[BreachExchange] Healthcare data a growing target for hackers, cybersecurity experts warn

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 19 18:01:14 EDT 2018


http://www.abc.net.au/news/science/2018-04-18/healthcare-target-for-hackers-experts-warn/9663304

In 2016 a Californian hospital desperately paid $US17,000 in bitcoin as
ransom to a hacker who had seized control of its computer systems.

But in making the payment, the Hollywood Presbyterian Medical Centre
unwittingly helped make the healthcare sector a growing target for hackers,
says a leading cybersecurity expert.

"They paid the ransom and they were public about it," said Denise Anderson,
president of the US National Health Information Sharing and Analysis Centre.

"It painted a target on the back of healthcare."

Ms Anderson works with health providers to share cyber threat information
and techniques for thwarting online attacks.

Speaking at the recent Australian Cyber Security Centre conference in
Canberra, she echoed a concern heard many times at the event — as we put
more medical information online, healthcare is becoming one of the
preferred targets.

The result is very real threats that range beyond privacy breaches to
delayed surgery, blackmail, identity theft and other criminal activity.

For Ms Anderson, a security breach suffered by the American health insurance
provider Anthem in 2015 was also a turning point.

The personal information — including names, birthdays and social security
numbers — of about 79 million people was accessed by a hacker.

"Bad actors saw that and realised the value of the data that was there," Ms
Anderson said.

"Would they have been able to do that 10 years ago? Probably not."

Risk to operations

Australia's healthcare system, like transport or energy, is critical
infrastructure.

That's why the WannaCry ransomware attack in 2017 was a wakeup call, said
Alastair MacGibbon, head of the Australian Cyber Security Centre.

The malicious software locked up National Health System computers in the UK
and demanded a ransom, causing appointments to be cancelled and surgeries
delayed.

"That highlighted to some operators of hospital infrastructure that a
ransomware attack can actually have life and death implications," he said.

The industry is increasingly aware of cyber risks, added Dr Nathan Pinskier
of the Royal Australian College of General Practitioners and an e-health
specialist.

"In Australian cybersecurity, there are only two types of healthcare
organisations — those that know they've been hacked and those that don't
know they've been hacked," he said.

"Everybody's a target."

While large institutions may have systems in place to detect online
intrusions and deal with them, smaller general practices may not.

Dr Pinskier said his mantra is "protect, prevent, preserve", and most
importantly, "backup".

Your data is also a target

Hospital systems are not the only target — your own health records could
be, too.

These records are incredibly rich, Ms Anderson pointed out.

It's not just names and dates of birth, which can be used for identity
theft, but someone's blood type or even the prescription drugs they take.

"If you can get a set of data saying, 'all these people are being
prescribed opioids', for example, [you can] harvest their credentials and
get their prescriptions," she said.

According to Mr MacGibbon, online criminals are mostly "coin-operated".

"Their preferred ... target is cash itself. If you can't get the cash, then
you go for things that can be converted to cash. And personal data is one
of those things," he said.

Sensitive health information, for example, could be used to blackmail a
public figure or extract a ransom from a medical provider.

And health data has what's called a large "threat surface" — many
vulnerable points where it could be accessed.

"So, a medical practitioner, my GP, shares information with a specialist,
shares information with a hospital ... then it has to be shared with
Medicare, my private health insurer in order to pay bills," Mr MacGibbon
explained.

Of course, not all security breaches occur as a result of access by hackers.

Figures for the first quarter of 2018 from Australia's data breach
notification scheme show that over all sectors, around half of breaches
were caused by human error.

The scheme found most breaches came from the healthcare sector.

What about My Health Record?

Ms Anderson also raised concerns about the Australian government's My
Health Record project — an online summary of personal health information
uploaded by care providers.

According to a report by the Australian Information Commissioner, 113
people were affected by unauthorised access of My Health Records by a third
party in 2016-17.

In late 2018, all Australians will have a record automatically created for
them if they don't already have one — unless they opt out. People will be
given three months to opt out but the dates for this are yet to be
announced.

Ms Anderson said she would personally be "nervous" about having such
information centralised and accessible in one place.

"No matter how good you say you are at doing stuff like that, and any
defensive measures that you put in place, eventually there's going to be
some kind of breach," she said.

An Australian Digital Health Agency spokesperson said, "My Health Record
balances safety and security with the benefits available to consumers and
healthcare providers".

Australians will have to decide for themselves

Professor Bronwyn Hemsley, head of speech pathology at the University of
Technology Sydney, has researched attitudes to My Health Record.

She said the scheme could make an important difference to patient care by
easing barriers to information access between doctors and patients.

"When health information is not shared appropriately ... then we see
mistakes happening," she said.

Because the system is opt-out, Australians will have to decide for
themselves whether the convenience of having vaccination and medication
information in one place outweighs any risk, and act upon it.

"When you connect data up, when you make it mobile, when you make it
accessible, by its very nature, that increases the threat surface of that
data," Mr MacGibbon said.

"There is no such thing as absolute security."