A 'bittersweet' wake-up call for the healthcare IT industry
Security must be improved in order to mitigate the threat from cyber criminals
Almost a year after Wannacry took control of the NHS IT infrastructure; Orangeworm has been identified as a new threat to healthcare.
Device makers and care providers alike need to stop treating care and security as two separate entities. They aren’t
The hacking operation has already targeted a number of countries – 32% of which are in Europe (5% in UK) and is primarily targeting the lucrative healthcare industry (39%).
Commenting on the news; Sara Jost, a former nurse and now the global healthcare industry lead at BlackBerry, said the heart of the healthcare industry’s vulnerability is due to the lack of IT experts and cyber security being seen as an afterthought, which could have consequences as harsh as loss of life.
She added: “Healthcare security still lags behind other industries, but it is a hacker’s heaven as they contain all the information necessary for medical identity fraud – an extremely-lucrative crime, and selling up to 10 times the price of stolen credit card numbers on the black market.
She added: “Healthcare is an industry under siege.
“Care providers are targeted by cyber criminals with greater frequency than any other organisation. And, thanks to old equipment and flagging security standards, these attacks find success far more often than they should.
“From a criminal’s perspective, healthcare records are a golden goose.”
Ensuring health data is safe from people who’d misuse it is just as much a part of effective patient care as efficient treatment
This is compounded by the fact that healthcare security still lags well behind other industries.
“It is easier for a criminal to lift medical data from several small clinics than it is to steal money from a bank, for example,” Jost said.
“Given the potential for a much-greater payoff, it isn’t difficult to see why so many criminals have hospitals and clinics in their crosshairs.”
And she said the ‘heart of healthcare’s cyber security woes’ can be traced to a single cause – ‘the men and women who run healthcare organisations are clinicians, not IT professionals’.
She told BBH: “Though brilliant physicians and businesspeople, they are not security experts.
“They allot most of their organisational budget towards excellent patient care and medical advances. IT is often an afterthought, even as more and more healthcare data is digitised.”
From a criminal’s perspective, healthcare records are a golden goose
And she warned: “The entry of connected devices into hospitals and clinics will make things even worse if left unaddressed.
“Internet of Things (IoT) medical devices like infusion pumps and cardiac implants frequently contain vulnerabilities with the potential to be life-threatening. As for regulations and security standards – which many providers already have difficulty adhering to – they have failed to evolve as quickly as the threat landscape.
“Device makers and care providers alike need to stop treating care and security as two separate entities. They aren’t.
“Ensuring health data is safe from people who’d misuse it is just as much a part of effective patient care as efficient treatment.”
Jalal Bouhdada, founder and principal ICS security consultant for Applied Risk, added: “It is perhaps no surprise that a new attack group has been discovered targeting the healthcare industry.
“There have been repeated warnings that healthcare systems are easy pickings for cyber criminals, and although there has been an understandable desire within the industry to press ahead and unlock the benefits of IoT technology, a lack of consideration regarding the security ramifications of this has begun to concern many.
“While innovation in the healthcare industry is having a great impact on the quality of life for many people, what if the opposite is also true?
Medical device manufacturers must come to terms with the idea that the security of the healthcare equipment itself is also a life-and-death issue
“While in the case of Orangeworm it seems the attackers were only looking to learn about the inner workings of a system, could this often life-saving medical equipment be turned against us?
“There has been much speculation over potential scenarios in which devices such as insulin pumps are hijacked and held to ransom; or terrorists attack connected pacemakers en masse. Sadly, this is no longer the stuff of fiction, as made clear by the FDA’s recent warnings regarding exploitable flaws in connected cardiac pacemakers.
“Medical device manufacturers must come to terms with the idea that the security of the healthcare equipment itself is also a life-and-death issue. >
The security industry and medical device manufacturers must develop a closer relationship, ensuring that new devices are developed with security defences baked in
“Medical device manufacturers must now begin adhering to best-practice security advice.
“The security industry and medical device manufacturers must develop a closer relationship, ensuring that new devices are developed with security defences baked in.
“The ethos of ‘secure by design’ must become entrenched within all product developers."