Thursday, March 28, 2019

Lack of Healthcare Security Awareness


            For week #2’s blog post I decided to write about the state of cybersecurity awareness in the medical field. I chose this topic because I have personally seen a lack of security knowledge from a medical professional. In this instance, I was at the hospital while the nurse was checking my vitals. We were making small talk, and she asked what I did for a living. I told her I was a cybersecurity operator. She began to make comments about how worried she was about things like the Equifax hack that may personally affect her. We discussed how lucrative that information is to a hacker. I then asked her what she thought the most lucrative files were to a hacker. She mentioned her financial records. I pointed out to her that it was actually our health care files. According to the FBI, electronic health records can sell for $50 on the black market compared to just $1 for a stolen social security number or credit card (Ackerman, 2018). She then asked me: “Why would anyone want my healthcare records?”

            I find this to be a major problem. Someone who works in the healthcare industry should know what valuable information your medical record contains. While it is nominally just a record of our health or medical history, there is more to it than that. Looking at the image below, you can see what sections are in your file (Hicks, 2019).




            As you can see, this is a wealth of valuable information for an attacker. The first section holds the data that hackers are always trying to acquire, since they can use it to steal your identity and cause a lot of damage. However, the other sections can reveal even more sensitive details about you. Look at the medical history portion. The first thing listed is allergies. If you are a high-value target, think about what a malicious attacker could do with that. For example, I am highly allergic to bee venom. If someone wanted to harm me, they could make it look like a completely natural death. Admittedly, this is an extreme case, and I am not valuable enough for someone to use that against me. Likewise, if you have a pacemaker, it would be listed in this section. For example, doctors disabled former U.S. Vice President Dick Cheney’s pacemaker out of concern that someone could target him through the device (Ackerman, 2018).



Figure 2 (Ackerman, 2018)

            It has been proven that a pacemaker can be hacked. I mentioned this in a previous blog post a few years ago, yet it is still occurring. Two researchers have shown that they can remotely control implanted pacemakers by installing malware on the device itself, either delivering shocks that patients don’t need or withholding the ones they do need (Newman, 2018). They debated bringing a live pig on stage and killing it using an application on their iPhone; of course, they chose not to. There are several other medical devices that can be hacked with dangerous results: drug infusion pumps, MRI systems, heart rate monitors, and even entire hospital networks. A perfect example of the last one is the WannaCry attack. It locked health care providers out of their own systems, preventing them from accessing any patient information. It was estimated that 19,000 appointments were cancelled, including those of 139 people potentially with cancer, and ambulances had to be diverted (BBC News, 2017). Consider the allergies I discussed above: if you are allergic to latex and are rushed to a hospital whose records are locked, it would be dangerous to your health if the doctor used latex gloves. Thus, as you can see, security awareness in the health care industry should be taken seriously.

            The easiest fix is simply training that makes employees aware of exactly what they are protecting. There was no excuse for the nurse not knowing that my medical records were attractive to hackers. “The security level of a medical care facility is directly related to the extent to which employees participate in the security effort” (Ashraf, 2016). This made me skeptical of the security at my hospital when the nurse did not know that information. A similar principle applies to patching and updating systems, which could have prevented the impact that WannaCry created.

            Hospitals need to create security programs too. These should focus on exposing the hospital workforce to the threats that their patients and their patients’ records face. They should include cyber awareness training to counter things like phishing emails, which staff could otherwise open and infect their systems with malware like WannaCry. In fact, hospitals face the same threats that other companies face; they are simply a higher-value target. Nurses, doctors, and administrators need to understand this fact. I know I currently get annual training for cyber awareness, yet I am always aware of current threats. I personally believe that the medical field should have to go through training twice a year. They should also receive notifications about any breaches, just so they understand the importance and value of the information they protect. It has been found that employee training on cyber security reduces the risk of an attack by 25 percent (Fahey, 2016).


References



Ackerman, R. (2018, August 9). The healthcare industry is in a world of cybersecurity hurt. Retrieved from Tech Crunch: https://techcrunch.com/2018/08/09/the-healthcare-industry-is-in-a-world-of-cybersecurity-hurt/

Ashraf, A. (2016, September 27). Security Awareness for Healthcare Facilities. Retrieved from INFOSEC: https://resources.infosecinstitute.com/category/healthcare-information-security/security-awareness-for-healthcare-professionals/security-awareness-for-healthcare-facilities/

BBC News. (2017, October 27). NHS 'could have prevented' WannaCry ransomware attack. Retrieved from BBC News: https://www.bbc.com/news/technology-41753022

Fahey, R. (2016, September 8). Top Cyber Security Risks in Healthcare. Retrieved from INFOSEC: https://resources.infosecinstitute.com/category/healthcare-information-security/healthcare-cyber-threat-landscape/top-cyber-security-risks-in-healthcare/

Hicks, J. (2019, January 21). The Basic Components of a Complete Medical Record. Retrieved from Verywell Health: https://www.verywellhealth.com/importants-parts-of-a-medical-record-2317249

Newman, L. H. (2018, August 9). A New Pacemaker Hack Puts Malware Directly on the Device. Retrieved from Wired: https://www.wired.com/story/pacemaker-hack-malware-black-hat/



1 comment:

  1. I like that idea of having security awareness training twice a year! That might help. We have many users reporting phishing emails now due to the bulletins we send. I worry about the end-users I don't hear from - wonder what they are doing with potential phishing emails?
