If you follow cybersecurity trends and news, you’ll likely come across frequent mentions of healthcare. This is primarily because the industry is rapidly evolving in a digital sense (cloud, medical IoT, etc.), and because the patient data being transferred and stored across all of those devices and environments fetches a much higher price on the black market than financial data does.
However, we are now seeing a growing number of instances where cybercriminals are attacking healthcare networks with other goals in mind.
According to a recent story from The Independent, “Islamist hackers linked to ISIS carried out an attack on a series of NHS websites in a cyber-attack exposing serious flaws in security systems meant to protect sensitive information.” While the public will likely perceive the initial fallout as a psychological rather than a commercial threat, details are emerging that patient data was vulnerable during the attacks, which highlights the potential weakness of NHS networks and of similar healthcare networks elsewhere.
While it is believed that this is the first ISIS-backed attack against the NHS, industry experts worry it could be the first of many.
It’s critical that healthcare organisations around the globe understand what is at stake and what is motivating today’s cybercriminals to carry out similar attacks. Let’s take a closer look at some of the potential ramifications:
When a credit card is compromised, there is typically a quick fix: the card is cancelled and reissued, and the window for fraud closes almost immediately. When patient data is compromised, the ramifications can be far more severe, because the data has much greater longevity than other types of data. A Social Security number, date of birth or medical history cannot be reissued.
The information housed within a patient’s medical record, especially in countries like the U.S. (Social Security numbers, birthdates, addresses, etc.), can be leveraged to obtain loans or credit cards, send fake bills, commit tax fraud, or even blackmail the patient, to name but a few. Ultimately, healthcare organisations need to recognise that they are being targeted because of the value of patient data, combined with the risks created by a rapidly expanding attack surface, and take action to reduce that attack surface and protect the data.
As mentioned earlier, the recent ISIS-linked attack on the NHS does not appear to have had significant commercial ramifications. However, the fact that attackers were able to compromise NHS websites at all is a major concern in itself, as the NHS forms part of the UK’s Critical National Infrastructure (CNI).
If ISIS and other terrorist groups recognise that organisations like the NHS are vulnerable, they could exploit this as a form of cyberterrorism. Given that clinical systems and connected medical devices are attached to live patients, this could have very serious, life-threatening ramifications.
Survey data shows that more than half of adults are willing to share personal health information for the purpose of improving research and healthcare. However, that confidence could be severely damaged after a breach like the recent one affecting NHS systems.
When a breach draws this much publicity, it tends to rattle patients and causes them to second-guess sharing their information in future. Withdrawing personal health information from these systems would not only complicate individual patient care; it could also stymie the growth of the healthcare industry on a broader level and have a critical impact on disease treatment and research.
The NHS is potentially among the world’s richest sources of data about the health and treatment outcomes of individuals within a population. So much so that in 2013 it launched a new project called 'care.data'. This was to be a vast database that would include the medical records of everyone registered with a GP in England. The UK’s leading doctors told the public that access to so many NHS records would help them understand the causes of disease, quickly spot the side effects of new drugs, and detect outbreaks of infectious diseases. Despite the obvious benefits to the health of the population and to medical research in general, the project ran into massive problems over data confidentiality. This resulted in the loss of public trust, and the project was scrapped in 2016.
As we’ve learned so far, data breaches not only damage public trust but also open the door to future attacks. However, the ramifications don’t stop there. Regulators, like the Information Commissioner's Office (ICO) in the UK, will come down hard on healthcare organisations that do not properly handle and report breaches. We’ve seen a number of instances where healthcare organisations have been fined at or near the current £500,000 maximum for an improperly handled data breach. That ceiling rises sharply under the new General Data Protection Regulation (GDPR), which is intended to strengthen and unify data protection for individuals within the European Union (EU). It applies from May 2018, and organisations that fail to implement appropriate security measures or to report breaches as required risk fines of up to €20 million or four percent of their annual global turnover, whichever is greater.
If you are a member of a healthcare organisation, your organisation may already be at risk. It is not a question of if, but when, your organisation will be attacked, and proper cybersecurity measures need to be in place to protect your organisation and its patient data. Fortinet’s Healthcare Solution protects patient data all over the world, including within the NHS. It provides a centralised security architecture, a robust advanced threat protection (ATP) framework, and unified management of the entire integrated security solution through a single portal, all at a lower total cost of ownership (TCO) than competing offerings, making it a ‘best of breed’ solution that is also affordable.
Let’s get a conversation going on Twitter! How is your healthcare organisation dealing with the ramifications that are presented by today’s cyber attacks?