The landscape in 2017
In 2017, Kaspersky Lab research revealed the extent to which medical information and patient data stored within the connected healthcare infrastructure is left unprotected and accessible online for any motivated cybercriminal to discover. For example, we found open access to around 1,500 devices used to process patient images. In addition, we found that a significant amount of connected medical software and web applications contains vulnerabilities for which published exploits exist.
This risk is heightened because cyber-villains increasingly understand the value of health information, its ready availability, and the willingness of medical facilities to pay to get it back.
What can we expect in 2018?
The threats to healthcare will increase as ever more connected devices and vulnerable web applications are deployed by healthcare facilities. Connected healthcare is driven by a number of factors, including a need for resource and cost efficiency; a growing requirement for remote, home-based care for chronic conditions like diabetes and ageing populations; consumer desire for a healthy lifestyle; and a recognition that data-sharing and patient monitoring between organizations can significantly enhance the quality and effectiveness of medical care.
The threats facing these trends over the coming 12 months include the following:
- Attacks targeting medical equipment with the aim of extortion, malicious disruption or worse, will rise. The volume of specialist medical equipment connected to computer networks is increasing. Many such networks are private, but one external Internet connection can be enough for attackers to breach and spread their malware through the ‘closed’ network. Targeting equipment can disrupt care and prove fatal – so the likelihood of the medical facility paying up is very high.
- There will also be a rise in the number of targeted attacks focused on stealing data. The amount of medical information and patient data held and processed by connected healthcare systems grows daily. Such data is immensely valuable on the black market and can also be used for blackmail and extortion. It’s not just other criminals who could be interested: the victim’s employer or insurance company might want to know as it could impact premiums or even job security.
- There will be more incidents related to ransomware attacks against healthcare facilities. These will involve data encryption as well as device blocking: connected medical equipment is often expensive and sometimes life-critical, which makes them a prime target for attack and extortion.
- The concept of a clearly-defined corporate perimeter will continue to ‘erode’ in medical institutions, as ever more workstations, servers, mobile devices and equipment go online. This will give criminals more opportunities to gain access to medical information and networks. Keeping defenses and endpoints secure will be a growing challenge for healthcare security teams as every new device will open up a new entry point into the corporate infrastructure.
- Sensitive and confidential data transmitted between connected ‘wearables’, including implants, and healthcare professionals will be a growing target for attack as the use of such devices in medical diagnosis, treatment and preventative care continues to increase. Pacemakers and insulin pumps are prime examples.
- National and regional healthcare information systems that share unencrypted or otherwise insecure patient data between local practitioners, hospitals, clinics and other facilities will be a growing target for attackers looking to intercept data beyond the protection of corporate firewalls. The same applies to data shared between medical facilities and health insurance companies.
- The growing use by consumers of connected health and fitness gadgets will offer attackers access to a vast volume of personal data that is generally minimally protected. The popularity of health-conscious, connected lifestyles means that fitness bracelets, trackers, smart watches, etc. will carry and transmit ever larger quantities of personal data with only basic security – and cybercriminals won’t hesitate to exploit this.
- Disruptive attacks – whether in the form of denial of service attacks or through ‘ransomware’ that simply destroys data (such as WannaCry) – are a growing threat to increasingly digital health care facilities. The ever increasing number of work stations, electronic records management and digital business processes that underpin any modern organization broadens the attack surface for cybercriminals. In healthcare, they take on an extra urgency, as any disruption can in real terms become a matter of life or death.
Last, but not least, emerging technologies such as connected artificial limbs, implants for smart physiological enhancements, embedded augmented reality etc. designed both to address disabilities and create better, stronger, fitter human beings – will offer innovative attackers new opportunities for malicious action and harm unless they have security integrated from the very first moment of design.