Cybercriminals targeting healthcare organisations: Fortinet

• Entire malware platforms can be customised to attack healthcare targets
• Healthcare industry especially vulnerable because it lacks security mindset

FORTINET has warned that patient data is far more valuable to hackers on the black market than credit card numbers because it tends to contain data that is detailed, rich, and full of information that cybercriminals can use for identity theft and fraud.
 
“The black market for patient data is up to 20 times more valuable than that for credit card data often stolen in retail breaches,” said Michelle Ong (pic), Fortinet’s country manager for Malaysia.
 
“More importantly, it takes far longer – can be up to a year or more – for patients to realise their information has been compromised.
 
“When a credit card is stolen, algorithms in the financial industry pick up unusual activity very quickly and systems often automatically provide protection. These same protections simply don’t yet exist in healthcare,” she added.
 
According to Fortinet cybersecurity experts, there are three primary vectors of a healthcare cyberattack:
 
Traditional cyberattacks
 
These are the types of attacks that happen to all institutions, even if some are more likely to make headlines than others, Fortinet said in a statement.
 
Malware, phishing schemes, trojans and ransomware are all out there, but the healthcare industry is particularly vulnerable because it lacks the built-in protections and underlying security mindset of other industries.
 
These types of malicious software, whether deployed through targeted attacks, compromised websites, spam, infected mobile devices, or otherwise, can not only expose sensitive data but create distracting and expensive IT headaches, according to Fortinet.
 
A 2012 Ponemon Institute study found that data breaches cost the average healthcare organisation roughly US$2.4 million over the previous two-year period.
 
Connected medical devices
 
Today, everything from heart monitors to IV (intravenous) pumps can be networked, automatically interfacing with EHR (electronic health record) systems and providing real-time alerts to healthcare providers.
 
From the perspectives of patient care and operational efficiency, this is a good thing. From a security perspective, it’s a potential nightmare, said Fortinet.
 
Most of these devices, as well as MRI (magnetic resonance imaging) machines, CT (computerised tomography) scanners and countless other diagnostic machines were never designed with security in mind.
 
Many diagnostic systems use off-the-shelf operating systems like Microsoft Windows while other devices use purpose-built software designed to collect data, not keep it safe.
 
Too many of these devices are eminently hackable and, once compromised, can provide hackers with unfettered access to the clinical data systems within which they interface.
 
And it isn’t just patient data that’s vulnerable through connected devices, Fortinet said. Cyberterrorists could potentially manipulate machines to intentionally harm patients or shut down critical systems in hospitals.
 
Personal and home health devices
 
Device proliferation isn’t just occurring in hospitals. An increasing numbers of home health devices, mobile apps, wearables, and more are collecting and transmitting personal health information, Fortinet said.
 
Not only do these devices and apps potentially expose patient data (or at least fail to adequately protect it), but they also often interface directly with EHR and clinical data systems.
 
When everything from a home glucose monitor to an iPhone app can become part of the attack surface, it should become clear just how badly exposed healthcare institutions are, the company argued.
 
As with clinical devices, most of these new patient care modalities are designed for convenience and innovative functionality rather than security.
 
“The time to address healthcare security is not when medical record breaches start making headlines,” said Ong.
 
The healthcare industry as a whole needs to be proactive and begin deploying systems with security baked in, protected at both the network and application levels,” she added. “The stakes are simply too high to wait.”
 
Related Stories:
 
Security issue in fitness wristband, says Kaspersky researcher
 
How mobility can be a game-changer for healthcare
 
Cybercriminals more patient, eyeing bigger targets: Symantec
 
 
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.