The black market for healthcare data is up to 20 times more valuable than that for credit card data, because healthcare data comprises comprehensive patient information that can be used for identity theft and fraud. This is according to Perry Hutton, regional director for Fortinet Africa.
“More importantly, it takes far longer for patients to know their information has been compromised — it can take up to a year or more for someone to realise their patient data has been compromised. When a credit card is stolen, algorithms in the financial industry pick up unusual activity very quickly and systems often automatically provide protection. These same protections simply don’t yet exist in healthcare,” says Hutton.
Hutton says that advancing technology results in the networking of essential health devices: everything from heart monitors to infusion pumps can now have connectivity. While this is a good thing from the perspectives of patient care and operational efficiency, it poses a serious risk to security, as connectivity provides a target surface.
“Most of these devices, as well as MRI machines, CT scanners and countless other diagnostic machines were never designed with security in mind. Many diagnostic systems use off-the-shelf operating systems like Microsoft Windows while other devices use purpose-built software designed to collect data — not keep it safe. Too many of these devices are eminently hackable and, once compromised, can provide hackers with unfettered access to the clinical data systems within which they interface,” says Hutton.
“And it is not just patient data that’s vulnerable through connected devices. Cyberterrorists could potentially manipulate machines to intentionally harm patients or shut down critical systems in hospitals. As early as 2011, one researcher demonstrated how an insulin pump could be hacked to deliver a lethal dose of insulin,” says Hutton.
Hutton warns that the threat to healthcare data is not only faced by hospitals and clinics. Personal health devices such as wearables and mobile applications are collecting and transmitting patient information all the time, and usually fail to adequately protect it. Additionally, they often interface directly with other devices, clinical data systems and electronic health records. As these devices are designed for convenience and functionality rather than security, and since anything from a mobile phone app to a home glucose monitor can be the target, Hutton says it shows how badly exposed healthcare institutions are.
“Healthcare security should not be addressed when medical records are breached. The time is now. The healthcare industry as a whole needs to be proactive and begin deploying systems with security baked in, protected at both the network and application levels. The stakes are simply too high to wait,” says Hutton.
Malware, phishing schemes, trojans, and ransomware are all traditional types of attacks that happen to all institutions, but Hutton says that the healthcare industry is particularly vulnerable because it lacks the built-in protections and security awareness of other industries.
“These attacks aren’t terribly new, but their sophistication is, and the ability to expose patient data is of real concern. Cybercriminals have developed entire malware platforms that can be customised to attack healthcare organisations,” concludes Hutton.
For more on cyber crime risk and what African business should be doing to battle online threats, read the new print edition of RISKAFRICA magazine.