Cyber Security Threats and Mitigations in the Healthcare Sector with Emphasis on Internet of Medical Things

With the development of modern technology in the world, cyber security threats to the healthcare sector are rapidly increasing. Professionals in the cyber security field are always trying to mitigate these attacks. Attackers target the healthcare sector more because it is usually less protected against cyber-attacks. To be protected against these cyber-attacks, all personnel involved in the healthcare sector must be aware of cyber threats and pay more attention to cyber security. By implementing modern security standards and the latest cyber security mitigation mechanisms based on AI and IoT, healthcare organizations can upgrade their security and overcome these cyber security threats.

1.    INTRODUCTION

In the modern world everything is digitized. Every sector, including healthcare, military, business, manufacturing and finance, uses information technology in its everyday work. All the other sectors have taken the necessary precautions against cyber security threats except the healthcare sector. That is mostly because the healthcare sector focuses more on healthcare and less on its own security. Cyber security resources are also highly restricted in the healthcare sector because of the high cost of healthcare. Technological advancements are still improving the accuracy and quality of healthcare, but with them come the risks of cyber threats. More cyber security breaches in the healthcare sector are being reported nowadays, but the unreported breaches always outnumber the reported incidents. If the personnel in the healthcare sector are more considerate about cyber security, these attacks and breaches can be reduced by having a foundational quality information technology (IT) system, training and awareness, risk-based methodologies and a preventive and proactive stance [1].

According to the Fortified Health Security 2021 mid-year Horizon Report, over 22 million people have been affected by breaches in the healthcare sector in 2021, which is a 185 percent increase compared to 2020 [2]. These cyber-attacks may affect patients' identities as well as finances, obstruct hospital operations and jeopardize patients' health and wellbeing. When attackers breach hospital databases they can access patients' full names, dates of birth, blood types and the diseases they were treated for, which can be a serious privacy issue. These can cause long-term problems such as loss of reputation and income for hospitals and health facilities [1]. For example, in 2017 the United Kingdom National Health Service (NHS) was affected by a ransomware attack called 'WannaCry' [3]; in February 2016 a German hospital, Lukaskrankenhaus Neuss, was affected by a ransomware attack through social engineering; in 2018 the Norway Regional Health Authority (HRF) was compromised by a foreign criminal group [1]; in the same year a small hospital in the United States, the 'Hancock Regional Hospital', was affected by malware called 'SamSam'; and recently the Ireland Health Service Executive (HSE) faced another ransomware called 'Conti' [3].

When the healthcare sector is compromised it affects its stakeholders. A stakeholder is a party that has an interest in a company or an organization, or a party that can be affected by the company or the organization [4]. In the healthcare sector the primary stakeholders are the doctors and the working staff. The secondary stakeholders are the pharmaceutical firms [4]. Secondary stakeholders have the ability to impact interactions or destabilize primary stakeholders [4]. Stakeholders in the healthcare sector have a significant impact on the industry's trajectory. Their support is critical as they give financial support, corporate strategy, solutions and other services to the healthcare sector [4].

New technologies are being developed every day for better treatment and patient care in the healthcare sector. Every department inside the healthcare sector uses and stores personally identifiable information (PII) and protected health information (PHI) [1]. These are highly sensitive data and virtually all the departments manage them at least on some level. These interactions could be subjected to cyber-attacks that compromise the integrity of the system and the confidentiality of patients and employees through malware [5].

Because of the high demand for patient information and the use of outdated systems in the healthcare sector, cyber-attacks are very common nowadays [5]. There are several reasons why the healthcare sector is targeted by attackers: they can make a lot of money by stealing private patient data, they can easily gain access to medical devices, and so on. Open and shareable healthcare information is important, but the use of outdated technology and not caring much about cyber security solutions lead to becoming a victim of cyber-attacks [6].

2.    RESEARCH STATEMENT

This paper reviews the literature on cyber security threats and mitigations in the healthcare sector. It explains in detail what the healthcare sector is, how harmful present-day cyber-attacks are, how long their effects can last, why the healthcare sector is the victim, what kinds of attacks are common (ransomware, data breaches, insider threats, DDoS attacks), some real-world examples of attacks on the healthcare sector, prevention methods, and what to do in the future for the healthcare sector regarding cyber security [5].

3.     REVIEW OF THE LITERATURE

What Is The Healthcare Sector?


The healthcare sector is composed of companies that offer medical services, produce medicine, pharmaceuticals and medical equipment, facilitate medical insurance or support the quality of services in the healthcare sector. Every kind of PII and PHI is used in the healthcare sector by providers such as physiotherapists, physicians, pharmacists, technicians, nurses and dietitians, and they use facilities and techniques like “electronic health records (EHR), e-prescribing software, remote patient monitoring and laboratory information systems; the billing office works with insurance and financial information through medical billing software; scheduling and administration departments work with clinical data on scheduling software” [1]. Because the information accessed through them, PII and PHI included, is highly sensitive, cyber security measures are needed to protect the above-mentioned facilities and techniques.


Why Is The Healthcare Sector The Victim?


Organizations are increasingly vulnerable to cyber-attacks that can pose a danger to everyday operations as well as to the security of private and confidential patient data. This is because healthcare workers do not have enough time to train themselves against cyber threats, since their days are so long and busy, and because upgrading internet security is too costly for many hospitals to even consider, which has opened the door to security breaches. Some healthcare executives are willing to raise cyber security expenditure. Unfortunately, with new risks emerging day after day, it is nearly impossible to identify where an organization's resources should be spent. As a result, the healthcare industry is one of the most significant targets of current cyber-attacks and attackers. Some key reasons for the healthcare sector being a victim are:

Attackers may make a lot of money by stealing patients' private data.

All patient information is stored in hospital databases. If an attacker can gain access to the hospital system, he will be able to steal patients' confidential data and sell it, because that information is valuable to third parties. So it is worth a lot of money to the attackers.

Attackers can easily gain access to medical devices.

Nowadays, the health sector is advancing technologically every day. Some medical equipment plays a significant part in present healthcare, such as insulin pumps, X-rays, defibrillators, and positron emission tomography (PET) and computerized tomography (CT) scanners.
In terms of online protection and patient information protection, these new devices give attackers even more access points, because they are not designed with security in mind and are made for only one purpose, such as monitoring both normal and abnormal metabolic activity, monitoring heart rates or making prescriptions. The devices themselves do not store details, but because it is too easy to compromise them, attackers can use them to carry out an attack on a server that does contain valuable data [6]. After compromising these medical devices the attacker will be able to restrict the healthcare organization from providing crucial lifesaving medication to patients. That is the worst thing that can happen when an attacker gains access to medical devices.

Staff remotely access the data.

Many medical units are interconnected to provide the best possible treatment for each patient effectively. Doctors or other staff members who need to access that data can sit at their own desks and retrieve it remotely from multiple devices at any time [6]. Because of this feature attackers can also gain access through the interconnected network, and since not every connected device is protected correctly and not every employee is aware of the online risks, the attackers can easily compromise the whole system [6].

Workers refusing the use of new technology.

Everyone knows that healthcare workers are among the busiest and most sought-after professionals. This also implies that they do not have the time or resources to add online security measures to their job, since they work long hours under pressure and stress. Healthcare workers should be able to focus on their tasks without being distracted by other things like cyber-attacks [6].

Most of the staff do not have any knowledge about online threats.

Because of the heavy workload in the healthcare sector, not every employee is able to acquire knowledge about online risks. They are also trained only for medical purposes, and cyber threats are not a part of their training. As a result of financial, resource and time restrictions, it is probably not feasible for all healthcare employees to be knowledgeable in cyber security best practices [6]. For this reason they are targeted more by attackers and most of them become victims unknowingly.

There is a huge number of medical devices, which makes it difficult to achieve top-level security for all of them.

There is a vast network of linked medical devices in today's healthcare sector. Larger organizations can operate with hundreds of interconnected medical devices, which in turn creates an opportunity for a cyber-attack. As previously mentioned, healthcare staff are not usually aware of threats to devices. So IT professionals are tasked with the responsibility of securing a whole physical network and of protecting the rest of the network when one device is compromised.

Use of outdated technology.

Although medical technology has advanced significantly over the past decade, not all aspects of the healthcare sector have caught up. For example, the security side of the healthcare sector is still primordial. As a result of limited resources and a reluctance to acquire new methods, a lot of medical equipment has become outdated. It is recommended that all software in hospitals be updated, and those that do not update are the ones that are highly susceptible to cyber-attacks.

Open and shareable healthcare information is important.

Medical staff, on-site and remote, can gain access to private patient information on various devices. Because most of their work is urgent, they do not have the time to stop and think about the security aspects of the equipment they are using in the field [6]. Information sharing is not always protected because staff cannot enter their credentials every time they access the data, most importantly in a time-critical situation. Sometimes users just check their mail, for which they do not need an account with admin privileges, so a single malicious mail can infect everything in the whole system.

Smaller healthcare organizations do not care much about cyber security solutions.

Every organization is at risk of cyber-attacks. Larger companies use huge amounts of data and they are the most attractive targets for attackers because of the large amount of money that can be made by attacking them [6]. The security expenses of smaller companies, however, are smaller. As a result, smaller businesses are often seen as easy targets because of their less complicated and out-of-date cyber security solutions, as well as a backdoor access opportunity to larger business targets [6].


Impacts


Since patient safety and confidentiality are at stake, cyber security in the healthcare sector is definitely a great challenge. For example, when a credit or debit card is stolen it can be revoked and a new card can be obtained. But in the healthcare field, when a system is compromised, the patient's PHI and PII such as date of birth, blood group, and health and genetic information cannot be changed or replaced [7] [8]. Information about a person's health can be used to commit a wide range of crimes, from identity theft to medical fraud. A patient's health information is worth far more on the dark web than social security, credit or debit card numbers, which means that the attackers can gain a lot of money [7] [8].


Real World Examples

  • UK 'WannaCry' ransomware attack.

The 'WannaCry' ransomware assault in 2017 hit the National Health Service (NHS) heavily [3]. A third of English NHS Trusts were compromised, and over 7,000 appointments were canceled as a result of the attack on the NHS. This assault was "a relatively unsophisticated attack and could have been prevented by the NHS if they had followed basic IT security best practices", as the National Audit Office identified [3].

  • Germany Lukaskrankenhaus Hospital.

Lukaskrankenhaus Neuss is a public hospital in Germany. A ransomware attack delivered through a social-engineering approach in February 2016 resulted in a variety of error messages for all the employees. Servers and computer systems were taken offline as a result of the infection. In the meantime, personnel continued to work using pen, paper and fax machines, although high-risk operations had to be postponed [9]. There was no direct request for ransom, but the hospital was given an email address to contact for more information. According to local authorities, the hospital did not contact the attacker through that address [9]. Luckily the hospital had kept an up-to-date backup and was able to restore its system within a few hours.

  • Norway Regional Health Authority (HRF)

Norway Regional Health Authority (HRF) is a state-run, region-specific organization of specialist hospitals and healthcare services [1]. About 2.9 million people's PHI and data were compromised in January 2018, according to South-East RHF. The attack is thought to have been carried out by a sophisticated criminal organization linked to foreign espionage or a state agency [10].

  • US Hancock regional hospital

Hancock Regional Hospital is a local, non-profit hospital. Hancock Regional was the victim of a ransomware attack called 'SamSam' in 2018. The attack hit a server in its emergency IT backup system and propagated via the electronic link between the backup location, which was located miles away from the main center, and the hospital's server farm [11]. “The attackers had completely damaged components of backup files of numerous systems, excluding the electronic medical record backup files, it was subsequently found later. Investigators then discovered that the attackers used Microsoft's Remote Desktop Protocol as an access point into the system, and that the hackers used a hardware company's administrator account to launch the cyber-attack [12].”


Mitigations

  • Provide Information Technology (IT) at the foundation.

Good information technology is required for any healthcare organization to reach an effective information security state. In healthcare contexts this is particularly challenging owing to the lack of human resources, financial constraints, a history of lack of investment, and the complexity of the application area. But it is still essential [1]. Some indicators can offer insight into a healthcare facility's IT quality, even though there are currently no well-established models or methods for doing so. Examples include health facilities with solid application bases that do not have overflowing helpdesk call logs and IT personnel who are largely focused on fixing faulty or broken apps [1].

  • Risk-based approach

A high level of security is required when it comes to cyber security. However, because there is no such thing as perfect cyber security, a risk-based strategy through corporate risk management is required [1]. An assault is always possible, even with the best IT infrastructure and procedures, a proactive attitude and information security safeguards. So, the cyber security framework suggested by “US National Institute of Standards and Technology (NIST) and the recommendations of the European Union Agency for Network and Information Security (ENISA) are advised to be practiced in a risk-based approach [1].”

  • Training and awareness

When it comes to cyber security, people are always the weakest link. As a result, healthcare institutions should consider educating all users regularly. Although this does not ensure security, it is at the very least a positive step in the right direction [13]. Health facility users, from doctors to staff members to patients, might accidentally or purposefully compromise the hospital's cyber security, so providing training that is both relevant and effective can reduce those compromises drastically. Health facilities should regularly analyze and identify knowledge gaps [14]. Because of their unintended acts, end users must always be aware of the dangers they can pose.

  • Privileges issuing.

Assigning administrative powers to users in healthcare organizations comes with a great deal of danger. A great majority of the large-scale assaults that have resulted in substantial damage and costs have been launched by breaching privileged accounts, such as those of third-party providers [15]. Administrative rights should be granted in a regulated, limited and reasonable way, so that the number of such accounts stays reasonable for the business.

  • Incident response plan

An incident response and business continuity strategy should be developed for health institutions, as cyber-attacks have grown more common in recent years. These strategies should be exercised frequently, kept offline and maintained regularly [1]. In order to be successful, plans should be based on a procedure that has been agreed upon by all the parties involved. In the absence of a chief information security officer (CISO), it is necessary to have a designated team and cyber security leader. There should be a clear division of tasks and responsibilities within the team. It is also important for organizations to agree on what defines a reportable event and when it should be escalated. Mitigation training should also be incorporated into programs [1].
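
The privilege-issuing mitigation above, together with the Hancock Regional case where a vendor's administrator account was used over Remote Desktop Protocol, can be turned into a routine check. The following is an added example, not part of the original article: the account inventory, logon records, network range and thresholds are constructed assumptions, and the field names are hypothetical.

```python
"""Review privileged accounts and flag risky RDP logons (constructed data)."""
import ipaddress
from datetime import date

# Constructed inventory; account names and fields are hypothetical.
ACCOUNTS = {
    "it-admin-01": {"admin": True, "owner": "internal", "last_review": date(2024, 5, 1)},
    "vendor-hvac-admin": {"admin": True, "owner": "third-party", "last_review": date(2022, 1, 10)},
    "nurse-station-7": {"admin": False, "owner": "internal", "last_review": date(2024, 3, 2)},
    "vendor-pacs-svc": {"admin": True, "owner": "third-party", "last_review": date(2024, 4, 20)},
}

# Constructed logon records shaped like Windows Security event 4624 fields.
# Logon type 10 is RemoteInteractive, i.e. a Remote Desktop session.
LOGONS = [
    {"account": "it-admin-01", "logon_type": 10, "source_ip": "10.20.1.15"},
    {"account": "vendor-hvac-admin", "logon_type": 10, "source_ip": "203.0.113.44"},
    {"account": "nurse-station-7", "logon_type": 2, "source_ip": "10.20.3.8"},
    {"account": "vendor-pacs-svc", "logon_type": 10, "source_ip": "10.20.9.30"},
    {"account": "unknown-admin", "logon_type": 10, "source_ip": "198.51.100.7"},
]

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed management range
MAX_ADMINS = 2             # assumed ceiling agreed with the business
REVIEW_MAX_AGE_DAYS = 365  # assumed review interval


def audit_accounts(accounts, today):
    """Return findings about how administrative rights are currently issued."""
    findings = []
    admins = sorted(name for name, a in accounts.items() if a["admin"])
    if len(admins) > MAX_ADMINS:
        findings.append(("too-many-admins", ",".join(admins)))
    for name in admins:
        acct = accounts[name]
        if (today - acct["last_review"]).days > REVIEW_MAX_AGE_DAYS:
            findings.append(("stale-review", name))
        if acct["owner"] == "third-party":
            findings.append(("third-party-admin", name))
    return findings


def flag_logons(logons, accounts):
    """Flag RDP logons by unknown accounts or by admins from untrusted sources."""
    alerts = []
    for ev in logons:
        if ev["logon_type"] != 10:
            continue  # only Remote Desktop sessions are of interest here
        acct = accounts.get(ev["account"])
        ip = ipaddress.ip_address(ev["source_ip"])
        trusted = any(ip in net for net in TRUSTED_NETS)
        if acct is None:
            alerts.append(("unknown-account-rdp", ev["account"], ev["source_ip"]))
        elif acct["admin"] and not trusted:
            alerts.append(("admin-rdp-untrusted-source", ev["account"], ev["source_ip"]))
    return alerts


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, date(2024, 6, 1)):
        print("FINDING", *finding)
    for alert in flag_logons(LOGONS, ACCOUNTS):
        print("ALERT", *alert)
```
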

4.    FUTURE RESEARCH

Cyber-attacks on the health sector are increasing day by day; as a result, cyber security countermeasures and threat mitigations should be automated. For example, cloud-based technologies and IoT (Internet of Things) as well as Artificial Intelligence will be used more frequently in the future. To keep up with them, cyber security professionals must develop and implement new, more powerful and more effective methodologies for the detection and prevention of all kinds of cyber threats. So in the future AI-controlled security control systems, various other automated systems and IoT must be used to diagnose malware and cyber threats not just by their signatures but also by their behaviors. Training sessions held in the future should include that updated knowledge. Future cyber threats will be much more advanced and deadly due to the advancement of technology and the increased usage of technology in the healthcare sector. So establishing much stronger security standards according to future necessities is recommended.

 

5.    CONCLUSION

Cybercriminals pay more attention to the healthcare sector because of the weaker cyber security protection in healthcare facilities. Attackers use malware, ransomware and phishing attacks to breach healthcare systems and steal sensitive information. The most common motive for these attacks is money or financial benefit. As these attacks are increasing day by day, health organizations should pay more attention to cyber security and implement the necessary mitigations and prevention mechanisms. Personnel in the healthcare sector should take cyber threats seriously and act accordingly.

 

6.    REFERENCES

[1] Argaw, T. Pastoriza, S. J. and L., "Cyber security of Hospitals: discussing the challenges and working towards mitigating the risks,"

[2] F. H. Security, "Fortified Health Security Releases 2021 Mid-Year Horizon Report,"

[3] DorianRees, "Pinsent Masons," 18 June 2021. [Online]. Available: https://www.pinsentmasons.com/outlaw/analysis/cyber-attacks-healthcare-europe.

[4] Kimberly, "Swift Digital," 13 August 2021. [Online]. Available: https://www.swiftdigital.com.au/blog/stakeholders-healthcare/.

[5] "Cyber Attacks: In the Healthcare Sector," 08 Feb 2017.

[6] "9 reasons healthcare is the biggest target for cyber-attacks," Swivel Secure, [Online]. Available: https://swivelsecure.com/solutions/healthcare/healthcare-is-the-biggest-target-for-cyberattacks/.

[7] F. J. Humer C, "Your medical record is worth more to hackers than your credit card," 27 04 2014. [Online]. Available: https://www.reuters.com/article/uscybersecurity-hospitalsidUSKCN0HJ21I20140924.

[8] R. E. M. M. S. R. K. C. Luna R, "Cyber threats to health information systems: a systematic review. Technol Health Care," 2016.

[9] S. S, "Hackers hold German hospital data hostage," 2016. [Online]. Available: https://www.dw.com/en/hackers-hold-germanhospital-data-hostage/a-19076030.

[10] K. S, "Nearly half of the Norway population exposed in HealthCare data breach," The Hacker News, 2018.

[11] S. C. T. UNIT, "SamSam Ransomware Campaigns," 2018. [Online]. Available: https://www.secureworks.com/research/samsamransomware-campaigns.

[12] H. O, "Hancock regional hospital back online after paying hackers $55,000. Digital Health," 2018. [Online]. Available: https://www.digitalhealth.net/2018/01/hancockregional-hospital-back-online/.

[13] B. S. O. S. S. J. F. J. G. A. Pycroft L, "Brainjacking: Implant Security Issues in Invasive Neuromodulation," p. 462, Aug 2016.

[14] "The CIS Critical security controls for effective cyber defense," 2016. [Online]. Available: https://creativecommons.org/licenses/by-ncnd/4.0/legalcode.

[15] "New Report Connects Privileged Account Exploitation to Advanced Cyber Attacks. CyberArk," 2018. [Online]. Available: https://www.cyberark.com/press/new-reportconnects-privileged-account-exploitationadvanced-cyber-attacks/.
