Perhaps the most important lesson from the most recent cyber-attack on the healthcare industry is this: Hackers have no shame! We knew that already but recently we were rudely awakened to just how low they will go.
Attack on Finnish healthcare
Thousands of psychotherapy patients in Finland recently reported getting extortion notes from a hacker, or hackers. The hackers had breached a private healthcare company called Vastaamo. During these attacks they stole confidential treatment records, including recordings of doctor-patient sessions. Extorting clients is an unprecedented method for hackers. Usually they only demand ransom from the company from which they’ve stolen the data. When Vastaamo refused they sought out the patients themselves.
The cyber-attack against Vastaamo makes it crystal clear that the healthcare industry is more vulnerable to cyber-attacks than any other.
The healthcare industry is vulnerable
It is believed that the first cyber-attack on Vastaamo’s healthcare facilities happened in 2018. The data is just now being leaked or used for extortion of patients. There’s a reasons why healthcare data is more valuable to cyber-criminals than social security numbers or credit cards. The owners of the data are in a much more vulnerable position. It’s not just their money or credit score that’s at risk, it’s their peace of mind. Their health. Their most intimate privacy. Something that they can never get back if it leaks out. It is therefore more important for the healthcare industry than any other sector to keep data safe.
Patient data is not the only thing at risk. Devices and important machines, such as pacemakers, ventilators and surgical robots, are now connected. This means they are under threat too. Hospitals are being sabotaged.
Covid-19 increases the risk of a cyber-attacks on healthcare
The Covid-19 pandemic has carried along with it another kind of infectious risk. A cyber-risk in the form of viruses, scams and social media disinformation. Hackers are using phishing emails which promise news about the pandemic or vaccines. They use hot topics to trick people into clicking false links or attachments. What does that mean for the health care institutions that we need to keep us safe?
Doctors and other healthcare workers are working under extreme pressure and in unprecedented circumstances. They rely more than ever on their own private devices for communication and search for the latest news and research on treatments. For this reason they are easily scammed if they have not been trained in cyber security awareness. And with everybody wearing masks and protective gear within healthcare facilities, tailgating is now an even bigger risk than before. A recent physical attack on a Croatian covid-hospital left doctors and patients in the dark and without electricity for a few hours after someone broke in and turned off the main switch. This kind of breach focuses our attention on the importance of physical security too, and the importance of having a strong security culture.
Are cyber-attacks on healthcare inevitable?
For years cybersecurity experts have been pointing out the fact that both public and private healthcare facilities are using outdated and poorly maintained systems. Healthcare facilities tend to run on old legacy software. Some even use software that has been discontinued and is therefore not updated anymore. This puts patient data in a lot of risk. Covid-19 has introduced a massive collaboration between the public and private sectors. Patient information is being collected and shared like never before. This further increases the opportunity for hackers to find and exploit weak links. If nothing is done to minimize the risk we will see even more cyber-attacks on the healthcare industry.
Pharmaceutical companies are also a target. Especially during this pandemic. They may have stronger security systems and better software in place but they have still experienced attacks and security breaches. This is most likely due to a lack of security culture. Their employees might accidentally click on phishing emails or accept downloads from compromised websites. Yet another reason why healthcare employees need rigorous security awareness training.
How to avoid cyber–attacks on healthcare?
So why is the healthcare industry still more vulnerable than any other sector? Although there’s money in healthcare it is often prioritized towards what is perceived as “most critical”. We’re talking about life-saving equipment, staff, medicine etc. This is understandable. The healthcare industry is often working under pressure with little time or funds to spare. However, helping people in their time of need should not come with the risk of their personal health care data being stolen and used for extortion later. Part of patient care should be caring for the patient’s data and privacy as if their lives depended on it. Because they do.
The first step to any cyber security resilience plan is to remember the “holy trinity” of cyber security:
Healthcare facilities need to invest in the right technology to keep their sensitive information safe. This is technology like cloud based anti-virus software and spam-filters. This also means upgrading to a software that is patched regularly. Healthcare facilities need to train all their employees in how to use email and the internet safely and create a strong security culture among their employees.
AwareGO offers a ready made cyber security awareness training program for healthcare. It consists of 25 training subjects that cover both physical and cybersecurity threats. Cyber security awareness training goes hand in hand with HIPAA and GDPR compliance as well. A free trial of the AwareGO training platform (LMS) and content is available with no credit card or commitment needed.
Finally, there need to be processes in place that help keep data safe. Rules that apply to all. And plans on how to respond should a security threat arise. For those who want to know more about cyber security resilience we recommend our short and concise guide: Cybersecurity For Dummies: AwareGO Special Edition. Read up on the fundamentals of cybersecurity and help make your workplace a more cybersecure place.