[BreachExchange] Cyber security: an ‘indigestion problem’ in healthcare industry

Destry Winant destry at riskbasedsecurity.com
Wed May 10 23:53:59 EDT 2017


In August 2011, Marc Andreessen famously wrote an essay in The Wall Street
Journal, “Why Software is Eating the World”. It talked about the growing
significance of software in business across a wide swathe of industries.
Fast forward to the present day in 2017 and we can safely say that the
process of eating is complete. However, there is an “indigestion problem”,
which is becoming quite prevalent on account of cyber “insecurity”.

A case in point: last month the International Association of Athletics
Foundation (IAAF) publicly disclosed that they were victims of a massive cyber
attack <http://bit.ly/2p3QEsz>. It is interesting to note what was
stolen—no, it was not the credit card numbers of athletes but their
therapeutic use exemption (TUE) data. The IAAF attributed the attack to a
group called APT28 (aka Fancy Bear), which has been known for specialised
cyber attacks.

Then, the Anthem Inc. medical data breach of 2015 (now revised to 2014)
ensured that the organisation had to utilise the entire amount of $100
million of cyber insurance just to notify its customers. The name of the
nation state behind the breach has still not been released in the public
domain.

As an industry professional, I have always been used to headlines about the
financial industry being targeted and being in the news as a victim. The
rise in healthcare data breaches was at first surprising, but then, when
one starts to look at the big picture, it actually makes sense and even
becomes interesting to dig deeper into.

Mobile devices like smartphones and tablets are used by just about everyone
today to collaborate and communicate. Most individuals routinely spend up
to 4 hours a day on these devices.

So when you start leveraging smart applications on the phone that collect
and analyze more and more data of your daily life—where you go, when and
whom you meet, what you eat, how much you walk, how much you sleep—the
mobile device actually starts to know you much better than your best friend
of many years or perhaps even your spouse. And that’s when you get into the
crosshairs of an attacker.

Such a profusion of applications allows a hacker to gain access to your
mobile device and thus your private data. Unlike the law enforcement
authorities, hackers really do not need to brute-force your personal
identification number (PIN) or clone your fingerprints—they can simply
enter via the smart application on your phone or, most probably, with a
simple phishing email requiring you to click to open your healthcare
report. Anecdotally, most individuals have fallen for this simple but
effective technique with disastrous consequences <http://bit.ly/2qHk2Sr>.

The issue of cyber security in healthcare is compounded by the fact that
today most smartphones provide a wide variety of applications on Apple and
Google stores. These applications enable users to perform anytime, anywhere
monitoring and even diagnose lifestyle diseases.

Medical devices such as patient monitors and medication-infusing pumps—many
of which are life-sustaining or life-supporting—often connect directly to
the Internet to enable quicker and affordable medical care. However, such
medical devices and other mobile health solutions are a double-edged sword.

They have the potential to play a transformational role in healthcare
management, but they can also become a vehicle to expose patients and
healthcare organizations to cyber security risks.

Among the unintended consequences of unregulated digitization and increased
networked connectivity are the risks of being hacked, being infected with
malware, and being vulnerable to unauthorized access. Take the case of
wirelessly connected and implanted defibrillators for controlling the
heartbeat. In the right hands, these are valuable medical aids, but
researchers have demonstrated that it is possible to glean personal
information by eavesdropping on the signals these implants emit.

Indeed, there is a possibility that such a device can be reprogrammed to
deliver a fatal jolt of electricity directly to the organ it is monitoring.
The Ponemon Institute estimates the cost of data breaches in the healthcare
industry to be about $6.2 billion per year <http://bit.ly/2pNcFZN>.

To address the multi-faceted challenges of cyber security, the US National
Institute of Standards and Technology (NIST) formulated a cyber security
framework <http://bit.ly/2ePWDZM>. The framework’s building blocks are
Identify, Protect, Detect, Respond and Recover. It can be implemented by
companies in any sector and of any size for creating a cyber-resilient

In December 2016, the US Food and Drug Administration (FDA) released a
final guidance document regarding post-market management of medical device
cyber security. (The final guidance document is available here

In the Indian context, while we still discuss and debate the pros and cons
of linking Aadhaar cards for multiple-use cases, I would recommend that we
as individuals spend the next 30 minutes or so after reading this article
just to check what applications we have downloaded on our mobile devices
and make informed decisions about what personal data they are transmitting
and to whom.

Now, that should be something relatively easy to digest.