While we may consider health largely a private concern in the United States, our nation depends on the continuity and availability of its healthcare system in a very public way, as evidenced by the current coronavirus outbreak. Our critical healthcare infrastructure is vulnerable at this time, no doubt, but it truly has been inspiring to see doctors, scientists, and other industry professionals from around the world come together to stop the spread of COVID-19. To fend off exploitative cybercriminals, we must employ the same sort of collaboration.
It’s no surprise that the healthcare industry wears a large target on its back for cybercriminals, given the treasure trove of data it holds. Credit card fraud is certainly a problem, but healthcare identity fraud can become an absolute nightmare. A successfully stolen identity can provide just enough information to enable criminals to fraudulently bill for fictitious and expensive treatment regimens, in order to collect thousands of dollars from health insurers or even government programs. Imagine finding out at a regular check-up that your health record indicates you’ve had a kidney transplant!
As with any crisis, cybercriminals are seeking to exploit the fear and uncertainty surrounding the coronavirus by, for instance, exfiltrating sensitive medical data or stealing intellectual property for financial gain. Already, bad actors are engaging in targeted phishing campaigns by spoofing credible health organizations and experts alike. In addition, the sudden shift to work-from-home environments has opened up a range of new cybersecurity vulnerabilities arising from consumer home networks. In most homes, uninstalled router patches, old hardware, and bad password practices are commonplace, and criminals know it.
However, the good news is that these issues are not tough to resolve. For the most part, it’s a matter of awareness and understanding – and following – cybersecurity best practices. Organizations should implement mandatory cybersecurity training if they haven’t already, to educate employees. Many security breaches are avoidable by taking steps that prevent your company from becoming the weakest link in the chain.
The healthcare industry is the second largest sector of the U.S. economy, accounting for 17.8% of the national GDP in 2019. Medical record data is a lucrative source of cybercrime, selling at a higher price on the dark web than your typical financial data because it contains so much valuable information, from dates of birth to social security numbers. As mentioned in the fictitious kidney transplant example, medical records used to instigate insurance and tax fraud can go unnoticed for a long time, generating a steady stream of revenue for cybercriminals.
Unfortunately, the healthcare sector presents a relatively easy target for cybercriminals, as evidenced by a 2019 national report on healthcare preparedness, which found that an average of only 47% of organizations conform with the NIST Cybersecurity Framework. This number is startlingly low and shows that organizations can do more to help their cause. This lack of preparedness has led to a 150% increase in healthcare attacks in the last 60 days. The exfiltration of sensitive information represents not only a net loss for the U.S. economy overall but also presents an opportunity for hacker groups and nation-states to illicitly procure funds.
With the digitalization of more medical equipment, it is increasingly feasible for cybercriminals to remotely damage or manipulate these devices. Historically, most ransomware involved locking computers behind a password while extorting money from victims. Now, with computers in medical devices, nefarious actors have the ability to surreptitiously manipulate medical equipment.
Cybercriminals could also capitalize upon information stolen from medical data breaches and blackmail individuals based on their exposed health conditions – especially people of notable political/social status. An attack like this recently targeted Singapore Health Services, seeking access to Prime Minister Lee Hsien Loong’s medication data. The hack also exposed roughly 14,200 HIV positive medical records, including names, addresses, and HIV statuses. Attribution methods seem to suggest that a nation-state actor was behind the strike.
To combat threats such as these, in October 2018, the Department of Health and Human Services opened a new cybersecurity unit – the Health Sector Cybersecurity Coordination Center (HC3). It’s encouraging to see this first step that recognizes the significance of protecting America’s health sector against cyber-attacks.
In closing, there’s no doubt you’ve seen many other startling statistics regarding the coronavirus, cybersecurity, or both, but know that these are not intended to scare, but instead inform and provide insight into why we should take these issues seriously. In the words of author David Kessler, “the precautions we’re taking are the right ones. History tells us that. This is survivable. We will survive. This is a time to overprotect but not overreact.”
Stopping the spread of this virus requires a concerted, group effort, so whether that means doing your part through social distancing, or by heading out into the frontlines of the global cyberwar, we all have a role to play. Doing our part now to implement and practice cyber best practices will help to safeguard organizations against future attacks.
About Claire Umeda
Claire Umeda is Vice President of Marketing at 4iQ, where she leads go-to-market strategies, product marketing, sales enablement and brand management. Prior to joining 4iQ, Claire held senior and executive marketing and product positions for startups in the security, communications, data management and social gaming spaces.