Healthcare communities, cybersecurity professionals and governments must acknowledge these five stark realities as they seek ways to combat the persistent and ubiquitous threat of cyberhackers.
The three main targets of cybercriminals are electronic health records, healthcare infrastructure and individual medical records. Sensitive information has become a very powerful commodity in modern society. Just as gold, diamonds and printed money have attracted thieves for centuries, information has become one of earth’s most valuable assets. The more sensitive, damaging or revealing the information is, the more value it possesses. Details about how healthy, or unhealthy, individuals and groups are can be ransomed for astronomical prices.
In July 2018, ransomware targeted SingHealth, Singapore’s largest healthcare institution, and stole the information of 1.5 million patients, including the profile of the country’s Prime Minister, Lee Hsien Loong—who was identified as a specific target in the attack. These types of ransomware attacks are constantly being perpetrated against healthcare facilities as they struggle to implement comprehensive defense strategies. This trend will only escalate as cybercriminals and healthcare institutions attempt to outsmart and outmaneuver each other as bank robbers and banks have done throughout history.[2]
One of the most concerning current threats to health information privacy is a serious compromise of the integrity and availability of data. Those risks include possible harm to a patient’s safety and health, loss of protected health information (PHI) and unauthorized access to data. In fact, in 2013 The Washington Post reported that the doctors for Vice President Dick Cheney ordered the disabling of the wireless functionality of his heart implant out of fear that it could be hacked by terrorists.[3]
It’s arguable that cybercrimes in the healthcare industry can have much more drastic consequences for institutions’ brand equity than major financial losses. The fear of not being able to access one’s critical health information is a legitimate, and intense, sense of unease. This anxiety is partially what gives the information its value and power. Data security breaches can directly impact the health and well-being of patients, and even result in fatalities. Destroying medical records and hijacking critical pharmaceutical prescriptions can quickly result in casualties and deaths. By stealing information and manipulating public fear, cybercriminals can leverage their stolen assets in unprecedented ways. The reality is that these crimes have life-threatening consequences and can be perpetrated from across the world in the middle of the night.
The potential monetary gains for cyberhackers are enormous. Unsurprisingly, more than 70 percent of healthcare industry companies expect a breach from financially motivated cybercriminals. However, the pervasive image of a lone cyberhacker working from a dark apartment in an anonymous city, or nefarious state-sponsored groups of squinting cyberthieves lined up in rows of bland cubicles, represents only part of the story. Internal employees also pose a great threat to healthcare institutions. Every employee is a human being, and whether they are disgruntled, financially distraught or simply unaware of how their behaviors can impact security protocols, there is the potential for corruption. Having the right security clearances, passwords and access to sensitive information may simply be too tempting for internal employees with an ulterior motive.