Hospitals are increasingly at risk from cybercriminal gangs who seek to steal patient data and hold medical instruments to ransom, experts warn.
As cybercrime grows in sophistication, online gangs are going after a diverse range of industries, and healthcare institutions have become a prime target.
Medical records and patient data have emerged as a highly sought-after commodity for hackers in recent years, and internet-enabled medical instruments have raised the threat that hackers could seize control of vital equipment and hold it hostage for ransom.
Richard Staynings leads Cisco Systems' healthcare cybersecurity practice and has been in Australia this week meeting with executives from hospitals around the country, highlighting the dangers the industry faces from cybercrime and offering advice on how they can protect themselves and their patients.
"A vast majority of patients have no idea how vulnerable they are when it comes to the delivery of their health services," he told news.com.au.
Traditional targets of cybercrime such as banks and other financial institutions have been working to combat the threat for the past two decades, but other vital industries, such as healthcare, seldom have sufficient resources to fight cybercrime and are scrambling to catch up.
Healthcare is "probably one of the least secured industries across most nations," Mr Staynings said. But it's desperately trying to protect itself.
"I think there's been a convergence of clinical risk in hospitals and the cyber security risk such that there's a latent awakening among senior healthcare execs that they need to do something," he said.
According to a report released by the Ponemon Institute earlier this year, 90 per cent of healthcare organisations have suffered a data breach. Close to 45 per cent of all data breaches in the industry are due to criminal activity, including nation-state cyber espionage, ransomware, malicious insiders, and physical theft of patient information, clinical research and pharmaceutical formulations.
In January, the Royal Melbourne Hospital was hit by a computer virus that caused major slowdowns as staff were forced into much slower manual workarounds.
In October, the Red Cross admitted a data breach led to the leak of personal information from more than half a million blood donors across Australia.
Attacks such as these are happening frequently around the world. Less than four weeks ago a National Health Service trust in the UK was infected with malware, prompting the shutdown of major operations across several hospitals.
THE TREND OF INDUSTRIALISED HACKING
In 2014 hackers stole a record number of medical records from US healthcare facilities, prompting the MIT Technology Review to predict 2015 would be "the year of the hospital hack".
Medical records are in such abundance on the dark web that it has led to a price collapse in recent months.
"The price is down," James Scott, a senior fellow at the Institute for Critical Infrastructure Technology in the US told Healthcare IT News in October. "The volume of availability is exceeding demand."
For sale: Your medical history
The dark web is awash with data stolen from the healthcare industry and it has coincided with a roughly five-year trend in cybercrime referred to as industrialised hacking, Mr Staynings said.
"It used to be that hackers would infiltrate an organisation and steal what they could and sell that on the dark net. What's happening now is the bad guys are getting much much smarter. They're organised in terms of different avenues of exploitation," he said.
"If I were to break into an Australian hospital and steal the patient records of 50,000 people, for example, on the dark net I would then break that information up into different components and then sell it for the maximum amount of money that I could."
Each component has its own buyer. Identity details from patient records could be sold to identity theft gangs who use them to commit fraud, such as running up charges on victims' credit cards; insurance details could be sold to insurance fraud gangs; and prescription information could be sold to people who fill the prescriptions and sell the controlled substances on the street.
"These increasingly rich medical records have an awful lot of information about us, are electronic and therefore are relatively easy to steal unless we've got very proactive security controls in place," Mr Staynings said.
Sometimes such hacks can even go unnoticed by the hospital.
"If you were to steal money from a bank, that's immediately apparent in a balance sheet that the money is missing. If you steal someone's medical record, that medical record is valid for the life of the patient. I can use or cash in that information or leverage that at any time of my choosing."
However, unlike the US, which has had electronic medical records for years, many hospitals in Australia have yet to fully convert their paper records into digital records, meaning they are not yet as exposed as they soon will be.
"But I would say Australia is several years behind the US in terms of putting in place the cyber defences that US hospitals have had to do over the last few years," Mr Staynings said. "There's a catch up going on in Australia."
'GIVE ME 500 BITCOINS OR I START EXECUTING PATIENTS'
Use of medical devices in Australian hospitals is growing by about 20 per cent per annum. Many of them are connected to the internet, and a lot of them are managed by external private companies, which means there is a VPN link from the hospital network out to that provider, and therefore a path into the hospital's network that the hospital itself does not fully control.
"There's a concern those medical devices could be hacked and used to attack patients or used in the next level of ransomware attacks," Mr Staynings said.
Machines such as blood oxygen meters, morphine pumps, CAT scanners and other telemetry instruments could be used as attack vectors. Hackers could take control of them and effectively say "give me 500 Bitcoins or I start executing patients," he warned.
It's a chilling scenario but sadly not an entirely unrealistic one.
Just last month US company Johnson & Johnson said it had notified 114,000 diabetic patients that a vulnerability in one of its insulin pumps could be exploited by a hacker to deliver an overdose.
Attacks of this nature have become a "big concern" in the industry.
QUESTION OF FUNDING
Unlike big banks, hospitals rarely have the budget to fight cybercrime, and so preventive measures are easily neglected.
The perception is that every dollar spent on security is a dollar not spent on patient care, Mr Staynings said. But he sees the two as one and the same, and says others are beginning to as well.
"There's a direct correlation between patient care and IT service availability, right the way up to patient mortality."
Although Malcolm Turnbull announced the country's new cyber security strategy earlier in the year, including 33 cyber security initiatives worth $231.1 million, Mr Staynings thinks healthcare providers themselves need to view cybersecurity as a core competency.
During his time in Australia his message has been met with a range of responses from hospital and healthcare executives. While they often agree fully about the level of risk hospitals face, they are divided on what they can actually do about it.
"There's been a realisation that yes this is something we need to deal with but I've got too many other things on my plate, or too many other priorities I need to deal with right now so let's think about this one next fiscal year," he said.
"It makes it difficult for them to manoeuvre because they don't have much room."