iPhone may be the target of attacks, these vulnerabilities also apply to health care institutions. The priority of clinical devices is to offer new modalities for practical, innovative and efficient patient care. Security is less of a priority.
Health care security should not have to wait for patient data hacks to succeed before it becomes a priority. We need to be concerned about it now. The healthcare sector as a whole must take proactive action and focus on equipment with built-in security, but also on active protection at the network and application level. The stakes are simply too critical to afford the luxury of waiting.
Find out more: www.fortinet.com