Patient critical – healthcare’s cybersecurity pulse

August 2019 News, Cyber Security, Healthcare (Industry)

The healthcare industry has become one of the leading cybersecurity attack vectors worldwide.

Case 1 – The patient and his family appeared horrified. What had begun as a seemingly routine medical examination had turned into a nightmare. The man appeared healthy but had complained of persistent headaches. The CT scan showed what was diagnosed to be a massive tumour on the brain. Declining surgery, he still managed to get a substantial disability pay-out from his insurers who were unaware of his brilliance at writing computer programs.

Craig Rosewarne
Craig Rosewarne

Pending his nomination he undertook a thorough medical check-up and was declared fit as a fiddle. A month later he collapsed at a fundraising function and died of a major arterial embolism in the brain. The underworld rejoiced.

Do the above case scenarios sound strange? Not if one considers that researchers in Israel recently announced that they’d created a computer virus capable of adding or removing images of tumours into CT and MRI scans, malware designed to fool doctors into misdiagnosing low- to high-profile patients. This short video is scary yet fascinating:

The healthcare industry has become one of the leading attack vectors worldwide for several reasons. Firstly, it maintains huge amounts of highly sensitive patient data, a juicy target for hackers who can use it for financial gain, humiliation or revenge. Access to a medical database would allow a miscreant to alter medical records, delete them or hold them hostage using ransomware.

Secondly, medical institutions are far more likely to accede to ransomware demands when patients’ lives are at stake. The healthcare industry increasingly relies on IoT (Internet of Things) technology that’s connected to the Internet, which ranges from patient records and lab results to radiology equipment. Even catering and down to maintenance of the hospitals are impacted. The 2017 WannaCry ‘epidemic’ caused chaos in the healthcare industry, the UK in particular being hard hit. Many institutions were found to still be running their systems on outdated, end-of-life, unpatched Windows XP devices.

Healthcare lags far behind other industries, experts say, unlike the financial sector, in the way it protects its information technology infrastructure. A healthcare failure can end with injury or even death, unlike finance which may involve a slap on the wrist or a fine.

Not a matter of when or if…

Medical institutions are being bombarded with malicious attacks every day. Many do not even know that they are already infected as many viruses can lay dormant or continue to seek new backdoors until activated. Advanced Persistent Threats (ATPs) are sometimes only discovered 18 months after breaching the system. Another major problem is that most medical personnel do not know what system devices are running on. Many service providers have gone out of business and patches, when provided, are often not implemented. Many small medical facilities do not have the budget for a full-time IT team and those in rural areas are at greater risk, especially if they are connected to the main urban centres. The country cousins can infect their city slickers – remember, everything is connected.

What other dangers do the health industries and medical devices face? Pacemakers have been proven to be easily hackable. The device can be instructed to speed up, slow down, behave in an erratic fashion or even shut down. ECGs, scanners and X-rays may give false readings or simply be unavailable. Hospitals’ and clinics’ emergency power generators can be disabled, preventing any tests, operations, etc. during a mains outage, which are a common occurrence here in sunny South Africa.

Why is the health industry lagging behind other enterprises? Low budgets play a major part, but the lack of awareness regarding the enormity of the threats from governments, decision makers down to grass-level employees is extremely worrying. The perceived attitude that no-one would be so callous as to attack a medical establishment and endanger human lives or cause fatalities is pervasive. Many hackers don’t care. The monetary rewards far outweigh any feelings of guilt or remorse.

There is a pulse, but it is very weak.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

TAPA: The role of an effective treasury function in business risk management
June 2019, Technews Publishing , News
Neil Le Roux, the Founder of Diligent Advisors will speak at the TAPA SA (Transported Asset Protection Association) annual conference on 26 July 2019.

iLegal 2019: Critical IT aspects of Augmented Surveillance
August 2019, Technews Publishing , News
iLegal is the surveillance industry’s premier one-day conference hosted jointly by Hi-Tech Security Solutions and Dr Craig Donald. iLegal 2019 will be held on 12 September 2019 at The Rosebank Crowne ...

iLegal 2019: Putting a face on surveillance services
August 2019, Technews Publishing , News, Conferences & Events
iLegal 2019 will be held on 12 September 2019 at The Rosebank Crowne Plaza in Johannesburg. iLegal is the surveillance industry’s premier one-day conference hosted jointly by Hi-Tech Security Solutions and Dr Craig Donald.

Residential Estate Security Conference 2019: Making AI work for you
August 2019, Technews Publishing , News, Conferences & Events
Gerhard Furter will deliver the keynote at the Residential Estate Security Conference 2019, providing a brief introduction into what AI really is and its application in estates.

From the editor's desk: The difference between potential and skills
August 2019, Technews Publishing , News
This issue of Hi-Tech Security Solutions includes our annual Local Manufacturing feature and it’s great to know that local security manufacturers are still going strong, even if the general manufacturing ...

A customised solution for backup power
August 2019, Specialised Battery Systems , News, Integrated Solutions
Specialised Battery Systems designed and implemented a bespoke solution for Stallion Security Electronics to deploy at almost any site.

Is security broken?
August 2019 , News
New VMware research reveals how South African businesses continue to try to battle sophisticated security threats in a digital age, with the same old tools.

Milestone partners prove their skills
August 2019, Milestone Systems , News, CCTV, Surveillance & Remote Monitoring, Training & Education
Within the span of one week in mid-May, the Milestone Learning & Performance group celebrated important benchmarks: 200 000 course registrations and tutorial views, and 10 000 certifications.

ONVIF Hosts 20th Developers’ Plugfest
August 2019 , News, CCTV, Surveillance & Remote Monitoring
ONVIF, the global standardisation initiative for IP-based physical security products, hosted its twentieth ONVIF Developers’ Plugfest in early June in Tokyo.

24-hour emergency response for staff
August 2019 , News, Security Services & Risk Management
The FirstRand Group has partnered with PanicGuard to create a 24-hour emergency response programme for staff.