Protecting ePHI medical information
The global healthcare industry has gone through turbulence over the past few years. The COVID pandemic has not only affected administrative aspects such as the exhaustion of medical teams but has also exposed the cyber security weaknesses of health services.
Oftentimes, health organizations, especially public ones, lack the resources or the awareness to maintain their cyber security, which makes organizations in the global health industry an easy and popular target for hackers. A 2021 study by the cyber security company Protenus paints a rather alarming picture – a 44% increase in cyber attacks on organizations in the health industry, and more than 50 million medical records exposed in the United States alone.
The most significant challenge for organizations in the healthcare industry is safeguarding electronic protected health information (ePHI), which is considered sensitive and private information.
The Health Insurance Portability and Accountability Act, or HIPAA for short, is United States legislation that aims to establish a unified standard for the management and storage of patients' medical information, in order to prevent data leakage to unauthorized parties.
The legislation recognizes the use of new technologies to improve the service given to patients, and it seeks to regulate patient privacy among organizations that use these technological systems.
The individual’s right to privacy is at the core of this standard.
The regulation itself is relatively flexible and allows each organization to determine the compliance process according to the technological infrastructure, organization size, unique risks, and other considerations that are taken into account by cyber security providers.
Ransomware attacks on the healthcare industry
Ransomware attacks have become one of the most common cyber threats for all sectors, but the situation in the health sector is quite bleak – 66% of all organizations that participated in Sophos’ annual survey for 2022 announced that they were affected by ransomware during the year. The healthcare sector is also the industry whose percentage of payment to criminals is the highest – 61% of all healthcare organizations affected by ransom attacks paid the demands of the criminals.
A ransomware attack begins with the installation of malicious software. This malware is designed to lock our data and hold it “captive” until the hacker's demands are met. The malware can encrypt the information or lock our device, thus preventing us from accessing it.
After the demands are met, usually in the form of a cryptocurrency payment, the victim has only the attacker's promise to rely on.
Types of ransomware:
- Encryption – This type of malware locates files that seem important to the user – texts, documents, images, PDFs and more – and encrypts them, thus preventing access to the information. When the victim is an individual, the ransom usually amounts to several hundred dollars, and the demand requires payment within 72 hours; otherwise the data is permanently deleted.
- Lock – The user is locked out of the device, and the ransom message appears on the screen.
- Scareware – This malware mimics software that scans for security issues, such as an antivirus, and alerts us to critical findings. The error messages reporting these supposed faults mimic legitimate antivirus software and create a sense of a reliable source by providing IP address and geographic location information, or by using the names of reputable and trusted companies. Afterwards, access is denied until the victim allows the malware to “repair” these issues, for an additional fee.
- Doxware – Ransomware that threatens to leak the victim's data to sites on the Dark Web. The attacker might sell this information or leak it to such sites for free.
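The encryption type above is the one a file-system monitor can spot on the defender's side: ciphertext has a much flatter byte distribution than documents, and a "canary" file that nothing legitimate should ever rewrite gives a second, cheaper signal. The script below is an added example written for this article (not code from the original page or from any product it mentions); it builds a constructed sample directory in a temp folder, with deterministic pseudo-random bytes standing in for ciphertext, and flags files by Shannon entropy plus a canary check. The threshold, the minimum file size and the canary name are assumptions to be tuned per environment.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Heuristic settings (assumed values, tune per environment): encrypted or random data
# approaches 8 bits of entropy per byte; ordinary documents sit well below that.
ENTROPY_THRESHOLD = 7.5
MIN_FILE_SIZE = 256                     # tiny files give noisy entropy estimates
CANARY_NAME = "_canary_do_not_touch.txt"
CANARY_CONTENT = b"canary: any change to this file means something rewrote user data\n"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_directory(root: str) -> dict:
    """Walk a tree and report files that look encrypted plus whether the canary was modified.

    High entropy is only a signal: compressed formats (zip, jpeg, many PDFs) also score high,
    so a real monitor would combine this with extension changes, write rate and the canary.
    """
    findings = {"high_entropy": [], "canary_tampered": False}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        if path.name == CANARY_NAME:
            findings["canary_tampered"] = data != CANARY_CONTENT
            continue
        if len(data) >= MIN_FILE_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(path.name)
    return findings


def build_sample_tree() -> str:
    """Constructed sample data in a temp dir: one readable note, one blob that resembles
    ciphertext (deterministic pseudo-random bytes, not real encrypted output), and a canary."""
    root = Path(tempfile.mkdtemp(prefix="ephi_demo_"))
    (root / "patient_notes.txt").write_bytes(b"Patient record: BP 120/80, temp 36.8C\n" * 50)
    rng = random.Random(1234)
    (root / "scan_results.pdf.locked").write_bytes(bytes(rng.randrange(256) for _ in range(4096)))
    (root / CANARY_NAME).write_bytes(CANARY_CONTENT)
    return str(root)


if __name__ == "__main__":
    print(scan_directory(build_sample_tree()))
```

Running it reports `scan_results.pdf.locked` as high-entropy and the canary as intact; in a real deployment the scan would run periodically over file shares holding ePHI, and a tampered canary or a sudden burst of high-entropy files is the cue to isolate the host and start the incident response plan rather than to wait for the ransom note.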
Vulnerabilities in cloud infrastructure containing ePHI
In recent years, many healthcare organizations have adopted cloud services as part of a broad digitization process taking place all over the world, in particular due to the COVID pandemic, which increased demand for remote healthcare services. Protected health information (PHI) and other sensitive data are stored in multi-vendor cloud environments.
Healthcare organizations often use multiple providers and cloud services with different security standards and practices, making it difficult for them to implement consistent data protection policies in the cloud environment, according to Anthony James, a senior executive at platform company Infoblox.
Common ways cloud infrastructure is compromised:
- Stealing credentials for cloud accounts through phishing, XSS attacks, systematic password guessing, and more.
- Insecure APIs – these provide an entry point for hackers, who exploit the weakness to carry out DDoS attacks.
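Systematic password guessing against cloud accounts leaves a pattern in the authentication log that is easy to catch: many failures from one source in a short window, either all against one account (brute force) or spread across many accounts (password spraying). The detector below is an added example for this article, not code from the page or from any cloud provider; the log format, the thresholds and the sample lines (which use the reserved documentation address ranges) are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample authentication log (not from any real system). Source addresses use
# the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z auth_failure user=jdoe src=203.0.113.5
2024-03-01T08:00:03Z auth_failure user=jdoe src=203.0.113.5
2024-03-01T08:00:05Z auth_failure user=jdoe src=203.0.113.5
2024-03-01T08:00:07Z auth_failure user=jdoe src=203.0.113.5
2024-03-01T08:00:09Z auth_failure user=jdoe src=203.0.113.5
2024-03-01T08:00:11Z auth_failure user=jdoe src=203.0.113.5
2024-03-01T08:01:00Z auth_failure user=asmith src=192.0.2.9
2024-03-01T08:01:20Z auth_success user=asmith src=192.0.2.9
2024-03-01T08:05:00Z auth_failure user=asmith src=198.51.100.7
2024-03-01T08:05:06Z auth_failure user=bchen src=198.51.100.7
2024-03-01T08:05:12Z auth_failure user=clee src=198.51.100.7
2024-03-01T08:05:18Z auth_failure user=dkim src=198.51.100.7
2024-03-01T08:05:24Z auth_failure user=epark src=198.51.100.7
2024-03-01T08:05:30Z auth_failure user=jdoe src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>auth_failure|auth_success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else (malformed lines are skipped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]}


def detect_guessing(lines, threshold=5, window_seconds=60, spray_users=3):
    """Sliding-window count of failed logins per source address.

    An alert fires the first time a source reaches `threshold` failures within `window_seconds`.
    If those failures span at least `spray_users` distinct accounts the pattern is classified as
    password spraying (a few guesses against many users) rather than brute force on one user.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) for failures in the window
    alerted = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["event"] != "auth_failure":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["user"]))
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                # drop failures older than the window
        if len(q) >= threshold and ev["src"] not in alerted:
            users = sorted({u for _, u in q})
            alerts.append({
                "src": ev["src"],
                "kind": "password_spray" if len(users) >= spray_users else "brute_force",
                "count": len(q),
                "users": users,
                "at": ev["ts"].isoformat(),
            })
            alerted.add(ev["src"])
    return alerts


def run_sample():
    return detect_guessing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log the detector raises one brute-force alert for 203.0.113.5 and one password-spray alert for 198.51.100.7, while the user who mistyped twice and then succeeded produces nothing. The same logic maps directly onto cloud provider sign-in logs; the point of the spray classification is that a per-account lockout policy never triggers on it, so the per-source view is needed as well.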
Attacks on application assets
The OWASP project is an online community that provides information, technologies, methodologies, and tools in the field of web application security. Perhaps the best-known document of the community is the OWASP Top 10, which details the most critical security risks to web applications.
SQL Injection – This common web application security vulnerability allows an attacker to interfere with the queries that an application makes to its database.
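To make the "interfere with the queries" point concrete, here is an added example (written for this article, not taken from the page or from OWASP) that runs the same patient lookup twice against a constructed in-memory SQLite table: once with the input pasted into the SQL text, and once with a bound parameter. The medical record number format and all rows are assumptions for the demo.

```python
import re
import sqlite3

MRN_PATTERN = re.compile(r"^MRN-\d{4}$")   # assumed identifier format for this demo


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an ePHI store; all rows are sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, mrn TEXT, name TEXT, diagnosis TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (mrn, name, diagnosis) VALUES (?, ?, ?)",
        [
            ("MRN-0001", "Alice Example", "sample diagnosis A"),
            ("MRN-0002", "Bob Example", "sample diagnosis B"),
            ("MRN-0003", "Carol Example", "sample diagnosis C"),
        ],
    )
    return conn


def lookup_vulnerable(conn, mrn: str):
    """VULNERABLE: the caller's string is pasted into the SQL text, so it can change the query logic."""
    query = f"SELECT mrn, name FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, mrn: str):
    """SAFE: the value is bound as a parameter; the query shape cannot be altered by input."""
    return conn.execute("SELECT mrn, name FROM patients WHERE mrn = ?", (mrn,)).fetchall()


def is_valid_mrn(value: str) -> bool:
    """Defence in depth: reject anything not shaped like an identifier before it reaches SQL."""
    return bool(MRN_PATTERN.match(value))


def demo() -> dict:
    conn = setup_db()
    honest = "MRN-0002"
    hostile = "' OR '1'='1"   # textbook tautology, used only to show the difference in behaviour
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_honest": lookup_parameterized(conn, honest),
        "safe_hostile": lookup_parameterized(conn, hostile),
        "hostile_passes_validation": is_valid_mrn(hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable lookup returns every patient row for the hostile input because the `WHERE` clause became a tautology; the parameterized lookup returns nothing, because the whole string is compared as a literal value. Input validation (`is_valid_mrn`) is a useful second layer, but parameterized queries are the fix, since they hold regardless of what the validator missed.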
DDoS – An attempt to make an Internet service, such as a website, unavailable to its users, usually by temporarily disrupting the server on which the site is hosted. There are many types of DDoS, but the essence is flooding the site and its server with malicious traffic that causes it to shut down due to overload, often using many devices that were previously hacked and exploited without the knowledge of their owners.
MITM – Occurs when an attacker inserts themselves between the user and the service provider, either as a bystander listening in or by impersonating one of the parties. The purpose of the attack is to steal personal information – credit card details, passwords, and account information – and it most often occurs in communications between users and financial companies, SaaS providers, online stores, and sites that require logging in to an account.
Phishing in the healthcare industry
Phishing is an attempt to steal sensitive information through impersonation over the Internet. It is a method of deception aimed at making the user perform an action that endangers their computer, either by installing malware or by giving up sensitive information.
- Phishing email – Emails that appear to come from a reliable source, such as professional organizations, institutions and service providers (commonly Facebook, eBay, etc.), but were actually sent by a malicious hacker.
- Whaling – A subcategory of targeted phishing that focuses on senior executives.
- Vishing – Using social engineering tactics over the phone, by pretending to be an authorized person such as a bank teller, a technical maintenance person or a credit card company representative.
To protect organizations against phishing, use multi-factor authentication for accounts, which includes not only a second verification step via an additional device but also the consideration of additional data such as location and user behavior. In addition, you can use email filtering systems, as well as phishing tests for organizations performed by an information security company, which are found to be the most effective way of increasing awareness.
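Email filtering, mentioned above as a control, mostly comes down to a set of cheap header and body checks. The following is an added example written for this article (not the page's own code and not any vendor's filter): it parses two constructed messages with the standard library and flags a Reply-To that points elsewhere, the organization's brand name in a display name backed by a foreign domain, links to domains outside an allow-list, and anchor text showing one URL while the href leads to another. The organization's domain, brand name and both messages are assumptions; `.test` is a reserved TLD, so none of the addresses are real.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed organisation details for the demo: the legitimate mail domain and the brand name
# an attacker would try to borrow in a display name.
TRUSTED_DOMAINS = {"example-health.test"}
BRAND = "Example Health"

# Constructed sample messages (no real senders or links; .test is a reserved TLD).
SUSPICIOUS_MESSAGE = """\
From: "Example Health Portal" <alerts@examp1e-health.test>
Reply-To: collect@mailbox.example.net
To: staff@example-health.test
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body><p>Your access will be suspended. Sign in at
<a href="http://examp1e-health.test/login">https://portal.example-health.test/login</a>
within 24 hours.</p></body></html>
"""

CLEAN_MESSAGE = """\
From: "Example Health Portal" <alerts@example-health.test>
To: staff@example-health.test
Subject: Maintenance window
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://portal.example-health.test/status">the status page</a>.</p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host name; a production filter would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze_message(raw: str, trusted_domains=TRUSTED_DOMAINS, brand=BRAND) -> list:
    """Return a list of finding codes; an empty list means no heuristic fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]
    sender_domain = registrable(sender.domain)

    # 1. Replies routed somewhere other than the apparent sender's domain
    if msg["Reply-To"] is not None:
        reply_domain = registrable(msg["Reply-To"].addresses[0].domain)
        if reply_domain != sender_domain:
            findings.append(f"reply_to_mismatch:{reply_domain}")

    # 2. Our brand in the display name, but the address is not one of ours
    if brand.lower() in sender.display_name.lower() and sender_domain not in trusted_domains:
        findings.append(f"brand_spoof:{sender_domain}")

    # 3. Links: destination outside trusted domains, or visible URL text that disagrees with href
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            if registrable(href_host) not in trusted_domains:
                findings.append(f"untrusted_link:{href_host}")
            if text.startswith(("http://", "https://")):
                text_host = urlparse(text).hostname or ""
                if registrable(text_host) != registrable(href_host):
                    findings.append(f"link_text_mismatch:{href_host}")
    return findings


if __name__ == "__main__":
    print(analyze_message(SUSPICIOUS_MESSAGE))
    print(analyze_message(CLEAN_MESSAGE))
```

The suspicious message trips all four heuristics; the clean one trips none. Each check on its own has false positives (marketing mail routinely uses a separate Reply-To, for instance), which is why such filters score and quarantine rather than block outright, and why the article's other controls, multi-factor authentication and user awareness testing, remain necessary for the messages that get through.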
Medical Internet of Things / Healthcare IoT
The Internet of Things in the healthcare field refers to medical devices and applications connected to IT systems – sensors communicating via mobile devices, Wi-Fi, Bluetooth and even external networks such as cloud connectivity for data storage and analysis. Examples include smart infusion pumps, smart insulin pens, and continuous glucose monitors.
ForeScout research demonstrates exploitable IoT vulnerabilities, such as erasing or altering patient medical test results, and cutting off access to devices such as patient monitors.
Medical device manufacturers that ignore information security principles in the design phase, or fail to address such problems after the product is released, are a great concern to medical device customers. The implication of these risks is unauthorized access by third parties to critical healthcare systems.