Cybercriminals, hacktivists and political activists are increasingly targeting the health sector, for financial or political gain or to expose its vulnerabilities [1].

There is a growing demand for medical records on the black market. Citizen healthcare data is an intangible asset that has value for many businesses: the health of citizens, the care of patients, the growth and enrichment of the drug market, and the increasing interest of insurance companies in healthcare and life insurance policies. Healthcare data are therefore highly valuable. Beyond the health information contained in medical records, stolen medical identities can be used to obtain health services and medication prescriptions by assuming someone’s identity or insurance credentials. Sometimes a medical record even contains enough information to open bank accounts, apply for credit cards, procure loans, collect refunds or obtain passports.

In addition to citizens’ health and personal data, other assets can be hit indirectly, such as reputation, brand and customer (citizen) trust. When data are lost or damaged, further related costs, usually very high, arise from the interruption of service (total or partial, affecting all or some patients, and depending on its duration), the reduced quality of the service offered, the recovery costs needed to restore the pre-attack situation (such as ransom money in the case of ransomware attacks, and the additional work of ICT staff), and the loss of customers caused by the permanent unavailability of unrecoverable data.

However, in most cases these costs are only the tip of the iceberg, since additional and significantly higher costs may follow. In particular, also in light of the new General Data Protection Regulation (GDPR), new preventive investments are needed for:

  • a deep analysis of the business processes (including care service providers, software solution providers and citizens);
  • re-thinking the data management procedures, taking into account “privacy by design” and “privacy by default”;
  • defining and supporting effective and efficient recovery procedures.

In addition, after an adverse event, companies have to consider the costs of the notification procedures, the possible fines dictated by the GDPR, forensic fees and the expenses of legal proceedings. Furthermore, when the attack has an impact on critical cases (emergency, operating theatre) where reduced patient safety puts patients’ lives at risk, the effects are even more relevant and the total costs rise enormously.

Another interesting aspect is that, in terms of technological solutions, the healthcare sector is not yet a mature market, unlike for example the financial and military sectors. This increases the effort and investment needed to adapt technological solutions in order to guarantee the security of electronic protected health information (ePHI). Above all, there is a lack of sound information security management processes [2]. Healthcare organizations are therefore facing increased cybersecurity threats due to:

  1. the adoption of digital patient records and the automation of clinical systems (a large increase in cyber personnel and in the processing and storage of ePHI);
  2. the use of antiquated electronic medical record and clinical applications that were not designed to operate securely in today’s networked environment (legacy systems);
  3. the ease of distributing ePHI both internally (laptops, mobile devices, thumb drives) and externally (third parties, cloud services), and the habit of heterogeneous device access (access from personal devices, corporate devices used for personal purposes);
  4. the heterogeneous nature of networked systems and applications (integration, interconnection and segmentation).

In addition, in most cases the time needed to discover a security incident is longer than in the financial sector, giving threat agents enough time to exploit and take advantage of the stolen patient data. This makes the healthcare sector even more attractive to threat actors than other sectors, and in recent years cyber-attacks in the healthcare sector have increased substantially.

To achieve an “adequate” level of cybersecurity, a healthcare provider should identify its cyber risks by examining the vulnerabilities, the probability of their successful exploitation, the overall costs of the outcomes (including the so-called cascading effects) and the costs of mitigating the vulnerabilities. The incentives for security arise from the evaluation of the possible costs and other losses that are uncovered [3]. When the mitigations for a specific risk, acting on existing and assessed vulnerabilities, cannot provide an effective solution in terms of cost vs benefit analysis, the healthcare provider should evaluate transferring that specific risk to a cyber insurance.
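The cost-vs-benefit decision described above can be made concrete with an annualised loss model. The following is an added example, not code from the original page or from the Hermeneut project: it compares accepting, mitigating or transferring each risk, with the cascading effects (service interruption, GDPR fines, lost patients) added to the direct loss. The two risks and all their figures are constructed sample values, not data from the page.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One assessed vulnerability with the figures the text asks for."""
    name: str
    probability: float            # annual probability of successful exploitation
    direct_loss: float            # direct cost of the outcome (EUR)
    cascading_loss: float         # interruption, fines, forensic/legal fees, lost patients
    mitigation_cost: float        # annual cost of the mitigation
    mitigated_probability: float  # residual probability once mitigated
    insurance_premium: float      # annual premium for transferring the risk
    insured_fraction: float       # share of the loss the policy would pay out

def annual_expected_cost(risk: Risk) -> dict:
    """Expected annual cost (EUR) of each treatment option for one risk."""
    total_loss = risk.direct_loss + risk.cascading_loss
    return {
        # do nothing: bear the full expected loss
        "accept": risk.probability * total_loss,
        # pay for the mitigation and bear the residual expected loss
        "mitigate": risk.mitigation_cost + risk.mitigated_probability * total_loss,
        # pay the premium and bear only the uninsured share of the expected loss
        "transfer": risk.insurance_premium
                    + risk.probability * total_loss * (1.0 - risk.insured_fraction),
    }

def recommend(risk: Risk) -> str:
    """Cheapest treatment option; transfer is chosen only when mitigation
    is not cost-effective, as the text describes."""
    costs = annual_expected_cost(risk)
    return min(costs, key=costs.get)

# Constructed sample risks (hypothetical figures).
EHR_RANSOMWARE = Risk("ransomware on EHR server", 0.30, 200_000, 800_000,
                      100_000, 0.05, 150_000, 0.8)
# Legacy, unpatchable imaging modality: mitigation means replacing the device.
LEGACY_IMAGING = Risk("legacy imaging modality", 0.20, 100_000, 400_000,
                      400_000, 0.02, 60_000, 0.7)

if __name__ == "__main__":
    for r in (EHR_RANSOMWARE, LEGACY_IMAGING):
        print(r.name, annual_expected_cost(r), "->", recommend(r))
```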

To address these issues, Hermeneut is developing a dynamic cybersecurity risk assessment tool for integrated governance that not only establishes a company’s vulnerability level, considering human, organisational and IT factors, but also updates itself automatically whenever something in the organisation changes.

[1] L. Coventry and D. Branley, “Cybersecurity in healthcare: a narrative review of trends, threats and ways forward.” Maturitas, 113 (2018) 48–52.

[2] Health Care and Cyber Security: Increasing Threats Require Increased Capabilities, KPMG.

[3] S. Dynes, E. Goetz and M. Freeman, “Cyber Security: Are Economic Incentives Adequate?” In: E. Goetz and S. Shenoi (Eds.), Critical Infrastructure Protection, Springer, 2008.