Our health data is under attack

Mikko Hypponen
Chief Research Officer, F-Secure

For many years, our clients and customers have asked me about personal health data. “Isn’t it true that health data is one of the prime targets of evil hackers? Isn’t it true that they’re after my medical history?”, they have asked. For years my answer has been: “No, it’s not.”

Around 99% of the cases we investigate at F-Secure Labs are criminals who are trying to make money. My thinking has been that if you’re trying to make money, your prime target is financial information like credit card data, not X-ray images. 

But now I’m changing my mind. 

The reason is the rise in attacks against hospitals, medical research units, and even patients that we’ve seen during the pandemic – in particular, the October attack against the Psychotherapy Center Vastaamo in Finland, in which sensitive information related to tens of thousands of patients was compromised. 

The Vastaamo case is a prime example of an attacker who is motivated by money and attempting to monetize personal data by directly blackmailing patients instead of institutions. It takes a ruthless attacker to target health data in general, but we have only seen a handful of attackers around the world who are evil enough to target patients directly.

Going after individuals as opposed to institutions and companies is not a trend yet, but we are seeing indicators that it could become a trend in the near future. I’m worried about this. The Chief Research Officer at F-Secure is worried about this trend, so you probably should be too. 

The bulk of attacks targeting the healthcare sector are still perpetrated against institutions, and most are ransom Trojans. This usually involves a disruption like shutting down operations and demanding: “Pay us money if you want to continue saving lives.” We have seen a number of ransom Trojan attacks during the pandemic, most importantly Ryuk. Ryuk attacks have hit dozens of hospitals and healthcare organizations during the pandemic, particularly across the US, where COVID-19 has pushed hospitals and health care organizations and staff to the brink of collapse. 

If you’re purely looking for profit, targeting hospitals in the middle of a pandemic is a great idea because they have to continue operations no matter what. Clearly, there are people out there who are willing to capitalize on this opportunity. 

When the pandemic hit in March of 2020, I posted a public message to ransomware gangs telling them “Stay away from hospitals during the pandemic.” I wasn’t expecting much of a response, but I did get a response. Five organized crime gangs went on the record saying “Ok, fair enough. We won’t go after hospitals during the pandemic.” This was a nice surprise, but you can’t really trust a response given by professional criminals. And indeed, we have seen attacks against hospitals, medical institutions and patients.

A massive challenge

Health data has always been an easy target for threat agents because it’s typically not well protected. Most medical systems are publicly funded, which means the world’s health data is often stored in old legacy systems running outdated operating systems. Attackers have always had easy access to these systems. Now that they are beginning to exploit that access, the need to protect some of our most private and sensitive data is more urgent than ever.

So what will it take to keep the world’s health data safe in the future? Money, for starters. But it’s complicated.

In 2017, WannaCry ransomware hit the UK’s National Health Service (NHS) particularly hard. The root cause was obvious – decades of budget cuts. Most of the systems in use by the NHS were running Windows XP in 2017, which is inexcusable. As a result of WannaCry, the NHS was forced to cancel some 19,500 appointments and 600 surgeries. Hospitals, staff and, most importantly, patients suffered.

The WannaCry attack caused such massive problems that the NHS was granted a sizable budget increase to fix the biggest problems that had allowed the attack to happen. The fact that it took a huge failure for politicians to deliver the budget the NHS needed highlights one of the biggest conundrums in cyber security: Freeing up needed budgets in response to a disaster instead of as a means of preventing disasters from happening in the first place. When we do our job right as cyber security experts, our successes are invisible. When we fail, our failures are highly visible. It’s a hard game to play when you need to fail in order to get recognized.

Another problem is that health data isn’t like corporate data, which is stored for a relatively short period and can then either be destroyed or made public. Health data needs to remain accessible, secure and private forever. And with limited budgets and legacy systems, this is a massive challenge that we are only now beginning to grasp. 

The bottom line is that our health data is now a target for blackmail and other types of attacks. Solving this massive challenge will require a shift in attitude on many levels. And it is definitely not a problem that anyone can tackle alone. It will require both a deeper understanding of this emerging and growing threat and the willingness to address it on all possible levels. 

The knowledge, insight and actions of cybersecurity professionals are a big part of the solution, but the only way to solve the problems we face is together. 

“If you think about corporate emails, they become historical records in around 20 years. Health data needs to be accessible and safe forever.”