Many different industries have a need for strong cybersecurity, but few have as strong a need as the healthcare industry. While a data breach or a ransomware attack can have a significant impact on any business, the effects on a healthcare provider are much greater. The data contained in a patient’s medical records typically spans the full range of sensitive information, and a ransomware outbreak on critical systems could render the organization incapable of providing potentially life-saving medical care to its patients.
As a result, healthcare organizations need strong cybersecurity in all areas, but especially application security. With the push toward Electronic Medical Records (EMRs) and the growing reliance of the average consumer on the Internet in every aspect of their lives, healthcare providers are increasingly allowing patients to access their medical records from the Internet. A failure to properly secure these online medical records systems can be the cause of a devastating data breach for a healthcare provider.
Introduction to Web Application Security
Web applications are the components of an organization’s website that provide interactivity to the user. They are designed to allow a user to easily access their account and manage their relationship with the organization. In the case of the healthcare industry, this includes the ability to look up medical information and current prescriptions, and to communicate directly with the healthcare provider.
Web applications can be a significant asset for any organization, but they also represent a large potential hole in the organization’s cybersecurity defenses. Since the organization’s customers need to be able to access their accounts online, the web application must be exposed to the Internet. In order to be effective and useful, the same system needs to be able to access sensitive information that it can provide to authorized users.
This direct connection between the user and an organization’s internal databases of extremely sensitive data makes web applications a common target of attack by hackers. A variety of well-known vulnerabilities in these applications exist, as listed in the OWASP Top Ten list of web application vulnerabilities, but hackers are also constantly working to develop new exploits. As a result, organizations with sensitive data exposed on web apps, like healthcare providers, need to deploy the best available defenses to protect their web applications. This should include a web application firewall (WAF) capable of detecting not only well-known web application threats (like the ones on the OWASP list) but also the latest attacks being developed and deployed by hackers.
The Healthcare Security Landscape
With the amount of sensitive information stored on healthcare systems, it would seem logical that hospitals and other organizations in the healthcare industry would have solid cybersecurity. Healthcare organizations are certainly the ones most targeted by hackers, and these organizations are twice as likely to be targeted by hackers as those in other industries. The value and sensitivity of the data held by healthcare organizations, and the requirements for protecting it laid out in laws like HIPAA and GDPR, should mean that healthcare organizations have the most effective protections available. Unfortunately, this is not the case. In fact, healthcare organizations accounted for 60% of data breaches in 2017.
Once a hacker has compromised a healthcare system, they often remain undetected for weeks at a time. As a result, hackers are able to steal a vast amount of sensitive patient data, which is then leaked or sold on the black market. This data could then be used for extremely targeted spear phishing attacks (who but your doctor would know the details of that last medical checkup?) or to commit identity theft (healthcare providers typically have access to a patient’s identifying information, including payment details).
In healthcare, the threat of cyberattack isn’t limited to leaks of a patient’s sensitive medical data. As the Internet of Things grows, medical devices are increasingly being connected to the Internet. As a result, these devices, if not properly secured, are also vulnerable to cyberattack.
The implications of this are significant. Proof-of-concept exploits have been demonstrated that show that a hacker could take over a patient’s pacemaker, insulin pump, or vital signs monitor. With this capability, a hacker could go beyond the traditional ransom demand to end a Distributed Denial of Service (DDoS) or ransomware attack and actually threaten death or bodily harm if a target doesn’t pay the ransom demand. If an organization or individual is willing to pay a ransom to regain access to their data, they’ll certainly pay if it is a question of life or death.
The move toward Internet connectivity in the healthcare sector has both its pros and its cons. On the positive side, the increased accessibility of medical information and of devices connected to the Internet allows patients to be much more engaged in managing their own health and medical information. Connecting medical monitoring devices to the Internet also allows a doctor to be immediately notified if something occurs that requires their attention.
On the downside, connecting devices and databases to the Internet can make them vulnerable to attack if they are not properly secured. Medical records contain a wealth of sensitive information about a patient, and the ability to hack into medical monitoring devices has chilling implications. The poor current state of cybersecurity in the healthcare industry demonstrates that there exists significant room for improvement. Deployment of cybersecurity defenses like web application firewalls (WAFs) to protect online medical records and runtime application self-protection (RASP) to monitor and protect Internet-connected medical devices can have a significant positive impact on medical cybersecurity.