In a recent webinar, Andy Sheret, head of business development at ITHealth, and Chad Holmes, security evangelist at Cynerio, shared insights around securing patient data for safer care, highlighting the impact and risks of data breaches on hospitals, and the steps that need to be taken to proactively identify and secure healthcare systems.
Cybersecurity in healthcare: outlining the issue
To set the scene on the need for cybersecurity around electronic patient data, Chad talked about the current state of patient data security, highlighting how “cyber attackers have found a very profitable source of data in healthcare”. He highlighted that a cyber attack takes place “roughly every seven minutes” across the globe, with the UK suffering nine healthcare cyber incidents from 2021-2023.
The good news is that “there are technologies out there that can help”, Chad said, such as microsegmentation. This is one of the core components of the Cynerio platform and has been shown in other industries to “effectively prevent the spread of attacks”.
Referring to the WannaCry attack of 2017 as “the opening of Pandora’s box”, Chad next looked at why the NHS and the UK healthcare system are “particularly susceptible” to the attack. “The good thing to come out of the breaches is the increased research and development on tailoring security tools to the specific needs of healthcare environments,” he acknowledged.
“We’re also seeing more resources and training now, which doesn’t mean that hospitals have everything they need in this regard, but they do have more than they did a few years ago. As we are getting more resources to help protect against these attacks, things are slowly getting better. We’re also seeing improved guidance.”
He noted that the motivation for hackers in healthcare is the financial value of the data they can retrieve, which “can’t easily be cancelled” in the same manner as credit card data, for example, and is “incredibly easy to commit fraud with”. Chad cited that healthcare data is worth roughly 25 times more per record than credit card data on the black market.
“When you’re getting these records millions at a time or terabytes of data at a time, that becomes incredibly lucrative on the black market, to the point where ransomware gangs leave instructions behind for their followers to go and pick up where they left off if they get caught. There is a massive amount of money at stake, and nearly all of these attacks are financially driven.”
Chad highlighted factors which have led to the healthcare system’s particular vulnerability, including a traditional underinvestment in security, and emphasised that responsibility should not lie with nurses. “Nurses should be providing care and saving patients’ lives, not worrying about protecting data from hackers. We have to make sure that institutionally, we know who is responsible for making sure that security is getting implemented correctly.”
At a technology level, Chad continued, “We’ve onboarded thousands of devices that provide improved care; that’s why we have CT machines that are connected and why I can get an X-ray of my knee in New England and have it read in maybe the Philippines, and have that radiologist report within hours. But by putting those online and not securing those devices and holding manufacturers to a higher standard, we’re putting our environments at risk, our patients at risk, and their data at risk.”
Vulnerabilities in healthcare data
Moving on to discuss the specific vulnerabilities of healthcare data and points of exposure within the healthcare system, Chad talked about picture archiving and communication systems (PACS). The problem with PACS, according to Chad, is that “there is the potential to be insecure, and one of the reasons for that is because they’re focused on sharing data and not necessarily securing it. We found one example where a user manual for a PAC system contained a hard-coded URL in one of the screenshots; we could actually take that URL, change some parameters, put it into a web browser, and get admin level access to all the data.”
This kind of breach, Chad continued, does not count as “advanced hacking”. He noted that there are other similar examples of “fairly simple ways hackers can gain access to data” and cited an example with cardiovascular information systems where hackers could run a port scanner to see what data was going back and forth; when they find an open port, they can get full access to the system without credentials. Another example is that of smart whiteboards which also had a mobile interface being used by hospital staff. If you knew that the mobile interface existed on a certain URL, with certain endpoints, you could easily gain access to it. These are “very rudimentary, very basic attack techniques,” Chad said, but can lead to the capturing of high numbers of patient records.
Another area where challenges exist is in medical devices, since “a lot of devices we see in healthcare environments can’t have endpoint protections installed in them”, like CT machines and IV pumps. He added that the nature of healthcare-specific devices and their environment means that “you cannot have these devices restarting and putting patients at risk simply because of a security error”; this presents an additional challenge compared with other industries.
Chad stated that these vulnerabilities are “exposing patient data at volumes that just aren’t acceptable any more”, and highlighted that Cynerio has been focusing on learning where these vulnerabilities exist in different systems over the last few years.
“We focused on the network traffic, and we realised that all these systems are openly communicating, that traffic is freely flowing; but if we start analysing that traffic in a way that protects patient data, we can start to see what data is going where. As we got more and more into this, we identified ways to actually identify the exposure points before data was being stolen, so we could be proactive in our protections, rather than having to be reactive.”
As well as the common exposure points already mentioned, Chad shared that his team is seeing “a drastic increase in the number of APIs and interfaces that are built into systems which are not locked down by default”, creating another potential point of exposure that could be vulnerable to hackers.
“As we gathered this information, we realised we could build very helpful dashboards that will show you the systems you have, how they’re exposing data, what data is being exposed. For example, if you have the same credentials logging in within a minute of each other but 200 miles apart, it’s probably not a good use case. There are common patterns in how this data can be protected, so not only can we detect all this, we can also automate and then validate to help secure those systems.”
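The pattern Chad describes, the same credentials logging in within a minute of each other from places 200 miles apart, can be checked with a short script over login records. The following is an added example, not Cynerio's code or anything shown in the webinar; the event format, account names and coordinates are constructed, and it assumes each login has already been geolocated (for instance from its source IP).

```python
import math
from datetime import datetime

# Constructed sample events (not real data): ISO timestamp, account, source lat/lon.
SAMPLE_LOGINS = [
    ("2024-03-01T09:00:00", "nurse.a", 51.5074, -0.1278),  # London
    ("2024-03-01T09:00:40", "nurse.a", 55.9533, -3.1883),  # Edinburgh, 40 s later
    ("2024-03-01T09:05:00", "clerk.b", 51.5074, -0.1278),  # London
    ("2024-03-01T09:05:30", "clerk.b", 51.4545, -0.9781),  # Reading, 30 s later, nearby
    ("2024-03-01T10:00:00", "dr.c", 53.4808, -2.2426),     # Manchester
    ("2024-03-01T14:00:00", "dr.c", 51.5074, -0.1278),     # London, four hours later
]

EARTH_RADIUS_MILES = 3958.8


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat = p2 - p1
    dlon = math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def find_impossible_travel(events, window_s=60, min_miles=200):
    """Flag an account seen at two far-apart locations within window_s seconds.

    Each login is compared with the previous login for the same account.
    Defaults follow the thresholds quoted above (one minute, 200 miles).
    """
    alerts = []
    last_seen = {}  # account -> (time, lat, lon) of its previous login
    for ts, user, lat, lon in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if user in last_seen:
            prev_when, prev_lat, prev_lon = last_seen[user]
            gap = (when - prev_when).total_seconds()
            miles = haversine_miles(prev_lat, prev_lon, lat, lon)
            if gap <= window_s and miles >= min_miles:
                alerts.append({"user": user, "gap_s": gap, "miles": round(miles)})
        last_seen[user] = (when, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

Only the first account is flagged with the default thresholds: the second pair is close together, and the third pair is far apart but hours apart.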
User experience
Chad went on to discuss the Cynerio user experience, including a dashboard presenting information about current systems and any potential data exposures, and the ability to “dive deeper” into details including host names, IP addresses, vendors and more.
“We start to get a really good fingerprint of what this system is running and how it is exposed, as well as getting detail on how the system is interacting with other machines, other people – and with hackers in some cases. We see the services count, the number of clients, the number of data feeds. We can also see a high-level overview of the risks in the system.”
Chad went through the level of available detail when it comes to things like devices, and the number of services which are encrypted. “These issues we find within the system are incredibly achievable in a relatively short amount of time, and we’re able to address most of them within a few weeks. Then it’s a case of keeping up to date with new systems as they’re introduced and making sure they’re secured correctly.”
As a final note, Chad talked about three things that “everyone should be aware of”, including the Data Security and Protection Toolkit, which “is effectively doing self-audits and documenting with evidence the assets you have to properly implement security”. Additionally, he pointed to the National Cyber Security Centre’s recent launch of its Cyber Assessment Framework, and the US’s Health and Human Services’ HPH cybersecurity performance goals. These are “effectively the very basic things everyone should be doing as soon as possible, like email security and encrypting your data. I think it’s really important to point out resources that are available to anyone.”
In a recent interview, we spoke to Peter Kelly, Cynerio’s global head of customer success, on the need to think about cyber security differently, how Cynerio can support organisations in this space, and what success looks like in his view.