Cybersecurity for health devices is now predicted to be a $1.2billion annual market by 2025 amid increasing data breaches. We investigate the increasing number of cybersecurity players who are targeting the health tech space and changing the way we protect healthcare data
Russian gang hacking the Irish Health Service Executive, probably did not feature highly in many people’s pandemic bingo.
The May 2021 ransomware attacks by The Wizard Spider group, which brought down the HSE’s computer systems, were the largest ever known attack on a health service computer system.
But it was far from the only one, and won’t be the last,” says Paul Dwyer, the Dublin-based Chief Executive of Cyber Risk International. And health devices are increasingly coming into hackers’ crosshairs.
Paul Dwyer
The health hackathon
“Data the health sector holds is some of the most valuable data to criminal enterprises,” says Dwyer, as it is useful for frauds and scams and sometimes a treasure trove of embarrassing details.
The Wizard Spider group, operatingfrom St Petersburg, is one of a number of murky organisations who undertake hacking tasks. These can have unintended consequences.
In Singapore in 2018, an attempt by a state-sponsored hacking group to get prime minister Lee Hsien Loong’s health records saw the online records of 1.5million other Singaporeans stolen too.
The Whitefly espionage group’s raid on SingHealth, the country’s largest group of health providers, was one of several it has launched against the island nation.
And it all began with a phishing attack sending an executable ‘.exe’ file to people within the organisation.
After all, health organisations can be especially easy targets. Busy clinicians can be loath to change their habits to upgrade their security hygiene.
“You just have to walk around any hospital in Ireland and you’ll see passwords written on post-it notes on walls,” Dwyer says. And documents on the HSE website “have outlines of legacy systems, descriptions of challenges from an IT perspective,” he adds.
“If I was a cyber criminal, I’d say, hmm, you’re an easy target.”
Part of this, he says, is because health professionals think “we’re in the keeping people alive business,” and aren’t necessarily inclined to see their providers as becoming technological organisations, which are what health organisations are now.
Case of the hacker who ransomware
If you haven’t heard so very much about the HSE attack since last year, this is partly because it falls into an uneasy grey area involving criminal organisations.
There’s no Geneva Convention for cyber, Dwyer observes.
When President Joseph Biden met Russian President Vladimir Putini n June 2021, the newly-elected US President’s first agenda item was to set aside certain cyber attacks, including ones against critical national infrastructure, as “off limits”.
One problem is that instead of a “cyber Pearl Harbour” event which is likely to propel state-linked cyber attacks into the public consciousness, the reality is “people are getting desensitised,” says Dwyer.
No one’s measuring how many people have missed operations or perished after cyberattacks, meaning both the public and politicians underestimate the problem.
And just like in the 2018 attack on Singapore, hacking targets have a way of affecting other unintended victims, too. Like if you just happened to be a Singaporean using a provider in the SingHealth network.
Or the 2017 NotPetya attack, which saw hackers target a Ukrainian medical software provider which works in transcribing notes from voice dictation. “The target was Ukraine, but it took down all of Maersk Shipping,” Dwyer notes.
Health organisations like Ireland’s HSE and the UK’s NHS have critical funding challenges.
“How do you make the tradeoff between upgrading the cybersecurity infrastructure, and bringing in a new MRI machine?” asks Oliver Brew, cyber practice lead at the London reinsurance firm Lockton Re.
If those aren’t quite enough problems yet, another is that there are six million unfilled cybersecurity vacancies around the world.
At the high end, roles like a bank’s chief information security officer “pay over a million a year, and it often takes a couple of years to identify someone qualified,” Dwyer says.
The International Cyber Threat Task Force (ICTTF), a non-profit which Dwyer is also president, offers cyber training free of charge to groups including women, charity workers, and Ireland’s Garda Síochána.
I hacked the regulator … but I did not hack the deputy
Devices in particular, for a long time, have been a cybersecurity weak link, says Brew.
“If you can get insulin readings without coming to hospitals, if you can have pacemakers updated remotely, you can have huge benefits in outcomes for patients, and huge savings in healthcare delivery,” he says.
Maybe 10 or 15 years ago, there was a rush to market for game-changing devices where cybersecurity considerations were frankly quite low down the list, he adds. This is changing.
There are six million unfilled cybersecurity vacancies around the world… and, at the high end roles, it often takes a couple of years to identify someone qualified.
In 2022, the US FDA circulated a set of guidelines which expected medical devices to include “security by design”, and an expectation that medical devices would meet security objectives which it described as authenticity, integrity, authorisation, availability, confidentiality, and secure and timely updatability and patchability.
For all this, Brew observes, the “end user on a laptop”, like the SingHealth employee who opened the executable file, remains the most important security actor.
“Educating healthcare staff about the risks of phishing, and opening email attachments, and using multi factor authentication” could be worth all the other cybersecurity efforts put together.
And putting “air blocks in the way”, so when someone in shipping does click on a file, a thousand kilometres away, Maesk’s shipping systems don’t all simultaneously start asking for a ransom.
