Healthcare sectors around the world have seen a spike in demand this year, no thanks to the deadly virus SARS-CoV-2, the strain of coronavirus behind the pandemic that began this year.
With the significant rise in the number of patients going for screening, consultation and treatment, it is natural to ask: how safe is our healthcare data?
IntSights' chief security officer (CSO), Etay Maor, said that although healthcare data safety is something hospitals, clinics and providers take very seriously, unfortunately so do cybercriminals, who will take advantage of the data and profit from it.
"They know that this type of data (healthcare) can be monetised. While there are regulations in place and a constant increase in the investment in cybersecurity in the healthcare sector, at the same time we still witness two particularly important issues: basic security hygiene mistakes, and an increased interest by sophisticated attackers," said Maor.
Basic security hygiene mistakes include unpatched servers, open ports and services, and end-of-life (EOL) systems.
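The three hygiene mistakes listed above are exactly the kind of thing an organisation can check for itself from its own asset inventory before an attacker finds them. The script below is an added example, not code from the article or from IntSights: it runs a simple audit over a constructed inventory (the hosts, roles, EOL platform list, per-role port allowlist and 30-day patch window are all assumptions made for illustration) and flags EOL operating systems, services exposed that the host's role does not justify, and hosts whose last patch date is older than the allowed window.

```python
"""Basic security hygiene audit over an asset inventory (added example).

Everything below is constructed for illustration: the inventory stands in
for an export from a CMDB or vulnerability scanner, and the EOL list and
port allowlist are hypothetical policy, not an authoritative source.
"""
from datetime import date

# Platforms this example treats as end-of-life (assumed policy table).
EOL_PLATFORMS = {"windows-7", "windows-server-2008-r2", "centos-6"}

# Services each host role is allowed to expose (assumed allowlist).
# An empty set means the host should expose nothing externally.
ALLOWED_PORTS_BY_ROLE = {
    "patient-portal": {443},
    "imaging-workstation": set(),
    "database": set(),
}

# Hosts not patched within this many days are flagged (assumed policy).
PATCH_MAX_AGE_DAYS = 30

# Constructed sample inventory.
INVENTORY = [
    {"host": "portal-01", "role": "patient-portal", "os": "ubuntu-20.04",
     "exposed_ports": [443], "last_patched": date(2020, 9, 20)},
    {"host": "pacs-03", "role": "imaging-workstation", "os": "windows-7",
     "exposed_ports": [3389], "last_patched": date(2019, 12, 1)},
    {"host": "emr-db-01", "role": "database", "os": "centos-6",
     "exposed_ports": [3306, 22], "last_patched": date(2020, 7, 1)},
]


def audit_host(asset, today, allowed=ALLOWED_PORTS_BY_ROLE, eol=EOL_PLATFORMS):
    """Return a list of (finding_type, detail) tuples for one host."""
    findings = []

    # 1. End-of-life system: no more vendor security fixes.
    if asset["os"] in eol:
        findings.append(("eol_system", asset["os"]))

    # 2. Open ports/services the host's role does not justify.
    permitted = allowed.get(asset["role"], set())
    for port in sorted(set(asset["exposed_ports"]) - permitted):
        findings.append(("unexpected_open_port", port))

    # 3. Unpatched server: last patch older than the policy window.
    age_days = (today - asset["last_patched"]).days
    if age_days > PATCH_MAX_AGE_DAYS:
        findings.append(("unpatched", age_days))

    return findings


def audit_inventory(inventory, today):
    """Map each hostname to its hygiene findings (empty list means clean)."""
    return {asset["host"]: audit_host(asset, today) for asset in inventory}


def run_sample_audit():
    """Audit the constructed inventory as of a fixed, assumed date."""
    return audit_inventory(INVENTORY, date(2020, 10, 1))


if __name__ == "__main__":
    for host, findings in run_sample_audit().items():
        status = "OK" if not findings else "; ".join(
            f"{kind}={detail}" for kind, detail in findings)
        print(f"{host}: {status}")
```

Run as-is it reports the portal as clean and flags the imaging workstation and database host on all three counts. In practice the inventory would come from whatever asset register or scanner the organisation already has, and the allowlist would be reviewed with the system owners rather than hard-coded.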
FINDING THE RED FLAGS
"The first step is to try and answer three questions -- what do I know about the adversary; what does the adversary know about me; and what do I know about myself?" said Maor, adding that these are three classic cyber security questions healthcare organisations should ask themselves to guard against cyber threats.
What do I know about the adversary?
Do these organisations know which threat actor is targeting them? What tools do they use? What techniques? What are their motives (patient data? ransom? IP? etc.)?
What does the adversary know about me?
Are my employees sharing data unintentionally on social networks? Do I have open services that can be abused? Are they planning an imminent attack?
What do I know about myself?
Do I truly know all my employees, sub-contractors, third parties etc., and what they are allowed to access and how? Can I detect shadow IT? Do I have unclear (or easily circumventable) security processes?
GOVERNING ACT
According to IntSights' regional sales director, Asia, Michael Tan, in Malaysia the Personal Data Protection Act (PDPA) governs how organisations across sectors, including healthcare, process personal data. And since there are many private healthcare practices in Malaysia, patients' data are also protected under the Private Healthcare Facilities and Services Act.
The challenge for healthcare organisations is that a cyber security breach may not stem from the organisation itself but could result from a breach at a third-party vendor.
"While not mandatory in Malaysia, healthcare organisations should look to a United States federal statute, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for its guidelines when evaluating security measures and data protection strategies.
"The HIPAA includes data protection rules that cover healthcare organisations as well as business associates (including third-party vendors) to cover the grounds for potential channels for breaches.
"Third-party vendors are key to an organisation's digital ecosystem, and healthcare organisations should take governance and employ tools that help assess and manage cyber risk to reduce exposure to threats," adds Tan, who also shared that the Ministry of Health Malaysia is in the midst of implementing an electronic system to share patient information in 145 hospitals nationwide.
"The electronic medical record system will facilitate the transfer and sharing of patient information. Thus, maintaining data protection will be utmost critical," he said.
THE TOOLS AND TECHNIQUES
There are several tools and tactics cybercriminals utilise, says Maor. However, he said, in some cases it is simply a matter of typing specific search parameters into a search engine, which can lead straight to open databases.
"In other cases, attackers scan for open ports and services. We have also seen cases in which the attackers reuse compromised usernames and passwords – unfortunately some users reuse the same password on multiple services which means that if their credentials have been compromised in the past, these credentials may work on multiple platforms.
"Last, but certainly not least, sophisticated attackers use spear phishing and social engineering to get hold of network and database credentials."
THE IMPACT
Answering the question of what the best practice(s) would be for local healthcare providers to achieve 'healthier' data protection, Tan suggests a proactive approach to drafting and implementing effective cyber threat programmes.
"Healthcare has been approaching security from a data privacy and defensive stance. Since attackers, from cybercrime gangs to nation state actors, have started targeting healthcare providers – this approach must change.
"Healthcare organisations need to mature their security programmes and start thinking like a cybercriminal! They need to be able to consume and analyse threat intelligence that will allow them to understand their threat landscape and prepare strategies.
"Healthcare providers need to understand who they are up against, what their motives are, what are the tools, tactics and techniques that will be used against them – from phishing and malware, to targeted social engineering and ransomware," says Maor, who also stresses how attacks like ransomware can shut down operations, how stolen data can be used for financial and medical gain, and how even a doctor's home office can be used as a point of entry to a healthcare organisation.
Healthcare data breaches can be as serious as those faced by financial institutions, adds Tan, with patients' medical records, health history and the like at stake.
"All this information is of high value in the pharmaceutical and medical sectors. Healthcare organisations need to adopt a comprehensive, holistic security strategy that combines risk management, compliance needs and proactive threat intelligence," he said.
"Other benefits cybercriminals could gain from breaching healthcare data include patient data (can be used for identity theft, insurance fraud etc.); patient and hospital data, which allows access to drugs; physical access to hospitals; credit card and financial data; access to the clinic/hospital internal network; and targeting a clinic/hospital with ransomware," he added.