Hospitals and the health care industry are being deliberately targeted by hackers, cyber criminals and spies seeking a treasure trove of personal and financial information, a business consultancy has warned.
Attacks by organised gangs and even state spy agencies are a growing concern as they hunt for details that can be used for extortion or even espionage.
The theft of personal details of 1.5 million people from a Singaporean health database, including that of the prime minister, by a state-sponsored espionage group has highlighted the threat, said BDO.
Hospitals and clinics are also often poorly defended compared to banks or government institutions, despite representing a “honeypot of valuable information” said Gregory Garrett, head of international cyber security at the firm.
He said: “The healthcare industry has the electronic healthcare records on individuals, they have the personable identifiable information on individuals and in most cases they also have their payment card information.”
The UK’s National Cyber Security Centre, an offshoot of the GCHQ electronic spy agency, said it is working closely with the health and social care sector “to ensure their platforms are as secure and resilient as possible”.
The damage that can be wrought was highlighted in the 2017 WannaCry attack that crippled NHS computers as they were hit alongside other businesses around the world.
The Department for Health later found the attack had cost the NHS £92m, as a third of hospital trusts and eight per cent of GP practices had computers digitally locked up and held for ransom.
The cyber attack caused 200,000 computers to lock out users with red-lettered error messages demanding the cryptocurrency Bitcoin. The ransomware attack was later blamed on North Korean hackers.
But attacks are targeted specifically at health care to steal information, experts at BDO said.
In the first half of 2018, US healthcare organisations reported 176 large-scale data breaches. While criminals seeking to steal or encrypt and then cash in on sensitive data are the greatest threat, nation-states could also be looking for research.
“They’re being targeted by hostile nation-states for theft of intellectual property related to medical research, innovations, cancer studies, population health studies, research for precision medicine and clinical trials, and also potentially for conversion for military use such as biological weapons,” said John Riggi, a former ex-FBI cyber specialist at the firm.
Sensitive medical details of business leaders, politicians or military figures could also be of use to spies.
When hackers struck a Singapore government health database they took names, addresses and – in some cases – details of medicines dispensed.
Details for Prime Minister Lee Hsien Loong, including his outpatient medicines, were “specifically and repeatedly targeted”.
A cyber security company in March 2019 blamed the attack on a well-resourced “state-sponsored espionage group” called Whitefly. Symantec said Whitefly had been operating since at least 2017 and had also struck targets in other sectors in the country to steal large amounts of personal data. The company did not say who was sponsoring Whitefly.
“There’s a real concern by the military cyber security community and the intelligence community all over the world about targeted attacks on the nation’s healthcare industries,” said Mr Garrett.
Targeting hospitals near military installations could give the sensitive records of military personnel, he suggested.
“If you were to be able to infiltrate one of those urgent care facilities and find out that a large number of troops had been in there recently to get a certain vaccination, that might give you insight into where the troops might be deployed in the not so distant future.”
Medical records of business leaders, wealthy figures, or their families could be of use in industrial and criminal espionage he said.
But healthcare institutions were often working with old computer systems and in the past may not have focused on security, even though they were a “target rich environment”.
“Information security has been low priority,” he said.