The medical field is a prime target of hackers. These aren’t nation-state hacks with the best tech, these are “average” hackers on their own attacking weak targets to steal patient data to exploit.
Front-line medical staff frequently communicate back and forth using outdated communication technology, leaving clients vulnerable to some of the easiest hacking attacks. Patient data security must be a priority to protect these patients, your colleagues, your business, and your reputation.
Secure communications for patient data security
The statistics on the hacking of patient data in the medical field are truly shocking:
- 25% of all digital security breaches in the world are committed against medical facilities.
- The University of Texas Cancer Clinic paid a fine of $4.3 million as a result of poor encryption of the files of 33,500 people.
- 25 million patient records in the USA were compromised in 2019.
- Hacking incidents against health care facilities have risen every year since 2010.
Hackers target the medical industry to steal useful data—such as social security numbers—to sell to other criminals or to use to commit fraud. They also steal patient data which can be used to extort the medical practice into paying the hackers or they’ll release the data. One of the worst incidents of cyber-extortion is what happened to London Bridge Plastic Surgery.
The hack against London Bridge Plastic Surgery (LBPS)
This may be one of the more infamous hacks against a medical facility ever. The hack was orchestrated by the notorious The Dark Overlord (TDOL) hacker collective, and involved regular people and celebrities. LBPS is a plastic surgeon in London with a number of high profile clients. Here’s what happened:
- Security configurations on their network were set up improperly, jeopardizing their patient data security. There has been no statement on which settings, but chances are default passwords were used or other Security 101 steps were missed.
- The misconfiguration allowed TDOL to gain access to and steal patient photos (including some faces), records, and a complete patient list.
- TDOL then extorted LBPS to pay them or they’d release the stolen records to the public, including records related to the Royal Family.
- LBPS did not pay immediately, causing TDOL to send samples of the data to a reporter at The Daily Beast to put pressure on LBPS to pay the ransom.
- LBPS confirmed that their network was breached and verified that the photos sent to The Daily Beast were genuine.
LBPS refused to pay the ransom, but TDOL escalated the hack by ‘crowdfunding’ for the release of the photos unless the ransom is paid. This has been going on for over two years now, and is a constant headache for LBPS to deal with.
How SKY ECC helps patient data security
In instances where vast troves of information are stored together, there is the opportunity to segment data. Those working with high-profile clients are especially vulnerable for the news value alone, which is exactly what happened with LBPS. Here’s what SKY ECC can do:
- All digital communications about high-profile clients internally would be done on SKY ECC. This would have kept corroborating conversations about clients off servers which could be breached.
- Conversations between high-profile clients and the clinic done over SKY ECC would’ve been protected by our 521-bit ECC encryption.
- Fear of contact list theft with high-profile clients would’ve been protected by SKY ECC’s contact list security measures.
- SKY ECC messages are expire at least within a week, if not sooner, so there would be no trove of older data to find. Hackers can’t steal conversations which no longer exist.
LBPS put all of their data, from not-so-sensitive to highly sensitive, in one place which made it a big target. Hackers saw that target and went after it until they exploited it. Segmenting sensitive conversations would have given the hackers less data to access and exploit, and potentially eliminate some corroborating evidence they used to extort LBPS.
SKY ECC could be used by clinicians, patients, and the entire organization to have crucial conversations in complete privacy.
They could, for example, agree on code names for high-profile people for patient data security in SKY ECC and there would be no way for hackers to find the match up of code names to records. Secure notes and secure images can be stored on SKY ECC devices breaking up the data into less useful chunks that would take more work to try to assemble into something useful (to a hacker).
The fallout from this attack
The hack of LBPS is a drop in the bucket compared to the tens of millions of patient records hacked and stolen every year. While LBPS has been dealing with this hack for over two years, medical facilities the world over have been hacked consistently for over a decade.
Both internal and external communications can be better secured with SKY ECC. Your practice doesn’t need to deal with two years of extortion attempts like LBPS. Contact us using the button below to see how we can help you secure patient data and secure your medical practice.