This autumn, the healthcare sector was affected by several cybersecurity-related incidents: the University Hospital Düsseldorf in Germany, a hospital chain in the US with more than 250 facilities, and most recently, a private Finnish psychotherapy center, Vastaamo, where thousands of patient health records were posted on the dark web when the company refused to pay the ransom.
These crimes and production stoppages have had serious consequences—deaths, suffering and personal tragedy—when sensitive information, shared with a psychotherapist in confidence, has been published for everyone to read. Beyond the known cases, the number of unrecorded incidents where hospitals have paid the ransom and not disclosed the incident is huge.
When a company is struck by a ransomware attack, they try everything possible to avoid paying the ransom. Everyone knows that organized cybercrime will not decrease if it is publicly known that companies will pay.
Companies are prepared to take greater losses than what it costs to pay. However, when a hospital is attacked it is a matter of life or death—or, in the case of the Finnish center, a devastating consequence for each individual patient. For this reason, hospitals often choose to pay, which of course the cybercriminals know. Therefore, the healthcare system is now a prime target for organized cybercriminals.
This is something our company is noticing, as Sectra is both a cybersecurity and medtech company. Demand for our security products and services in the healthcare sector has dramatically increased. However, awareness of the risks is generally low among healthcare staff.
A year or so ago, I heard about a region that banned all CD and DVD readers following a Trojan virus attack, but did not disable its USB ports. A USB port is more vulnerable than a DVD reader.
Protection from hacker attacks or cybercrime will never be 100% effective. There is simply no way to be completely secure.
A few years ago, the Iranian nuclear weapons program suffered a devastating Stuxnet attack without any computers connected to the internet. The malicious code was spread via USB flash drives and the infected computer simply copied the whole Stuxnet program to all other memory sticks that were inserted into the computer. That way, Stuxnet jumped through several carriers until reaching the final target: the computers that controlled the centrifuges that enriched the uranium.
Stuxnet changed the speed of the centrifuge rotors so that the enrichment of the uranium was not good enough, but no one noticed. All other computers were only carriers. It is still not known who created Stuxnet, but the US and/or Israel are suspected. The attack is estimated to have delayed the Iranian nuclear weapons program by at least one year.
These examples illustrate the kinds of threats that are possible. However, most successful attacks today are not as sophisticated. Most attacks, such as the worldwide WannaCry ransomware attack in 2017, enter the system when a user mistakenly clicks a spam email or link, usually because they look completely harmless. Alternatively, by someone leaving entry points wide open, such as naively configured VPN connections. In these challenging times, with a large proportion of the population working from home, this is a growing problem.
The latest scandal in the news outside the healthcare industry was a data leak during a cyberattack on the Swedish security company Gunnebo. The company had left the gates to its network open and exposed the password to its RDP account—password01. And this was a security company…
The consequences were devastating here as well. A lot of descriptions and schematics of vaults, locks, etc. are now on the dark web. We must realize that many intrusions happen via temporarily connected systems, and that we suppliers run the same risk as employees in the healthcare sector. It is our responsibility to not make an already problematic situation in the sector worse by using bad systems and procedures ourselves.
How can this be avoided? As I have already said, it is not possible. But you can greatly reduce the probability of someone succeeding, and mitigate the consequences if someone does happen to break in.
The easiest and most obvious measure to minimize the risks is education. Broad training of all staff who work with computers, which basically means everyone. Often, you reach 80 percent of the benefit at 20 percent of the cost to reach 100 percent. These kinds of courses are available as self-study online training and just one hour can make a difference to start with. And yet, to my surprise, this is rarely done.
The next step is to realize that the bad guys will get in no matter what you do. You can increase the complexity, but you cannot prevent it completely. After that comes the next step: to construct a multi-layered security defense.
A good security structure is like an onion, layer upon layer of protection with intrusion detection in each layer. The idea is that you discover an intrusion before the bad guys reach the inner levels, which gives you time to stop them.
One possible test is to hire a hacker and place them inside your own firewalls, without telling anyone they are there. Their mission would be to gather sensitive information inside the first layer. You should prevail with an onion-layer approach but if not, you will know it before the real bad guys get there. And one day they will.
Archiving and storage should preferably take place in completely different environments. So even if the criminals manage to encrypt and ruin a file system, they will not reach the other databases with a different architecture pattern. The latter does not prevent data theft, but it does protect against ransomware.
However, extremely few of the healthcare sectors’ computer systems and hospitals are built that way. It’s time to face facts. As a medtech and cybersecurity company, we and our healthcare customers are prime targets in this new and unpleasant world, and we must all work proactively to minimize the risk as best we can. To quote Benjamin Franklin:
By failing to prepare, you are preparing to fail.
This article was originally published in Swedish in MedTech Magazine: Datasäkerhet – ett akut, allvarligt och snabbt växande problem