A recent MIT study revealed that the healthcare sector “has lagged behind other industries in protecting its main stakeholder (ie, patients)”.
One healthcare security professional highlighted the gap in a comment to the researchers, lamenting that “When [I was] in banking, I would have had 25 employees at an organization of this size.”
Why is hospital security lagging behind other sectors such as banking? To answer this, it’s helpful to think about the basic cybersecurity methods used by banks:
On-site security: Inside a bank, the public can interact with only a small number of highly specialized machines, such as ATMs. General-purpose computers are reserved for staff and are not left unattended or unlocked.
Online security: Banking was also an early leader in online access. Banking apps and websites typically require strong passwords, a second authentication factor, automatic log-outs and other security measures.
Multi-factor authentication: Banks routinely require two-factor authentication. The most familiar example is the ATM, which usually needs a bank card (something you have) and a PIN (something you know). For many transactions with a teller, a photo ID is required instead; strictly, the ID itself is also something you have, and it is the teller’s comparison of your face with the photo that adds a weak form of something you are.
Compare this with hospitals.
Lax on-site security: Hospitals are full of quiet corners and empty offices. Nurse workstations can be left logged in and unattended when the nurses have to rush to a patient emergency. A cybercriminal may find an opportunity to reach the hospital’s network through an unattended network wall jack or an unlocked workstation. The constant, 24-hour nature of a hospital makes some forms of physical security close to impossible; in one recent case, a malware researcher was able to enter a radiology department after hours and connect a malicious device without being challenged.
Chaotic online environment: Because healthcare is made up of interconnected providers, from GPs and specialists to insurers and large medical centers, there are many different systems all exchanging patient medical records in different ways. These systems and their interoperability requirements create an enormous attack surface in which attackers can exploit vulnerabilities and gain access to private patient data.
Authentication woes: Hospitals are complicated environments, often with thousands of staff, patients and visitors. They contain a wide variety of machines, which are often in use helping patients but without direct supervision. Some of these machines have no authentication at all; anyone who can reach them can change how they behave.
Comparing the two, it’s pretty clear that banks have a more organized and systematic approach to security than hospitals, but the question becomes – why?
One reason for this becomes clear when we consider what motivates a cybercriminal to try to breach an organization’s security in the first place.
When it comes to banks, it’s very obvious what criminals are after: money. Just as old-fashioned physical security in banks is primarily focused on preventing bank robberies, so too are bank cybersecurity solutions mainly concerned with preventing online heists. Stolen bank information could also be used for identity theft or blackmail, but those are less straightforward.
With hospitals, there’s no instant payday from stealing medical data. The most immediate path to cash is to sell the stolen data on the dark web or black market. The black market value of medical information is believed to be at an all-time high; one hacker told the MIT researchers that “a hospital record costs 20x more than [a] social security number”.
Criminals can use medical data, much like bank information, for identity theft, or for blackmail if a patient has a medical condition they do not want revealed. Releasing private information about very high-profile people could be used to manipulate markets or for political gain. Alternatively, the hospital itself could be the target of blackmail or ransomware. Most worryingly, an attack on a hospital could disable or hijack medical equipment and harm patients.
In all these cases, though, the financial reward is at least one step removed and the attacker must wait for it, leaving more time for law enforcement to catch up with them.
Importance of trust
Everyone understands what a bank robbery means, so bank customers, employees and management all immediately expect that a bank’s cybersecurity should match its physical security. For many people, the whole idea of a bank is as a place to keep money safe. Trust is their core business.
On a deeper level, this trust underlies the whole banking system. Banks do not hold enough cash to repay every depositor at once; nevertheless, we trust that the bank will pay out when we need it to. If that trust disappears, a bank run can bring down the whole system.
That deep level of trust also applies to hospitals and medical centers. As patients, we invest our trust in hospitals, allowing them to alter our bodies materially via drugs and surgery. We rarely understand how a particular diagnosis is made and why it requires a specific course of treatment. We have to put our trust in the doctors, nurses, tests and machines.
For both institutions, if there isn’t trust, you’d never walk through their front doors. For banks, this trust relationship boils down to a matter of security: “will my money be secure?” For hospitals, it’s a matter of safety: “will I or my loved one be safe here?”
Hospital security can no longer be ignored
In today’s world of advanced, networked devices, with the development of the Internet of Medical Things (IoMT), safety and security are no longer distinct concerns; they are one and the same. An insecure ventilator or infusion pump is a patient-safety hazard.
Hospitals are inherently more difficult to secure than banks. Machines will always need to be left unattended while doctors and nurses treat patients. There will always be multiple categories of connected devices, secluded corridors and thousands of unfamiliar faces.
Healthcare providers are quickly waking up to the need to protect their patients like banks protect their customers, keeping them both secure and safe. And it’s about time. How long can we really accept a situation where our hospitals, that protect our lives, are less secure than the banks that protect our money?
Safi Oranski, VP of Business Development and IoT Ambassador for CyberMDX