How to stop the surge of cyber attacks against the healthcare sector

In the UK, the government’s covid-19 campaign message sits on a deliberately garish sign. The type of sign that would normally warn you of an accident up ahead on a highway.

Stay Home. Protect the NHS. Save Lives.

It’s the second of these three statements that is given the most prominent font. The one that jumps out at you the most as you read it.

Protect the NHS.

It speaks to a fear the UK government has - and they’re not alone - of their healthcare system becoming overwhelmed by the virus.

But not everyone worries about a stretched healthcare sector. Cybercriminals see it as an opportunity. Something they can exploit.

Because while attention is focused on fighting fires, doors can be left ajar. And longer-term protection measures tend to be ignored.

In a way, the covid-19 pandemic has provided the perfect distraction for bad actors. It has given them a helping hand to break through security systems and steal priceless personal medical records.

As we approach the first anniversary of a world living with covid-19, it seems like a good time to take stock. To assess the surge of cyber attacks in healthcare, and to ask some important questions.

What has covid-19 taught us about the kind of threats the industry is likely to be up against in the coming years?

And crucially, what can we do to protect it from these threats?

A wave of lost medical records

The healthcare sector is sometimes compared to the financial industry because both are prime targets for bad actors. If anything, though, attacks against hospitals are much more dangerous than those against banks.

Imagine you were the victim of a hack on your bank account. Awful as that scenario sounds, you’d be likely to get the money back that was stolen from you.

But that isn’t the case with your medical records.

Once they’re gone, they’re gone.

If you’re in the public eye, a bad actor might try to use your records against you as blackmail. Otherwise, they would likely end up on the dark web, packaged together with thousands of others for a fee. And these medical records command a high price because of the personally-identifiable information like addresses and bank account details that they contain.

Or, in other words, everything a fraudster needs to pretend to be you.

A glance at some of the most noteworthy cyber attacks in healthcare in the last 12 months highlights the scale of this problem.

640,000 patient records in Florida, 288,000 in Missouri, and another 166,000 in Georgia. All lost to successful ransomware and phishing attacks.

But it isn’t only medical records that are being stolen and then listed for sale on the dark web. You can also find fake insurance cards and health IDs.

The idea of vaccination certificates or passports has been mooted in recent weeks. But imagine the danger of these details being stolen and sold on the dark web alongside medical records and health IDs. People could pretend to be vaccinated against covid-19 when they’re not, leading to more chaos and a lack of trust in policies to leave the virus behind.

When cyber attacks risk lives as well as livelihoods

The healthcare industry - like all others - is rapidly digitizing. Wider trends were already pointing towards increased use and uptake of connected devices, apps, and virtual doctor’s appointments. But the necessity of self-isolation brought about by the covid-19 pandemic has given all of them a push.

As we’ve mentioned before on this site, crises have a habit of doing this. Of moving us beyond a threshold. And the last year or so has a strong “no going back” feel to it. Especially in the healthcare sector.

The risk, of course, is that this rush to digitize happens without the appropriate protection in place to ward off a new kind of threat. That we end up in a situation where citizens desperate for medical advice are willing to take their chances with dangerous adware and spyware on apps.

After all, wellness and health apps and their associated smart devices are already completely normalized. People don’t only use them for guided meditations and to track their fitness goals. They’re also used by those suffering from diabetes to get advice and to track glucose levels, for example.

But without proper security, these health apps can be at risk from bad actors. Hackers can perform a dynamic analysis on apps and then reverse engineer them - perhaps later passing them off as the real thing via a phishing campaign. They can inject an app with malware. And they can leak unprotected personal data - together with app logic - to their own private server.

It’s almost as if the relative novelty of healthcare apps is giving hackers a head start.

Until developers start thinking like a cyber criminal and locking doors as they’re added to app infrastructure, bad actors will continue to profit from people who place their trust in apps to help them get better.

Unlike the financial industry, cyber attacks in healthcare can risk lives as well as livelihoods. Devices like pacemakers are hackable. As are a range of devices commonly used inside hospitals that doctors and patients rely on every day.

Attacks on hospitals can divert attention away from life-saving procedures and can cause critical delays. They can deliberately mislead medical professionals, resulting in potentially catastrophic decisions being taken.

To most of us, the idea of attacks like these that put people’s lives at risk sounds too hideous to be true. But sadly they do happen, because cybercriminals don’t care about the impact of their attacks on individuals.

They only care about what they stand to gain.

Balancing cybersecurity with patient care

The fact that hackers won’t stop to consider the consequences of their attacks on individuals is a truth healthcare professionals are slowly coming to terms with.

But doctors and nurses aren’t trained in cybersecurity. They’re trained at providing care for patients and saving their lives. Even before covid-19 arrived, medical personnel often struggled to prioritize cybersecurity when there was a backlog of other urgent tasks requiring their attention.

Cancer patients have complained of delays to their surgery in the last year. And other operations seen as non-urgent have been put on hold. In a climate of urgency to deal with a steady tide of covid-19 patients, it stands to reason that cybersecurity measures might also have been put to one side.

Bad actors know this too, of course. In the same way that they’ve preyed on the general anxiety of citizens with phishing emails and text messages (including about covid-19 vaccines), they’ve also exploited this weakness at hospitals.

The coronavirus will eventually become a more manageable problem like the flu - perhaps later this year. But even when that happens, it will still be a challenge to balance patient care with protecting the very data that helps hospitals provide that care.

Compared to other industries like finance, healthcare is much less well prepared to deal with modern, sophisticated cyber attacks. Not only do most hospitals not have the resources to monitor threats, but they might not even know what these threats are - or how to spot them.

Another issue is the level of fragmentation of devices and software in use across a typical hospital.

This fragmentation can act as an invitation to cybercriminals.

They will scope out the software or app that has the most obvious security hole and will then use that as their way into the wider system.

This problem is exacerbated by a common reliance on legacy systems, which lag behind modern, more secure architectures and are often the hardest to patch.

Where are the regulations?

If we continue with the comparison between the healthcare and financial industries, another key difference relates to regulations.

The financial industry has long recognized the importance of regulations to make sure that all banks and payment providers are on the same page when it comes to cybersecurity.

This isn’t really true of the healthcare industry. In fact, some developers of healthcare applications actually use financial regulations as a best practice guide for protecting their own app.

A lack of app security regulations in particular might be down to the fact that the focus in healthcare has often been around data protection rather than securing the apps and devices that collect that data. But this approach is flawed, because apps are one of the first places a bad actor would target in order to eventually access valuable personal data.

A hospital can be fined under regulations like HIPAA for misplacing personal medical information. They can also be sued by the patients whose data has been lost. Currently, though, there isn’t as much incentive for them to protect software and applications.

More robust regulations might be needed as a push for the healthcare sector to take cybersecurity as seriously as the financial industry.

Especially in the near future when technological advancements will naturally lead to the use of even more mobile applications. Not only in hospitals but in the home, too.

There are signs that more legislation is on the horizon. But there clearly needs to be a bit more urgency.

Securing the future of the healthcare sector

There’s no use denying it. The healthcare industry is going to have a tough time in the coming years. Cyber threats are becoming more complex and now arrive from multiple angles and sources. The sector will have to defend against these threats at the same time that it counts the cost - both financial and mental - of the covid-19 pandemic.

But unfortunately cyber attacks in healthcare aren’t going away. Bad actors are unlikely to suddenly develop a conscience and think twice before targeting hospitals and the developers of medical apps.

It’s probably only a matter of time before an attack leads to a serious event that brings worldwide attention to this threat.

So, what can we do to stem the tide of these attacks?

As we’ve said, regulation can help players across the sector ensure they’re following security best practices. Until that regulation exists, it’s a good idea to review respected cybersecurity guidelines such as those at OWASP.

If you’re a developer of medical applications for use in hospitals and the home, you can use guidelines like these to develop applications with security in mind.

Speaking of which, security by design principles can help you to see the bigger picture of who is responsible for protecting applications. Not to mention putting yourself in the shoes of both your end user and the hacker in order to spot potential weaknesses and threats. This is vital if you’re to build a proper risk model.

You should also invest in robust in-app protection that stops hackers from performing a static or dynamic analysis on an application. This protection should ideally use multiple layers of security that keep strings, resources, classes, and logic encrypted and securely out of reach.

Quality in-app protection also comes with environment checks that are able to spot signs of tampering as well as hooking attempts, rooted devices, debuggers, and emulators.
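To make the environment checks above concrete, here is an added example that is not code from the original article or from any particular protection product. It implements two of the simplest checks on Linux, under the assumptions that the kernel exposes a `TracerPid` field in `/proc/self/status` (non-zero when a debugger is attached) and that an `LD_PRELOAD` value is a common sign of a function-hooking library being injected. The parsing is split out into pure functions so the logic can be tested against constructed input; a real product layers many more signals (emulator fingerprints, root indicators, code integrity) and reacts rather than just reporting.

```c
/* Added example: simplified runtime environment checks of the kind used in
 * in-app protection. Assumptions: Linux /proc layout and the LD_PRELOAD
 * hooking vector. Not code from the article or any commercial product. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid field out of the text of /proc/self/status.
 * Returns the tracer's PID (0 when no debugger is attached), or -1 if the
 * field is missing or malformed, which a defensive check treats as suspicious. */
long parse_tracer_pid(const char *status_text) {
    const char *key = "TracerPid:";
    const char *p = strstr(status_text, key);
    if (p == NULL) return -1;
    p += strlen(key);
    while (*p == ' ' || *p == '\t') p++;   /* skip the whitespace after the colon */
    char *end;
    long pid = strtol(p, &end, 10);
    if (end == p) return -1;               /* no digits after the key */
    return pid;
}

/* Returns 1 if the LD_PRELOAD value names any library (possible hook),
 * 0 otherwise. value may be NULL when the variable is unset. */
int preload_hook_present(const char *value) {
    return value != NULL && value[0] != '\0';
}

/* Read the live /proc/self/status and combine the checks into a bitmask:
 * bit 0 = debugger attached (or status unreadable, so we fail closed),
 * bit 1 = LD_PRELOAD set. */
int environment_risk_flags(void) {
    int flags = 0;
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) {
        flags |= 1;                        /* cannot verify: treat as risky */
    } else {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        if (parse_tracer_pid(buf) != 0) flags |= 1;
    }
    if (preload_hook_present(getenv("LD_PRELOAD"))) flags |= 2;
    return flags;
}

int main(void) {
    int flags = environment_risk_flags();
    printf("debugger attached: %s, preload hook: %s\n",
           (flags & 1) ? "yes" : "no", (flags & 2) ? "yes" : "no");
    return 0;
}
```

Run it normally and both answers should be "no"; run it under a debugger, or with `LD_PRELOAD` pointing at any shared object, and the corresponding flag flips. Note that the check fails closed when `/proc/self/status` cannot be read, which is the safer default for an app holding medical data.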

In the coming years the ecosystem of medical applications will grow. And people will become increasingly reliant on them to recover from home. As such, this protection will be vital. But so too will threat intelligence systems that paint a detailed picture of the types of threats apps are up against.

In the financial industry, banks are now sharing this intelligence with one another to collectively arm themselves against the growing cyber threat. This is something that healthcare providers can learn from.

Within hospitals and other treatment centres, education is going to be crucial, too. There has been recognition that cybersecurity is important, but it hasn’t been seen as a priority. Clearly it will still come second to patient care, but doctors and nurses will need at least a basic understanding of threats in the near future. That way they’ll get better at spotting phishing attempts and will understand where the typical malware entry points are.

It’s also likely that more cybersecurity experts will be hired into the healthcare sector. And one of their most important tasks will be to tell a story that resonates with doctors and nurses. To make a clear link between cybersecurity and patient care and explain how one benefits the other.

In recent months it has often felt like there’s little hope in the defence against hackers. But a combination of the measures outlined above can help us to alter the landscape.

They can stop the surge of cyber attacks in healthcare.