Healthcare lagging when it comes to infosec

AusCERT 2016

As more and more health-related data moves from analogue to digital, new risks are introduced into healthcare. Farah Magrabi, from Macquarie University, spoke at AusCERT 2016 about the risks involved in using digital technologies.

Magrabi says IT systems in healthcare are relatively immature compared to other sectors, and security is rarely integrated into processes and systems.

Technology is being used in decision making, says Magrabi. “Across the board we’re looking at everything from email… to pathology results,” she says. Electronic record keeping by providers ranging from doctors to hospitals through to individuals introduces new risks.

Farah Magrabi speaking at AusCERT2016

Increased automation is also significant, she says. “IT systems are supporting important clinical processes. They are now playing a mission-critical role,” says Magrabi. “It’s significant when these systems are taken down by a hack.”

With increased networking between devices, the attack surface is expanding.

Magrabi says 97% of general practitioners use electronic records, and more than 80% of care delivery in NSW hospitals is supported by electronic records. A further 2.7 million consumers use the national My Health Record service. Once you add personal health monitoring, it becomes a complex task to ‘join the dots’, she says.

Citing the example of diabetes, Magrabi notes that managing this disease requires coordination between many different healthcare providers. This creates a complex ecosystem with many points of connection, each a potential vulnerability.

Cyber risks on the rise

Magrabi says that compromises of health data are running at a rate of about four per week, with over 3.5 million records compromised this year in the US alone.

The consequences of these increased risks are broad, says Magrabi. Of particular concern is the volume of the data breaches. A series of large-scale attacks in the US, such as the Anthem breach, means that about one in three US citizens have had their health data compromised in some way. In 2015, 113 million records were compromised in the US, up from 13 million the year before.

Medical record data is worth about ten times as much as credit card data on the black market, says Magrabi. Criminals then use the data to buy medical equipment or drugs, and in some cases to commit Medicare fraud.

Unlike credit card theft, where the loss can be detected quite quickly, medical data theft might go undetected by the victim for many months. It is often discovered only when the victim receives a bill for services they never received.

Ransomware attacks are on the rise in healthcare, as they are in many industries, resulting in significant operational disruption. For example, a GP clinic on the Gold Coast was hacked recently. Fortunately, the clinic was able to recover quickly because it had a robust backup system. Others, such as MedStar in the US, suffered a week of disruption as they were forced to return to paper-based processes until their systems could be recovered.
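The Gold Coast clinic recovered because its backups were usable; a backup is only "robust" if a restore has actually been tested against a record of what was backed up. The script below is an added example (not from the talk or the article) of one such check: it takes a SHA-256 manifest of a directory at backup time, then compares a restored copy against it and reports files that are missing, modified or unexpected. The directory contents, the file names and the simulated ransomware damage (one record overwritten with random bytes, one deleted, a ransom note dropped) are all constructed inline for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large record stores do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest.

    Taken at backup time, this is the reference a later restore is checked against;
    keep it with the backup copy, out of reach of the systems being backed up.
    """
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the backup-time manifest.

    missing:    in the manifest but absent from the restore (deleted or never backed up)
    modified:   present but with a different digest (encrypted, corrupted or tampered)
    unexpected: present but not in the manifest (e.g. a ransom note that rode along)
    """
    current = build_manifest(restored)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small clinic-style directory, then damage it the
    way ransomware would before running the restore check. Returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "records"
        (live / "patients").mkdir(parents=True)
        (live / "patients" / "p001.txt").write_text("constructed sample record 1\n")
        (live / "patients" / "p002.txt").write_text("constructed sample record 2\n")
        (live / "config.ini").write_text("[app]\nversion=1\n")
        manifest = build_manifest(live)  # what a good backup job would record

        # Simulated damage: one record replaced with ciphertext-like bytes, one
        # deleted, and a ransom note dropped at the top of the tree.
        (live / "patients" / "p001.txt").write_bytes(os.urandom(32))
        (live / "patients" / "p002.txt").unlink()
        (live / "README_DECRYPT.txt").write_text("constructed ransom note\n")

        return verify_restore(manifest, live)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

Run as a script, it prints the three findings for the constructed scenario: `patients/p002.txt` missing, `patients/p001.txt` modified and `README_DECRYPT.txt` unexpected. A manifest that lives on the same host as the data it describes gives no assurance once that host is encrypted, so store it with the offline or immutable backup copy and run the comparison as part of a regular restore drill, not only after an incident.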

DDoS, spear-phishing and other attacks are also common, says Magrabi.

Patients at risk

Magrabi noted that there have been demonstrations of hacks that directly access insulin pumps and pacemakers. Although there are no known “in the wild” attacks, the potential exists because many devices have unsecured wireless connections.

Any cyber-attack that alters or deletes patient information can result in patient harm.

What can be done?

Magrabi says this is about the triangle of people, process and technology.

There are multiple stakeholders in healthcare, distributed in space and time, and the different users of the data have different requirements; clinicians and patients, for example, want different things from systems. Users of healthcare systems often work under pressure, which leads to looking at multiple records at the same time or moving between tasks without logging off. Policies and procedures governing these systems may also have gaps: casual staff, for example, may not undergo the same level of training as permanent staff.

At the same time, all parties require high availability, as delayed access can impede clinical work and endanger patients.

Stories by Anthony Caruana