The following is my personal opinion on what the most popular healthcare attacks are, based on past events.
Over the last couple of years, the most popular healthcare attacks reported include: Denial of Service, Patient Data Theft, Asset Damage Attacks, and Therapy Manipulation Attacks. Here is how each of them fares against the proposed security model.
Denial of Service
Denial of Service (DoS) attacks aim to reduce access to information. This type of attack is a popular choice, and the healthcare industry is no stranger to it. Not too long ago, Boston Children’s Hospital made cyber security headlines as the victim of a Denial of Service attack. In this case, the famous hacking group Anonymous took action against Boston Children’s Hospital shortly after a story broke that a young patient was being separated from her parents. Although these attacks do not lead to any theft of data, they can cause serious damage by taking healthcare systems offline and disrupting the care of many patients.
To safeguard against DoS and preserve the availability of data, hospitals need to have a plan in place. This is similar to the physical recovery plan mentioned above for physical security. In the example above, Boston Children’s Hospital did a good job of reducing the damage done because it had a plan in place. Boston Children’s also had alternatives to email and used “Voice Over IP communications” to communicate securely with each other. Lastly, knowing your system and knowing how to access the same data through different channels can help reduce the damage caused by a DoS attack.
Patient Data Theft
These types of thefts prove to be the most costly to a hospital, as they usually include information that cannot be easily replaced, such as a credit card number or a password. These types of attacks will cost hospitals more than $305 billion over the next five years. If that is not frightening enough, it has also been reported that 1 in 13 patients (roughly 25 million people) will have personal information such as social security or financial records stolen from technology systems over the next five years. Another study, conducted by the Brookings Institution, predicts that one in four data breaches this year will hit the healthcare industry. Considering the severity and looming threat of patient data theft to the healthcare system, it is important for hospitals to safeguard against it.
As highlighted in the proposed security protocols above, strong authentication and authorization protocols and up-to-date application security can help mitigate this risk. In addition, hospitals require that a password change be done every 60 days. From an application standpoint, I would highly recommend that updates be installed as soon as they are released and that antivirus be present if possible. As we have seen in the past (e.g. Target in 2015), any application or third-party vendor is capable of causing a massive breach.
Asset Damage Attacks
This type of attack is an example of a physical threat that can negatively impact a hospital. It involves physical damage to hospital equipment or facilities needed to ensure smooth business operation. These attacks can occur for many reasons and are not limited to angry patients and disgruntled employees. One example is a patient who is not happy with his service and decides to trash the waiting room. Another example is a patient who decides to tamper with equipment in his use and ends up breaking it, rendering that equipment useless for future patients. These types of attacks can cost a hospital tons of money every year if not properly handled.
The physical security protocols highlighted above should prevent most instances of these attacks. For instance, with proper access control, patients and certain employees should not have access to important equipment that is costly and difficult to replace. In addition, surveillance and other notification systems can help notify enforcement when these types of attacks are beginning to occur.
Therapy Manipulation Attacks
This type of attack is aimed directly at a healthcare device or tool, changing its purpose or usability. Due to the Internet of Things (IoT), the threat of devices being controlled by hackers is a reality. The issue here is that most of these devices do not come with security protocols. Unlike normal systems, they do not have the same resources to detect and defend against threats as they occur. In fact, Yong-Gon Chon, CEO of Cyber Risk Management, summarizes it best when he states, “This equipment saves lives and can’t be taken offline like a laptop that goes back to IT for a week to be wiped and re-imaged.” The best way to battle these types of attacks is with encryption and secure networks. Applying these security protocols down to the chip level can help minimize these threats.