Medical data is moving to telemedicine, but security hasn’t kept up

By Ash Patel, General Manager for EMEA, Zimperium.

  • 1 year ago Posted in

The last few years have borne witness to a mobile revolution. It is now a centrally important piece of technology for seemingly every industry, upholding the next flexibility and speed which we now expect of a modern workforce.

Unfortunately, attackers will go where there are targets to attack. With that growth, mobile devices have also become one of the main attack vectors. As so often happens with rapid adoption of new technologies - security has not kept up.

The Growth of telemedicine

Telemedicine seems to be growing in all directions. Patients can now get check-ups from their doctor via their own mobile phones and doctors can share sensitive medical information with patients and other medical specialists quickly and easily.

In the meantime, consumer focused healthcare apps are enduringly popular. From calorie counters to sleep tracking apps, to water consumption apps - people seem highly interested in measuring and tracking their own health metrics.

This can be especially useful for those with long term health problems. For example, diabetes patients are now using apps to track their intake of sugars and carbohydrates, thus allowing them to better manage their condition.

The amount and richness of that data is proving marvellously useful to legitimate users and medical practitioners. However, it's this kind of data which is coveted by cybercriminals, and so often, easily within their grasp.

The healthcare sector is in a unique position when it comes to cyber-risk. It both possesses some of the most valuable data that a cybercriminal can steal, and is often not well positioned to fend off those attacks. Its full-throated adoption of mobile devices, may ultimately provide another attack vector through which threats can exploit the sector.

The value of medical data

Medical information is some of the most sensitive data that one can give out, and one of the most lucrative that a cybercriminal can get their hands on. According to one 2019 report from Trustwave, healthcare data can be sold at up to $250 per record, set against the comparably small $5.40 for payment card records which is the next highest value data category.

That could be one of the reasons why the previous years have seen a precipitous rise in attacks on this sector. According to Sophos’ 2022 report - The State of Ransomware in Healthcare - 66% of healthcare organisations were attacked in 2021, up from 34% in 2020.

Healthcare organisations are also more also likely to pay those ransoms - 61% - compared to the cross sector average of 46%.

Vulnerabilities in medical environments

On the other hand, medical environments are often not designed for security, but ease of access. Hospital IT systems will often be filled with a diverse collection of endpoints and designed so that doctors, nurses and other medical practitioners can easily find what they want, when they need it. These are also typically large networks, in which multiple parties might need access to the same data quickly. Security controls are often perceived as an obstacle to quick access, thus, they can sometimes be side lined in the perceived service of enabling quick access to data.

A powerful example of exactly this was revealed when the WannaCry attacks hit in 2017. The ransomware attacks - which eventually spread all over the world - paralysed 42 of the UK’s National Health Services (NHS) trusts. Many of those trusts were running outdated versions of the Windows Operating System, which could no longer be updated to avoid attacks like WannaCry.

Mobile devices and the threats they pose

One of the principal values that has ushered mobile devices into the medical sector is the ease with which both healthcare professionals and patients can access data. This is undoubtedly a valuable asset to possess, it also represents an enduring problem within medical IT - easy access for users often means easy access for criminals too.

BYoD

One of the main challenges arrives when medical practitioners use their personal devices in a Bring Your Own Device (BYoD) scheme. In fact, a recent Zimperium survey found that nearly half - 44% - of all healthcare professionals do indeed access patient data with a mix of organisational and personal devices.

This represents a stark problem for the security of that patient data. When using personal devices, medical practitioners are exposing patient data to the variety of threats - through software vulnerabilities, malicious applications and more - that may exist on their device.

Compliance

Given the sensitivity of medical data, there are a range of regulations which govern it and punish noncompliance.

The European General Data Protection Regulation (GDPR), for example, lays out strict rules for the handling of personal data and threatens harsh fines for those that don’t follow them. In the US, a variety of state-level regulations - such as the California Consumer Privacy Act (CCPA) - perform a similar function.

Other regulations compel organisations to engage in forms of telemedicine. For example, the Health Insurance Portability and Accountability Act (HIPAA) and the 21st Century Cures Act demands that healthcare organisations adopt Application Programming Interfaces (APIs) in order to allow patients to access their health information through apps.

How to secure mobile devices in medical environments

Telemedicine grants both patients and medical practitioners incredible capabilities and benefits. However, in order to capture those benefits - security needs to be a central concern of healthcare organisations. Even if a security breach or regulatory fine never happens to an organisation, patients will turn away from Telemedicine if they don’t believe it to be secure. In one 2021 survey from Arlington Research, 52% of organisations said that Telemedicine patient numbers declined directly because of security concerns.

Securing those devices requires intervention at several stages of the device supply chain.

The manufacturers of devices - both medical and personal - need to think about the security of the broader ecosystem and how their devices share data. Their communications should be continuously monitored and transport security should be established to prevent Man In the Middle attacks from altering or corrupting data in transit.

At the application level, medical apps need to be secured against potential device vulnerabilities. If, for example, it detects that a phone has been rooted - that app can prevent itself from starting up - thus protecting the medical data that the app would otherwise handle.

Developers of medical mobile applications also need to think about the security of their code too. Cybercriminals will often download apps from app stores in order to reverse-engineer and thus exploit them and organisations need to guard against this possibility.

Healthcare providers will need to do thorough risk assessments of the products and devices they use, so as to ensure both compliance and privacy. Furthermore, they can look to Mobile Device Management (MDM) to secure the personal devices that medical practitioners will be using and the data that they’ll exchange. By permitting the central management of a healthcare organisation's mobile devices - MDM can automatically enforce policies around data handling, ensure that the correct practices are being carried out and encrypt sensitive data. Furthermore, it allows for the remote installation of the necessary settings, policies and security applications and while blacklisting apps and devices it deems unsecure.

By Frank Catucci, CTO and Head of Security Research, Invicti Security.
By Jim Downey, Senior Product Marketing Manager, F5.
The State of API Security in 2024 Report highlights how APIs and their increased usage are...
By Sairam T A, enterprise analyst, ManageEngine.
By Marco Pozzoni, EMEA Storage Sales Director at Lenovo.
In a world where quintillions of bytes of data are generated and collected every day, it can...
By Chris Rogers, Senior Technology Evangelist at Zerto, a Hewlett Packard Enterprise company.
By David Corlette, VP Product Management, VIPRE Security Group.