Healthcare lagging when it comes to infosec

As more and more health-related data moves from analogue to digital, there are new risks introduced to our healthcare. Farah Magrabi, from Macquarie University, spoke at AusCERT 2016 about the risks involved in using digital technologies.

Magrabi says IT systems in healthcare is relatively immature compared to other sectors and security is rarely integrated into processes and system.

Technology is being used in decision making says Magrabi. “Across the board we’re looking at everything from email… to pathology results’” she says. Electronic record keeping by providers ranging from doctors to hospitals through to individuals introduces new risks.

Increased automation is also significant she says. “IT systems are supporting important clinical processes. they are now playing a mission-critical role,” says Magrabi. “It’s significant when these systems are taken down by a hack”.

With increased networking between devices, the threat surface is expanding.

Magrabi says 97% of general practitioners use electronic records with more than 80% of care delivery in NSW hospitals supported by electronic records. And 2.7 million consumers use the national My Health Record service. Once you add personal health monitoring, it becomes a complex task to ‘join the dots” she says.

Citing the example of diabetes, Magrabi notes that the management of this disease requires coordination between many different health care providers. This creates a complex ecosystem with money points of connection and potential vulnerability.

Cyber risks on the Rise

Magrabi says that compromises of health data are running at a rate of about four per week with over 3.5million records compromised this year in the US alone.

The consequences of these increased risks are broad says Magrabi. Of particular concern is the volume of the data breaches. As a result of a series of large scale attacks in the US, such as the Anthem breach, means that about one in three US citizens have had their health data compromised in some way. In 2015, 113 million records were compromised in the US, up from 13 million the year before.

Medical record data is more valuable, by a factor of about 10, than credit card data on the black market says Magrabi. The data is then used by hackers to either buy medical equipment or drugs. In some cases, the data is used for Medicare fraud.

Unlike credit card theft, where the loss can be detected quite quickly, medical data theft might go undetected by the victim for many months. It’s often found only when the victim receives a bill for services they never received.

Ransomware attacks are on the rise in healthcare, as they are in many industries, resulting in significant operational disruption. For example, a GP clinic on the Gold Cast was hacked recently. Fortunately, they were able to recover quickly as they had a robust backup system. Others, such as MedStar in the US, suffered a week of disruption as they were forced to return to a paper-based system until they were able to recover systems.

DDoS, spear-phishing and other attacks are also common, says Magrabi.

Patients at risk

Magrabi noted that there have been demonstrations of hacks that directly access insulin pumps and pacemakers. Although there are not any known “in the wild” attacks, the potential does exist as many deivces have unsecured wireless connections.

Any cyber-attack that alters or deletes patient information can result in patient harm.

What can be done?

Magrabi says this is about the triangle of people, process and technology.

There are multiple stakeholders in healthcare that are distributed in space and time. All of the different users of the data have different requirements. For example, clinicians and patients want different things from systems. And different users of healthcare systems often work under some pressure resulting in looking at multiple records at the same time or moving to different tasks without logging off from systems. Policies and procedures governing these systems may have gaps. For example, causal staff may not undergo the same level of training as permanent staff.

At the same time, parties have a requirement for high availability as delayed access can impede clinical work and endanger patients.