Cyber security a critical risk to health care
IMAGINE being able to adjust your enemy’s pacemaker or insulin pump remotely. Seem ridiculous? It’s not. Yvette du Toit, senior manager at Ernst & Young, warned delegates at the Healthcare Innovation Summit in Sandton of the many cyber-security threats faced by medical equipment and health-care organisations.
“(Former US vice-president) Dick Cheney’s doctor asked for the wireless function of his pacemaker to be disabled for fear it would be used in an assassination attempt,” she said.
Hacking neurostimulators planted in patients’ brains to treat diseases such as Parkinson’s and depression could be bypassed by hackers, changing their behaviour to cause conditions such as hypersexuality.
Du Toit spoke of a case where two patients hacked their insulin pumps to increase their dosage.
But she said it wasn’t only medical devices that were targeted.
As the health-care industry increasingly adopted technology, institutions were hacked and patient health records accessed.
Another speaker, Jakes Wolfaardt, a systems engineer at Fortinet, said gaining access to medical records was 10 times more valuable than to a credit card number.
Fortinet’s channel accounts manager Andre van Zyl explained another reason why having someone’s health records was valuable.
“If I know someone is sick and I know his health record, I can market all kinds of medicines to him and make a lot of money from it.”
Du Toit pointed out that data from the US showed that over the past two years, 89 percent of health-care organisations had suffered a security breach and were twice as likely to suffer a breach than other organisations.
On top of that, the average breach cost $2 million and took 46 days to resolve.
“That’s a pretty long time, especially if your devices or access to your data becomes unusable.”
The data breaches have cost the health-care industry in America nearly $6.2 billion in the past two years.
Methods used to gain access to data included ransomware, which encrypted the data on a device and demanded a payment to re-access it.
“The US is looking to put a law in place so these people can be (charged with) murder,” said Du Toit.
Data analytics and social media were increasingly being used by companies to develop and improve their services, monitor patients and to share information, news and trends.
Hackers were able to dis- rupt these various online platforms to get what they wanted.
As technology became more complex, the adversaries became more sophisticated.
“The rising level of sophistication in the attacking realm is increasing. We don’t necessarily know how to protect ourselves any more. The moment we figure it out, the adversaries change their tactic.”
Du Toit pointed out that law governing cyber security could not keep up with the rate at which technology was increasing and that although regulators such as the Food and Drug Administration (FDA) in America were paying attention to it, there was not enough regulation around cyber security in the health sector.
“Manufacturers and the FDA aren’t really looking at it, they leave health-care organisations to deal with it and they don’t necessarily have the skills to deal with it.”
On top of this, organisations needed to take a broader look at their cyber security and not just limit it to their IT departments.
“You need to invest in security awareness. Even doctors and nurses need to understand what the information means and how they need to behave around it,” she said.