Healthcare data now more valuable than financial information
The healthcare data breach outlines a new reality. In today’s world, we are beginning to see a new and scary fact, healthcare data has grown its value so much that hackers are now willing to go the extra mile to obtain it.
Author: Olli Jarva, Managing Consultant at Synopsys' Software Integrity Group
Recently a cyber attack caused a major security breach in Singapore’s government health database, stealing approximately 1.5 million people’s private information, including that of Singapore’s Prime Minister Lee Hsien Loong. The government has called it ‘the most serious breach of personal data’ that Singapore has experienced, and the country is reportedly making cyber security a priority in the wake of this attack.
This has been a growing trend over the past few years, that healthcare data has outgrown the value of credit card or social security numbers. Are healthcare providers aware of the value of the data they are storing?
Reporting on the breach, the news pointed out that ‘Unusual activity was first detected on July 4, 2018, on one of the SingHealth’s IT databases’. When we are designing and building the systems to be resilient for cyber attacks, we have to start building security from within, rather than only relying on perimeter defence.
This means that before a single line of code is written, we have already started to map down our potential security problems from the design stand point. Application security problems can be divided to two parts; Flaws and Bugs. To catch most of these software security problems, we need to identify them early on so that they do not come back to haunt us later.
We have to stay vigilant when it comes to understanding how and what kind of data we are protecting, where it is located, and what kind of security controls we have in place to protect it. We need to ‘shift left’ with our thinking when it comes to security and tackle those issues earlier on in our Software Development Lifecycle. If we leave these problems for later, the cost of fixing and reacting to breaches would be extremely costly and the effects may not devastating.
Typically large computer systems are part of a bigger project developed and delivered by System Integrators (third parties), where the supply chains can get complicated. This compounds the challenge to manage security, as different parts of the system may have different third party software components and inherent vulnerabilities, and often, may not be properly identified and patched early enough. This isn’t a challenge that is unique to healthcare, it is a challenge that every large organisation goes through.
When it comes to cyber security challenges in the healthcare industry, it is a different environment to defend and secure.
From a security standpoint, the healthcare industry shares the same shortcomings as other enterprises, but with some added obstacles:
- Lack of security resources, financial resources, and expertise, to correct this weakness.
- Dealing with an extremely heterogeneous environment. While healthcare organisations may standardise on laptops and IT servers, providers also manage multiple devices that are attached to the network. These can include drug infusion pumps, imaging devices like MRI and CT scanners, and treatment software (such as those used to manage implantable pacemakers).
- Systems in different parts of a healthcare organisation may not play well with each other. Like any large organisation, a healthcare organisation may have multiple business or operations units, and each unit may procure software solutions that best meet their needs, but may not have uniform cyber security effectiveness. Electronic Health Records (EHRs) promise to help practitioners and patients by simplifying the sharing of information.