Cyber attacks in the health care industry – time to wake up
Why we need a new mindset about cyber security
The threat of cyber attacks is notably high in the health care industry. Why is this the case - and does the industry respond adequately? What are the necessary steps to protect the sensitive personal data that health care professionals are processing?
Health care industry under attack
Over the last five years we have seen an increasing attention from both cyber criminal groups and aggressive state actors towards the health care industry in particular. The most notable incident of course being the WannaCry ransomware attack which hit 80 hospitals in the UK. However, this was only one of a number of similar attacks in health care clusters, which started in the US and then spread to Europe. Since then we have seen even more sophisticated ones aimed at large scale data breaches. Given the sensitivity of the data that health care professionals are processing, and given the great importance of ensuring that hospitals can function properly, these incidents should be taken very seriously.
Black markets and cyber-wars
So why is health care one of the main targets for cyber crime? Cyber criminal groups are interested in acquiring sensitive personal data to trade them on the black markets of the underground economy, since this type of data can be used to commit fraud. They know that personal health information is even more sensitive and profitable than e.g. banking data, so they can sell it at an even higher price (see the Skyscraper case below). State actors are another important threat to cyber security. These nation-states are equipping themselves for aggressive cyber-wars as well as industrial espionage and theft of intellectual property. Cyber criminals and state actors are also targeting potential vulnerabilities in Internet of Medical Things devices.
One of the complicating factors for cyber security in the health care industry is that there is not yet sufficient awareness in this sector about cyber risks. Therefore, cyber attacks continue at a very high rate, even in countries such as Singapore, with relatively advanced cyber security capabilities. The Netherlands compare quite favourably to many other European countries, and certainly to countries in other parts of the world, but there is still a way to go. What we need is a new mindset, particularly at the top. Cyber security requires recognition of the extent of the problem and proper investment in e.g. IT legacy systems and is therefore first and foremost a leadership issue. Of course, leaders in the industry are facing many challenges and budget is certainly one of them, but cyber security might be the most pressing issue, especially with the increase of eHealth solutions that generate even more sensitive data.
Recently, Deloitte has been looking into a cyber criminal group called Skyscraper. This group was targeting sensitive personal data in the health care sector, especially health care trusts that were processing pediatric information. On the Dark Web, personal data relating to children is quite valuable, as it is hard to retrieve. This example indicates how alert cyber criminal groups are to opportunities and vulnerabilities in target industries – and it should really be a wake-up call to all of us.
Fortunately, there are signs that some of the large companies in the field of medical devices are seriously investing in cyber security standards. Also, the General Data Protection Regulation will most likely enhance progress in the long run, although it might take some time before we will see its actual impact. Hopefully a kind of globalisation force will soon start, which will even out standards and best practices across countries as well industries (e.g. banking and defence). The health care industry will certainly benefit from these standards. As Deloitte, we will also take our responsibility. Since we work across different geographies and sectors, we are able to identify standards and best practices and migrate them to other areas – next to the work we already do in the field of cyber security. After all, this is an opportunity for us to live up to our ambition to make an “impact that matters” in an area that impacts all of us – health care.