Medical systems biggest target for hackers


    Healthcare systems were attacked by hackers more than systems of any other industry last year, a systems security expert said, highlighting the risk of the heavy use of internet-connected devices in hospitals and other medical facilities.

    The Philippines is considered particularly vulnerable to these kinds of attacks. A report last year by global cybersecurity giant Symantec said that the Philippines ranked 20th in the world for cyberattacks, usually intended to steal secure data, and 7th in the Asia-Pacific region for ransomware attacks, a type of attack in which a hacker takes control of a system and releases it to its owner only upon payment of a ransom. Both types of attacks are frequently directed at healthcare systems.

    Roger Bailey, an engineer with systems security provider Fortinet, said that according to IBM’s 2016 Cyber Security Intelligence Index report, cyber criminals attacked healthcare more than any other industry last year, with more than 100 million healthcare records being compromised.

    The increasing use of internet-connected devices – the so-called “Internet of Things” (IoT) – is raising the risk of cyberattacks and potentially deadly consequences, Bailey said.

    “There are two sides to IoT in hospitals – the customer experience side and the administration/clinical side,” Bailey explained, pointing out that on the one hand, institutions are being pressed to provide better amenities for patients, while doctors and other personnel are increasingly relying on high-tech gadgets to carry out their work.

    “Patients are demanding the same comfort level they have when they’re at home. That includes high-speed wireless for devices and access to Hulu and Netflix while sitting in bed. If you’re going to spend any amount of time in a hospital, you want to be comfortable. People can choose what hospital they go to, and they are choosing based not just on the quality of the care but the quality of the services provided,” Bailey said.

    On the administrative and clinical side, “Doctors have had pagers, then cell phones, long before most people had them. They have had PCs at every breaking edge, now it’s smart phones and tablets. Doctors don’t even carry medical documentation with them anymore. They get pharmacology reports, lab results, even medical and diagnostic images, sent directly to their devices,” he explained.

    All of these systems are vulnerable to attack, but the biggest danger comes from medical devices, Bailey said.

    “The next time you go into an ER, look around and count how many electronic devices are there. One issue is the FDA regulates all medical devices that plug into the network (infusion pumps, EKGs, MRIs) so they are painful to update. They cannot put the latest and greatest software on there, and they don’t have encryption. So for these institutions, one of the major pain points right now is securing those devices,” he explained.

    Two targets

    Bailey said that the biggest attraction for cybercriminals is the sensitive data that can be stolen from a medical system. “What makes it even more challenging is the fact that this data is the most expensive and most coveted on the Dark Web. Healthcare client records go for between $400 and $500 per record, versus a credit card record at just $4, so you can see why the attacks continue to mount,” he said.

    “Then there is the danger of medical devices being hacked. Imagine an infusion pump in the ICU. A nurse sets the prescribed infusion rate of a medication, but someone hacks the device and starts pumping four times that rate into the patient. This can cause damage, paralysis, even death. All the while, the pump reads the original dosage,” Bailey said, describing a nightmare scenario.

    Bailey said that proper system security measures, including the use of firewalls, multi-layer access, system integration, and usage and event monitoring (some of the services offered by his company), are all critical to keeping medical information systems safe.

    “If you do not have a system that is proactively monitoring sensitive areas so you can respond to threats quickly, then you’re doing your organization, and your patients, an injustice,” he concluded.

