76% of devices in healthcare facilities in PH infected by malicious code

YANGON, Myanmar – The rapid advancement of technology is transforming the healthcare industry tremendously. From the use of artificial intelligence in medical diagnostics to 5G-powered remote surgeries, the hospitals of today boast a level of interconnectivity that in previous years only seemed possible in science fiction movies.

These innovations, however, have given cybercriminals opportunities to target the industry and exploit its vulnerabilities for their own gain.

“We’re definitely entering the era of the ultra-connected medicine. And I have to say that, while we welcome these advancements, we cannot deny that these will open wider doors for cybercriminals,” said Yury Namestnikov, head of global research and analysis team for global cybersecurity research firm Kaspersky.

In 2017, the so-called WannaCry ransomware locked down over 200,000 computers in various countries around the world, rendering them unusable. Some of the computers hit by the attack belonged to hospitals across the UK, leading to the cancellation of more than 19,000 doctor’s appointments. Last year, SingHealth, Singapore’s largest healthcare network, was the victim of a data breach that compromised the personal data of 1.5 million of its members, including the country’s Prime Minister Lee Hsien Loong.

State of infection

The overall number of medical devices attacked worldwide in 2019 has declined by at least a third compared with previous years, according to Kaspersky.

This decline is not observed everywhere, however: the Philippines is said to have had the highest number of infected medical devices in Southeast Asia this year and the second highest among countries in the world, behind Venezuela.

At the firm’s annual Cyber Security Weekend gathering in Yangon, Myanmar, Namestnikov said 76% of devices in healthcare facilities in the Philippines were infected by malicious code. More than 7 in 10 medical devices, he said, had some sort of cybersecurity problem. These devices include servers, computers, tablets, gadgets, and hospital machines connected to the internet.

He explained these aren’t necessarily intentional or orchestrated attacks from cybercriminals – most of the infections they found are likely the result of people using USB drives that they might not have known contained viruses – but they are still believed to be capable of doing damage.

For instance, infections can cause machines to malfunction, which can lead to a potential medical misdiagnosis, a shutdown of facilities, or the death of patients. Infections can also spread to other devices and make them vulnerable to other attacks in the future.

Projections point to health organizations incurring economic losses of around $23.3 million from cybersecurity incidents.

Bangladesh and Thailand were two other Asia Pacific countries that were in the top 15 countries with the most detected infections, logging 58% and 44% respectively.

Kaspersky’s findings appear to confirm a suspicion that the threat is creeping towards the region – a threat which shares something in common with nuclear fallout, according to Vitaly Kamluk, director of Kaspersky’s global research and analysis team for Asia Pacific.

“A naked eye cannot see how the radiation from the decades-long incident has been affecting human health until present times. Likewise, the healthcare sector has yet to clearly diagnose the plague that has been causing damage to the industry and potentially affecting human health,” explained Kamluk.

The question is: Why are cyber criminals targeting the healthcare industry?

Data-driven industry

Without question, data, in whatever shape or form it takes, has in recent years become one of the most valuable and sought-after commodities in the world. This includes medical data, which Kaspersky security researcher Seongsu Park said is even more valuable than a person’s credit card.

When a person loses his credit card, he can always have it deactivated and sign up for a new one. It’s not that simple with medical data because records, test results, medication, and other important patient information cannot be easily changed. Losing them could mean patients have to take some tests again to get medicated, for example. And for some patients, the information in their medical data could mean life or death.

What’s even more problematic is that medical data is not just limited to medical records, but can also include patients’ personal and financial credentials, as hospitals generally ask for this information before check-up or admission. That means cybercriminals are getting a “package deal” when they steal patients’ data. Pharmaceutical companies are similarly being targeted for their intellectual property and top secret research projects.

Park said that there’s a steady demand for medical data on the dark web, creating a marketplace of criminals who either buy or sell this information. The dark web is an untraceable part of the internet that is only accessible via special software.

The seller’s motive is to profit off of the data while the buyers look to use it to conduct other illegal activities such as call scams, blackmail, and identity and monetary theft, to name a few. It’s not entirely clear how much medical data sells for as it could vary depending on who’s buying or selling.

When it comes to the profile of the buyers, meanwhile, Park said the anonymous nature of the dark web opens the possibility that it could be anyone from a lone hacker, to an enterprise, or perhaps even a nation-backed cyberespionage group.

“It is quite alarming that we are increasingly coming across such active advertisements, which can either mean this illegal practice has turned into a normal type of business or the demand for such attacks is becoming increasingly high,” said Park.

Easy target

Despite various high-profile cybersecurity incidents in healthcare grabbing headlines in the past few years, Kaspersky believes the industry is still not equipped enough to deal with incoming threats, making it an easy target for capable hackers.

“In as much as we want to believe that everybody was awakened by the damage brought about by the WannaCry attack, the reality is that some countries are still lagging behind in securing their medical devices,” Namestnikov said.

For one, cybersecurity is currently not a priority in the healthcare industry, which stems from a host of reasons including employees having a low level of cybersecurity awareness and lack of funding to hire people with the know-how to handle these types of problems.

What’s more, computer systems and networks in hospitals and other healthcare organizations are not as protected as those in the financial sector, which need to meet regulatory requirements to operate. Currently, there are no cybersecurity regulations for medical devices, allowing them to be freely used without going through any form of security assessment.

There are also a lot of loopholes in these devices, with most running outdated software. Namestnikov noted that outdated versions of Microsoft Office account for 59% of all exploit attacks they found this year. Operating systems like Windows and Android which have stopped receiving security patches are likely to be exploited too.

A number of healthcare devices like insulin pumps, defibrillators, scales, and oxygen pumps are connected to the Internet of Things (IoT), allowing them to send real-time information online. This creates more entry points for cybercriminals and widens their attack surface.

Healthcare’s defense

When it comes to defending against these threats, Kaspersky managing director for Asia Pacific Stephan Neumeier emphasized that prevention is always better than a cure.

Of course, it should start with healthcare companies and organizations acknowledging that threats exist and that they should be taken seriously. Human lives can be at risk so it’s important for them to address these problems professionally.

Kaspersky suggests conducting security awareness training and seminars for employees of hospitals, clinics, and other healthcare facilities to educate them about what to do and what not to do to prevent cybersecurity incidents. There are basic rules that can easily be followed to decrease the risk of attacks such as keeping all software up to date and instituting a strong password policy for all devices connected to the web.

They also have to identify the important data they are storing and come up with a plan to best protect it. Healthcare facilities must consider hiring a dedicated cybersecurity team to beef up the systems against attacks and conduct periodic security assessments, which involve reviewing who has access to the data and checking the safety of devices and networks. For added security, Kaspersky also recommends investing in services with threat data feeds and threat intelligence reports to monitor potential cyberattacks before they even happen.

Meanwhile, the manufacturers of medical machines should look into building secure-by-design hardware that is ready for future vulnerabilities. They may also need an incident response team in case of cyberattacks, who can work with affected healthcare facilities and the authorities in handling the situation.

At the event, the speakers agreed government regulation for the healthcare sector with regard to cybersecurity is a must to address the escalating threats they were seeing. Similar to the financial sector, having a set of laws that dictate what medical devices need to fulfill in order to operate can help lessen the number of infections and increase overall security in the sector.

Kaspersky hopes healthcare facilities across the globe can take its advice and work towards protecting themselves from these threats.

“Helen Keller once said that the only thing worse than being blind is having sight but no vision. In cyberspace, most of us are deaf-blind, because of the invisible nature of the threats,” said Kamluk. “But the question is are we working hard enough to be able to envision how those threats can affect our health and our lives?” – Rappler.com