Securing patient data: the new critical national infrastructure?

Securing patient data: the new critical national infrastructure?
© iStock/Pe3check

David Higgins, from CyberArk, discusses the rise of hacking, how the health industry may be at risk and more importantly, how patient data could potentially be threatened.

A couple of weeks ago, it was reported that NHS patients’ genetic data was targeted as foreign hackers attempted to attack Genomics England. Rumours even went as far to suggest that the sensitive patient data had to be moved to a high security MOD unit.

Genomics England has since denied that it has had to move data due to attacks, but nevertheless, this sheds light on the incredibly worrying and rising trend of hackers trying to steal our identities. Stealing passwords or credit card details is one thing but stealing details of genetic makeup reveals a bleak new reality in the world of cybercrime.

Are we going to have to move to a future where critical patient data, such as DNA records are in fact going to have to be moved to high-security, government-owned facilities?

As hackers look to steal sensitive medical records, we should change our attitude to health data and treat it as critical national infrastructure (CNI). There is too much at stake if this critical data falls into the wrong hands.

Attacks on human identities on the rise in 2019

We expect to see attempted hacks of this nature to rise in the year ahead, across a range of sectors and industries. Biometric fingerprint, voice and face ID authentication controls have proven effective in consumer devices, and organisations will look to new authentication methods – like embedded human microchips, for example.

Attackers will increasingly target these identities to gather massive amounts of biometric data for future modelling purposes and nefarious use. Genetic consumer-services, biometric stores, such as Genomics England and within organisations and more will become key targets, further elevating privacy concerns.

CyberArk’s Global Advanced Threat Landscape report revealed that 52% of healthcare IT decision-makers believe that they cannot prevent hackers from infiltrating their networks, and a further 59% believe that customers’ PII could be at risk. So, what does this tell us?

There is a lack of confidence to being able to prevent a cyber breach. A member of staff may unknowingly, be exposing their organisation to risk. It has to come down to education as well as a change in technology focus. Healthcare professionals need to be armed with the tools and knowledge to play their part in securing the network. Furthermore, healthcare organisations must couple this by implementing strong privileged access security measures to make sure the right people have access to the right software and data at the right time. This limits the possibility of a hacker wreaking havoc once they penetrate the perimeter.

Data as CNI

The topic extends beyond hospitals and individual organisations, though.

As the threat landscape for cyber crime evolves, governments need to rethink how critical data, such as patient data is stored and managed. We typically think of CNI as physical – power plants, dams, electricity networks. But in the Fourth Industrial Age, we need to class data as CNI. Data is the commodity that is sparking the new era of espionage and indeed 21st century warfare.

In 2019, we expect to see a new round of nation-state attacks designed to steal intellectual property and other trade secrets to gain competitive market advantages. Nation-state attackers will combine existing, unsophisticated, yet proven, tactics with new techniques to exfiltrate IP, as opposed to just targeting PII or other sensitive data.

Whilst these attacks will predominantly be carried out by malicious external attackers, we’ll also see an uptick of insider attacks, especially in cutting-edge industries like autonomous cars (much like that which occurred at Apple in June 2018). We’ll see attacker dwell times extend as nation-states spend more time conducting reconnaissance and carrying out these trade-driven attacks. We’ll also see the emergence of nation-state weapons being commercialised on the black market. This same phenomenon happened after Stuxnet, Petya and NotPetya – where cyber criminals take pieces of code from massive nation-state attacks and incorporate them into their attacks.

The road ahead

It is no doubt a concerning time in the world of cyber security. Hackers, whether operating individually or as part of a nation-state attack, are increasingly going to look for ways to target the data which means the most to us. Whilst a mass data breach wouldn’t cause damage or panic to the nation in the same way that a poisoned water supply or power outage would, let’s make no mistake that data can increasingly be used as the ‘route in’ for hackers to exploit critical systems. Genetic data theft could be the stepping stone for hackers to target government organisations and CNI, by specifically targeting employees at these organisations. The key for governments and organisations is to equip employees to better understand how to protect data, as the first line of defence.

David Higgins
Director of Customer Development EMEA
Tweet @CyberArk


Please enter your comment!
Please enter your name here