Karl Lankford, for BeyondTrust, explores previous attacks on the industry and draws on findings from an access threat report: Cyberattacks are putting lives at risk via administrative back doors left open
The healthcare industry continues to come under fire for poor cybersecurity, and, as the WannaCry attack emphasised, cyber-criminals continue to exploit that weakness to acquire valuable data, costing healthcare organisations substantial financial and reputational damage.
Interestingly, recent reports show that any type of personal data, be it online banking details, online shopping logins or passport information, has a resale price ranging from just a few pounds to many hundreds, with medical records reportedly worth more than credit card details.
However, a cyberattack on the healthcare industry goes beyond the theft of data: it could shut down hospitals, disrupt care delivery and put lives at risk.
How hastening patient care incurs significant cyber risks
All communications within healthcare organisations must comply with data privacy regulations, HIPAA in the United States and GDPR in the EU, which enforce strict rules on how patient information is sent and received. By the nature of their work, hospital staff handle incredibly sensitive information and are accountable under these regulations.
Yet healthcare workers are under increasing pressure, with the Department of Health and Social Care investing an additional £240 million in social care to ease demand over the winter months. It is commonplace for patient care to take priority in time-starved schedules.
As a result, good cybersecurity practices can sometimes be overlooked. According to BeyondTrust’s 2018 Privileged Access Threat Report, 60% of employees shared administrator passwords and 46% did not store credentials in a centralised password safe. A shared password cannot be tied back to an individual, so controlling and managing credentials is paramount if the industry is to remain vigilant against cyber-attacks.
Given these poor practices, it is no surprise that 53% of healthcare organisations reported that they had possibly or definitely suffered an insider-related breach in the last year. It is imperative, then, to deploy cybersecurity technologies that do not get in the way of providing care, while ensuring that staff do not resort to unsafe workarounds.
The hidden threats lurking in IoT devices
In the healthcare industry, the internet of things (IoT) offers a plethora of benefits, including monitoring patients more closely, utilising data to gain insights into patient care and connecting devices in ambulances as well as medical devices such as insulin pumps.
The global market for connected devices is growing and is expected to reach an estimated £310 billion by 2023. However, the rise of IoT has also given cybercriminals many more devices through which to break into systems. Since many of these devices perform critical functions such as dispensing medication to patients, any tampering could have a life-threatening effect.
Because of this, the healthcare industry must now consider security around every single connected medical device. Each of these devices and systems has an administrative back door, a privileged interface that represents a risk in its own right, so there are many thousands of devices that must now be secured.
The third-party perils
If the security tools given to employees are not usable, it is understandable that staff may skip secure practices, especially when working remotely. As many as 40% of respondents admitted to downloading data onto external memory drives in order to work more efficiently from dispersed locations. To support staff in the field, healthcare organisations should implement a solution that delivers support remotely and securely, removing the need for them to return on-site with their device to have an issue addressed.
The healthcare industry also frequently employs contractors to service these critical devices. However, allowing third parties onto networks and devices represents a huge risk. In fact, 73% of surveyed respondents stated that third parties outsourcing work to sub-contractors is a moderate or significant risk factor for their network security.
They are not wrong, yet over a third (33%) of healthcare organisations have increased their use of third parties by up to 20% in the last two years. Even more worrying, just under half (47%) admitted to allowing over 100 vendors to log on to their systems each week. As the numbers increase, so does the probability of a cyberattack putting patient care at risk.
How to alleviate the pressure
An organisation’s insiders, such as IT administrators and service desk technicians, need privileged access to support users and systems remotely. Such access is often granted in uncontrolled and untraceable ways, making the organisation more vulnerable to attacks.
Privileged accounts and passwords are prime targets for cybercriminals because they allow hackers to utilise legitimate credentials with elevated permissions to access other areas of the network. If credentials are stolen or compromised, cybercriminals can move laterally across networks, expanding the damage beyond the initial breach. Healthcare organisations can implement privileged access management (PAM) solutions that allow for greater control and visibility of who can access their systems and help to safeguard their most critical data and devices.
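As an added example, not from the original article or from any BeyondTrust product, the Python script below shows the kind of visibility the paragraph above describes, run over a handful of constructed authentication log lines. It flags an administrator account whose password is evidently shared (two concurrent sessions from different source addresses, the behaviour behind the 60% figure earlier in the article) and third-party vendor logins that fall outside an approved maintenance window (the 100-vendors-a-week problem). The log format, account names, hosts, addresses and approval windows are all assumptions made for the example.

```python
"""Spotting uncontrolled privileged access in authentication logs.

Added example; the log lines, field layout, account names and approval
windows are constructed for illustration and are not real hospital data.
"""
import re
from datetime import datetime

# Constructed sample log lines. Assumed layout:
# "<ISO timestamp> <login ok|logout> key=value ...".
SAMPLE_LOGS = """\
2019-01-14T08:02:11Z login ok user=svc_admin src=10.20.1.15 host=pacs-srv01 session=a1
2019-01-14T08:03:40Z login ok user=svc_admin src=10.20.7.88 host=pacs-srv01 session=a2
2019-01-14T08:10:05Z logout user=svc_admin session=a1
2019-01-14T08:12:00Z login ok user=svc_admin src=10.20.7.88 host=pacs-srv01 session=a3
2019-01-14T09:30:00Z login ok user=vendor_imaging src=203.0.113.40 host=mri-ctrl02 session=b1
2019-01-14T22:15:12Z login ok user=vendor_pumps src=198.51.100.7 host=infusion-gw01 session=c1
2019-01-14T10:00:00Z login ok user=j.smith src=10.20.1.15 host=ehr-db01 session=d1
"""

# Approved vendor maintenance windows (assumed): account -> [(start, end), ...].
# vendor_pumps is approved for the 15th only, so its login on the 14th is out of window.
APPROVED_WINDOWS = {
    "vendor_imaging": [(datetime(2019, 1, 14, 9, 0), datetime(2019, 1, 14, 12, 0))],
    "vendor_pumps": [(datetime(2019, 1, 15, 9, 0), datetime(2019, 1, 15, 12, 0))],
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>login ok|logout) (?P<rest>.*)$")


def parse_line(line):
    """Parse one log line into a dict (ts, event, key=value fields); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = "login" if m.group("event") == "login ok" else "logout"
    return fields


def parse_log(text):
    """Parse all lines, drop malformed ones, and order events by time."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def find_shared_account_use(events):
    """Flag a login to an account that already has an open session from a
    different source address. One person cannot be in two places, so this is
    a strong indicator the password is shared (or has been stolen).
    Returns (user, existing_session, new_session) tuples."""
    open_sessions = {}  # session id -> (user, src)
    findings = []
    for e in events:
        if e["event"] == "logout":
            open_sessions.pop(e["session"], None)
            continue
        for sid, (user, src) in open_sessions.items():
            if user == e["user"] and src != e["src"]:
                findings.append((e["user"], sid, e["session"]))
        open_sessions[e["session"]] = (e["user"], e["src"])
    return findings


def find_unapproved_vendor_access(events, windows, vendor_prefix="vendor_"):
    """Flag third-party logins outside every approved window for that account,
    including vendor accounts with no approval record at all.
    Returns (user, host, timestamp) tuples."""
    findings = []
    for e in events:
        if e["event"] != "login" or not e["user"].startswith(vendor_prefix):
            continue
        approved = any(start <= e["ts"] <= end for start, end in windows.get(e["user"], []))
        if not approved:
            findings.append((e["user"], e["host"], e["ts"].isoformat()))
    return findings


def report(text=SAMPLE_LOGS, windows=APPROVED_WINDOWS):
    """Run both checks and return the findings keyed by check name."""
    events = parse_log(text)
    return {
        "shared_accounts": find_shared_account_use(events),
        "unapproved_vendor": find_unapproved_vendor_access(events, windows),
    }


if __name__ == "__main__":
    for kind, items in report().items():
        for item in items:
            print(kind, item)
```

The two checks are deliberately simple: the shared-account rule needs only session start/stop events, and the vendor rule needs only a list of approved windows, which is exactly the "who can access what, and when" record a PAM deployment produces. Note that the third svc_admin login (session a3) is not flagged, because it comes from the same address as the still-open session a2; only a concurrent session from a different address is treated as evidence of sharing.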
There are several vulnerabilities the industry needs to be wary of, from the cyber risks that come with the urgency of helping patients, to the spread of IoT devices and the danger of employing contractors. As a result, the healthcare sector is under pressure to secure its critical systems. By controlling who has access to what on the network, and recording that access, the healthcare industry can ensure that its sensitive data is only accessible to those who should be able to see it.
Director, Solutions Engineering, EMEA