Ever since the first electronic health records (EHRs) were created, there have been concerns about security. Not only is patient privacy a significant issue (potentially fostering mistrust in the healthcare field if patient information is exposed) but so too is medical identity theft and theft of hospital financial records.
Clinical trial developers aren’t immune to cyberthreats either. As the healthcare industry experiences more cybercrime, clinical researchers are looking for ways to better protect their data. Here is why healthcare cybercrime is so lucrative and how you can reduce your organization’s risk.
Healthcare is at Risk for Data Breaches and Ransomware
The first type of cybercrime that most people think about in relation to healthcare is the data breach. Strictly, a breach is the theft or exposure of sensitive data, but the same intrusion can also be used to alter records so that they can no longer be trusted. The second is often the more damaging outcome for clinical trials, whose results depend on data integrity: a stolen dataset is a privacy problem, but a silently modified one can invalidate the trial.
Attackers also have a direct financial motive for seizing control of the technology that runs healthcare systems.
“Data breaches aren’t the only cyberthreat facing the medical industry,” says Daniel Brettler, managing director at insurance brokerage Conner Strong & Buckelew. “Ransomware attacks, in which cybercriminals hold a network or database hostage in exchange for payment, have skyrocketed in recent years. Cybercriminals are even capable of hacking into a medical device currently being worn by an individual, putting patient safety at risk.”
Cyber attacks on the healthcare field can have devastating effects on patients. In September 2020, ransomware operators encrypted 30 servers at a university hospital in Düsseldorf, Germany. The hospital all but shut down and had to turn away emergency patients. One was rerouted to another hospital 20 miles away and died following the delay in treatment; the case was widely reported as potentially the first death attributable to a ransomware attack.
“Hospitals can’t afford downtime, which means they may be more likely to pay — and quickly with minimal negotiation — to restore their services,” says Brett Callow, a threat analyst at cybersecurity solutions provider Emsisoft in regard to the Düsseldorf attack. “That makes them a prime target.”
Healthcare providers need to be ready to prevent an attack and also to have plans in place for responding to one. Time spent deciding whether or not to pay the ransom (and discovering whether payment would actually get the records back) can mean life or death for patients.
Cybercriminals Turn to Clinical Trials
Hospitals aren’t the only healthcare providers at risk for cyber attacks. Some criminals are looking at clinical trial management systems as potential targets for disruption and money.
A month after the Düsseldorf incident, a clinical trial software vendor was hit by ransomware. The attack disrupted the software supporting AstraZeneca’s COVID-19 vaccine trial, along with trials run by the drug manufacturer Bristol Myers Squibb.
“For large, profitable organizations, cybercriminals know that they have the means to pay the ransom after their data is stolen,” says James McQuiggan, security awareness advocate at security awareness training and simulated phishing platform KnowBe4. “Unfortunately, cybercriminals are stealing intellectual property to auction it on the dark web to increase their financial profits from the attack.”
For many clinical research organizations (CROs), the cyberattack response plan arrives too late. By the time management realizes the importance of cybersecurity, the firm’s data has already been compromised.
“The ability for companies to quickly withstand this kind of attack is completely dependent on how good your IT is to begin with,” says Eric Perakslis, chief science and digital officer at Duke Clinical Research Institute.
What Can Sponsors and Clinical Research Organizations Do?
Pharmaceutical companies and CROs need to be proactive in fighting cyberattacks. They must anticipate ransomware and data breaches and have controls in place to block them, and that starts with investing significant time and resources in building a secure digital infrastructure.
“Financial organisations are better protected today because the industry has invested quite a bit of time and money into improving the situation – they spend approximately 15 percent of their annual IT budgets on cybersecurity,” says Azi Cohen, CEO at IoT security firm CyberMDX. “By comparison, most healthcare organisations lack dedicated cybersecurity teams and probably spend only around 4 or 5 percent on this.”
Financial firms quickly understood that criminals wanted money and would try to reach it digitally, and they raised their cyberattack prevention budgets accordingly.
In the world of clinical trials, it’s not enough to make sure your own company is protected. You also need to make sure your vendors, suppliers and customers are all prioritizing cybersecurity. Peter Sullivan, principal at Sullivan Insurance Group, recently explained how attackers can work their way through a clinical trial to seize data and take control of a system. They start from a “touchpoint” such as a wearable, where the data is easy to reach, and then pivot along each connection to the next system, turning every integration into a new touchpoint.
“They could travel down the internet to the CRO, the sponsor and their systems,” Sullivan says. “They would have touchpoints where the backups are connected. And if you’re connected to the FDA or any other vendor, those could potentially be a portal for this information.”
Just because your company is secure doesn’t mean a vendor you depend on won’t succumb to a cyberattack. That was the case with AstraZeneca in October 2020, when the compromise hit a software supplier rather than the company itself.
Additionally, cybersecurity isn’t an issue solely for your IT department. Every employee, in-office or remote and regardless of department or rank, needs to follow best practices to protect company data. Even experienced employees can make mistakes that open a touchpoint for an attacker.
“Cybersecurity professionals employ robust firewalls and other defenses, but the human factor remains a weak link,” says Bojana Dobran, product marketing manager at global IT services provider PhoenixNAP. “To minimize human error, system admins need to remind all staff about risky behavior continually. This can include anything from downloading unauthorized software and creating weak passwords to visiting malicious websites or using infected devices.”
Preventing cybercrime is an all-hands-on-deck effort. Senior leaders, interns, vendors and even patients can take steps to keep data out of the hands of criminals.
Understanding the Principle of Least Privilege
There is another aspect to keep in mind as you develop your cybersecurity plan: the principle of least privilege (POLP). This is the rule that every employee, service and device in your organization is given only the access its job actually requires, and nothing more. The payoff is containment: when an account is compromised, the attacker inherits only that account’s permissions, so the damage is bounded by how little the account could do in the first place.
Matt Miller, director of content marketing at privileged access management platform BeyondTrust, breaks down the differences between privileged and non-privileged accounts to demonstrate the principle of least privilege:
- Superuser accounts. These give users virtually unlimited access to any part of the system. They can read, write, and edit any aspect of the service and override standard users.
- Standard user accounts. These have access to only the parts of a service they need, and may be read-only so that they cannot make changes. They are also called least-privileged user accounts (LUA) or non-privileged accounts.
For a non-technical example, think of the amount of access a hotel manager has compared to a guest. The hotel manager can access any room plus offices and cleaning areas. The guest can only access their room and some common areas.
“The principle of least privilege applies not only to individuals but also to networks, devices, programs, processes, and services,” write Debbie Walkowski and Raymond Pompon, security threat researcher and director, respectively, at multi-cloud security and application delivery provider F5 Labs. “When it comes to access control, all of these are considered subjects (active entities) that request access to resources, or objects (passive entities that contain or receive information), such as systems, files, applications, directories, databases, ports, and more.”
Over-privileged subjects are what let an attacker chain touchpoints into a path through your systems. If a compromised account, device or service holds more access than its task requires, each excess permission is a door to another object, and from there to the next one.
By following POLP you shrink both the chance that an attacker reaches your most sensitive information and the damage done when one account does fall: a compromised data-ingest service that can only write telemetry cannot also read the trial database.
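To make the subject/object model concrete, here is an added example (not code from the original article or from any of the vendors quoted) that evaluates a least-privilege policy for a small clinical-trial environment and measures the blast radius of a compromised account. The subjects (`alice`, `svc-ingest`, and so on), the objects (`edc_db`, `wearable_feed`, …) and the role definitions are all constructed for illustration; the comparison policy simply hands every subject the superuser role, which is what an environment without POLP looks like in practice.

```python
"""Least-privilege access policy for a constructed clinical-trial environment.

Every subject, object and role below is hypothetical and exists only to
illustrate the principle of least privilege; nothing here describes a real
system.
"""
from dataclasses import dataclass

READ, WRITE, ADMIN = "read", "write", "admin"
ACTIONS = (READ, WRITE, ADMIN)

# Objects: passive entities that hold or receive information.
OBJECTS = {
    "edc_db",         # electronic data capture database with the trial data
    "wearable_feed",  # raw telemetry ingested from patient wearables
    "backup_store",   # off-site backups
    "sponsor_portal", # connection to the trial sponsor
    "user_directory", # identity provider / account management
}

# Role -> {object: {permissions}}.  Each role lists only what that job needs.
LEAST_PRIVILEGE_ROLES = {
    "site_coordinator": {"edc_db": {READ, WRITE}},
    "monitor":          {"edc_db": {READ}, "sponsor_portal": {READ}},
    "ingest_service":   {"wearable_feed": {WRITE}},            # a process, not a person
    "backup_service":   {"edc_db": {READ}, "backup_store": {WRITE}},
    "sysadmin":         {obj: {READ, WRITE, ADMIN} for obj in OBJECTS},
}

# Comparison policy: the same role names, but every one of them is a superuser.
COARSE_ROLES = {name: LEAST_PRIVILEGE_ROLES["sysadmin"] for name in LEAST_PRIVILEGE_ROLES}

# Subject -> role.  Service accounts are subjects too.
ASSIGNMENTS = {
    "alice":      "site_coordinator",
    "bob":        "monitor",
    "svc-ingest": "ingest_service",
    "svc-backup": "backup_service",
    "carol":      "sysadmin",
}


@dataclass
class Policy:
    roles: dict        # role -> {object: {permissions}}
    assignments: dict  # subject -> role

    def is_allowed(self, subject: str, action: str, obj: str) -> bool:
        """Default deny: unknown subjects, unknown objects and missing grants all fail."""
        role = self.assignments.get(subject)
        if role is None or obj not in OBJECTS or action not in ACTIONS:
            return False
        return action in self.roles[role].get(obj, set())

    def blast_radius(self, subject: str) -> set:
        """Every (object, action) pair an attacker holding `subject` could perform."""
        return {(obj, act) for obj in sorted(OBJECTS) for act in ACTIONS
                if self.is_allowed(subject, act, obj)}


LEAST = Policy(LEAST_PRIVILEGE_ROLES, ASSIGNMENTS)
COARSE = Policy(COARSE_ROLES, ASSIGNMENTS)


def compare(subject: str) -> tuple:
    """(blast radius under the coarse policy, blast radius under least privilege)."""
    return (len(COARSE.blast_radius(subject)), len(LEAST.blast_radius(subject)))


def can_reach_trial_data(policy: Policy, subject: str) -> bool:
    """Could a compromise of `subject` expose or alter the trial database?"""
    return policy.is_allowed(subject, READ, "edc_db") or policy.is_allowed(subject, WRITE, "edc_db")


if __name__ == "__main__":
    # Scenario from the text: the wearable ingest service is the touchpoint that falls.
    for pol_name, pol in (("coarse", COARSE), ("least-privilege", LEAST)):
        print(f"{pol_name}: svc-ingest reaches trial data? {can_reach_trial_data(pol, 'svc-ingest')}")
    for subject in ASSIGNMENTS:
        print(subject, "blast radius (coarse, least):", compare(subject))
```

Run as a script, the output shows the point of the section: under the coarse policy every subject, including the wearable ingest service, can reach all 15 object/action pairs and therefore the trial database, while under least privilege the ingest service can only write its own feed. The `is_allowed` check is deliberately default-deny, so a subject or object that was never enrolled in the policy gets nothing rather than falling through to an implicit grant.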
Be Prepared for Simultaneous Crises
Criminals aren’t going to wait for a convenient time to strike. They won’t hold off until everyone is back from the summer holiday or because of bad weather. Your team needs to be able to handle several incidents at once without being overwhelmed.
“Most hospitals have emergency response plans for each type of disaster: natural, cyber, active shooter, and so on,” say Michael Coden and Mike Czumak, managing director of BCG Platinion at Boston Consulting Group, and vice president and chief information security officer at Memorial Sloan Kettering Cancer Center, respectively. “But it’s key to have plans that can handle more than one emergency at the same time—a cyberattack, a hurricane, and a pandemic, for example.”
Remember, attackers find it easiest to strike when you are already dealing with a crisis. If you train your team to handle simultaneous crises, you can still respond quickly when something goes wrong.
For most healthcare providers, it’s not a matter of if a cyberattack will occur, but rather when it will happen. Take steps to build up your infrastructure and train your team, but also ensure you have plans in place if you fall victim to a data breach or ransomware attack that threatens to derail your clinical trials.