Threats lurking on medical electronic data

Cyberattacks on healthcare establishments are a growing threat

By Morand Fachot

Over the years the healthcare sector has become increasingly reliant on an IT infrastructure for the proper and safe operation of its equipment and to manage patients' medical records. Healthcare establishments, long spared cyberattacks aimed at stealing confidential information, are now facing unprecedented attempts to breach their IT infrastructure. The IEC has been developing means to protect the integrity of IT systems and equipment in the healthcare environment for many years.

Patients' medical records are less and less kept on paper files, more and more in electronic format (Photo: Whitfield Clinic, Waterford, Ireland)

Not so recent form of criminal activity

State and non-state actors as well as criminals have been actively targeting institutional IT systems and individuals for many years.

The primary targets of such attacks, which aim at embezzling money or accessing confidential information, have been government agencies, financial services, media companies, manufacturers and retailers. Black market demand and prices are high for information such as credit card or bank details, email addresses and other details useful in targeting individuals, companies and governments.

The financial losses for affected parties may run into millions of dollars whilst the risks for wrongdoers are minimal.

Targeting new territories

The healthcare sector has been increasingly reliant on IT systems for years, with medical equipment dependent on software to operate more efficiently and reliably.

IEC Technical Committee (TC) 62: Electrical equipment in medical practice, and its Subcommittees (SCs), develop International Standards for electrical equipment, electrical systems and software used in healthcare.

The TC's remit is to focus on safety and performance (e.g. data security, data integrity and data privacy), among other aspects.

In addition to equipment, systems and software, the healthcare sector in many countries has been gradually transferring patients' details and history from paper or other media (such as X-ray films) onto electronic files. This makes for easier processing, billing and archiving and gives medical practitioners easier access to patients' records when needed.

Unlike other industries such as finance, many healthcare organizations have not invested sufficiently in robust IT security measures that can protect and encrypt data in systems, databases, connected devices and personal devices.

Criminals have seized on the inadequately protected IT infrastructures of many healthcare organizations, realizing that the trove of information held by the healthcare industry is considerable and very valuable.

Recent developments show the seriousness of the problem. In February 2015, Anthem, the second-largest US health insurance provider, announced that its database had been hacked, exposing some 80 million personal records.

In March 2015, US health insurer Premera Blue Cross revealed that it had been the victim of a large data breach that might have exposed 11 million customers' medical and financial data.

Between 2010 and 2014, approximately 37 million healthcare records were compromised in data breaches in the US, but in the first 7 months of 2015 alone, more than 105 million healthcare records had already been exposed through 153 separate attacks, according to the US Identity Theft Resource Center (ITRC).

What's the point?

At first sight one might wonder what benefit could be gained from accessing millions of medical records.

The answer is simple: the compromised data does not contain only medical history, which would be serious enough, but also personal information such as dates of birth, social security and bank account numbers and other details, which can be misused for identity theft or other illegal schemes.

The value placed on such information is reflected in the fact that it is now worth much more on the black market than financial details. More worryingly, according to cybersecurity strategy advisor J-B Rambaud, healthcare data can be used to steal the identities of children, who have clean credit records and are unlikely to uncover the fraud, or for extortion of celebrities or politicians hiding an illness.

More potential risks looming

As the appeal of wearable health monitoring and tracking devices and apps soars, some healthcare providers are starting to offer patients the possibility of transmitting data to and from their health files.

The technology and the devices are relatively new and offer many benefits, but the data security implications are yet to be fully assessed. However, it is likely that these will result in new challenges in protecting patients' health records from access by unauthorized parties.

IEC standardization thwarting data security threats in healthcare

While attempts to gain access to electronic medical records through cyberattacks are relatively recent, awareness of the need to protect the data security, integrity and privacy of medical electrical equipment has long been central to the work of IEC TC 62 and, in particular, of IEC SC 62A: Common aspects of electrical equipment used in medical practice.

IEC SC 62A has issued International Standards and Technical Reports that cover medical device software and IT networks incorporating medical devices.

In addition to the data security-related work carried out by SC 62A, significant international standardization in the field of IT security techniques at a general level is carried out by ISO/IEC JTC 1/SC 27, an SC of the Joint Technical Committee (JTC) set up by the IEC and the International Organization for Standardization (ISO) to work on International Standards for information technology.

The importance the IEC attaches to cybersecurity was further highlighted by the decisions taken last year to create new entities.

The IEC Standardization Management Board (SMB) agreed to set up a new Advisory Committee on Security (ACSEC) at the 2014 IEC General Meeting. Its scope includes dealing with information security and data privacy matters which are not specific to a single IEC TC; coordinating activities related to information security and data privacy; and providing guidance to TCs/SCs for the implementation of information security and data privacy, both in a general perspective and for specific sectors. ACSEC held its first meeting in May 2015.

The IEC Conformity Assessment Board (CAB) set up a Working Group, WG 17, and IECEE established a Policy and Strategy (PSC) WG, both focusing on cybersecurity.

These entities and specific publications on IT security techniques and data protection by ISO/IEC JTC 1/SC 27 and IEC SC 62A will contribute significantly to enhancing data security for the medical environment in the future.

Cyberattacks may compromise the confidentiality of medical records
Data centres holding millions of electronic medical records come increasingly under cyberattack