Hackers affiliated with the Chinese government have been making a concerted effort to steal medical research, particularly cancer research, from institutions in the United States, according to a recent report.
The step-up in medical research theft by Chinese APT hacker groups appears to be linked to China’s growing concern over cancer mortality rates and increasing healthcare costs, FireEye reported Wednesday. Cancer is the leading cause of death in China.
“As the PRC continues to pursue universal healthcare by 2020, controlling costs and domestic industry will surely affect the PRC’s strategy to maintain political stability,” the researchers wrote in their report Beyond Compliance: Cyber Threats and Healthcare.
“Another probable motivation for APT activity is financial: The PRC has one of the world’s fastest growing pharmaceutical markets, creating lucrative opportunities for domestic firms, especially those that provide oncology treatments or services,” the report notes.
Targeting medical research and data from studies may enable Chinese corporations to bring new drugs to market faster than Western competitors, it states.
“Similar to other examples we have witnessed, cyber-enabled theft of medical data and research is likely one component of a broader strategy by China at acquiring key innovations and technology,” the researchers wrote.
Rise in Nation-State Attacks
“For some entities in this space, the key research being conducted to develop new drugs and medical technologies can be an attractive target for cyber espionage groups supporting national priorities, especially for groups with a nexus to China,” explained FireEye principal analyst Luke McNamara.
“While the interest by criminals in PII and other patient data is probably unsurprising, what may be new to many in the healthcare space is the range of motivations for targeting healthcare — including nation-state actors,” he told TechNewsWorld.
It appears there has been an uptick in nation-state attacks on the healthcare sector in the past few years, noted Ken Underhill, a master instructor at Cybrary, a provider of free and crowdsourced IT and cybersecurity learning in Greenbelt, Maryland.
Smaller companies can be ripe pickings for those kinds of attacks.
“Smaller healthcare companies may not use industry best practices for securing data in transit and at rest, so these are prime targets for nation-states,” Underhill told TechNewsWorld.
Compliant but Not Secure
Chinese hackers are just one group of many bad actors attracted to the healthcare industry’s data jewels, according to the 2019 Verizon Data Breach Investigation Report.
The healthcare industry had the second-highest number of reported data breaches during the report period and consistently has been among the top five targets of cyber adversaries over the last decade.
Yet the industry is one of the most regulated in the country, subject to the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act.
“Those regulations create a much higher standard of scrutiny than other verticals with regards to privacy and disclosure requirements,” said Torsten George, a cybersecurity evangelist at Centrify, an authentication and access control company in Santa Clara, California.
“However, being compliant doesn’t mean you’re secure,” he told TechNewsWorld.
Healthcare providers are high-value targets for threat actors.
“The monetary value of healthcare records is higher than it is in other industries,” explained Ryan Smith, director of product marketing at Armor, a cloud security company based in Richardson, Texas.
“If you look at the black market, the cost of a medical record compared to a credit card is about 3.7 times more,” he told TechNewsWorld. “It’s around (US)$408 a record rather than $110.”
What’s more, healthcare records contain very complete information on people.
“If you get hold of data from a healthcare breach, it’s going to have all the data you need to launch any other type of attack,” Smith said.
Healthcare providers can be not only value-rich targets, but also easy targets.
“The free flow and exchange of information is critical to a successful care outcome,” explained Stan Lowe, global chief information security officer at Zscaler, a cloud-based information security company in San Jose, California.
“Patient safety has been the guiding principle behind securing that exchange of information, which has led to a less than optimal implementation of cyber principles,” he told TechNewsWorld.
“We also continue to see an increase in ransomware attacks against healthcare industry where the chances of pay-out is pretty high,” Lowe added.
Legacy systems also can be magnets to healthcare hackers.
“Criminal hackers often target healthcare organizations because many organizations are using antiquated technology,” Cybrary’s Underhill said.
“They use an already taxed IT staff to perform critical security functions and have a non-IT staff base that may not fully understand how security fits into their day-to-day life,” he continued.
“I have seen a healthcare organization that was running Windows 95 on a machine,” Underhill said. “Yes, Windows 95.”
The healthcare industry’s information security problems are not all its own fault, maintained Lowe.
“The certification environment that healthcare has existed in over the years has contributed significantly to the current state of vulnerability of the tens of thousands of medical devices that are deployed and haven’t been patched or protected because of FDA certifications,” he said.
The industry and government are making progress tackling its security problems, Lowe continued.
“The manufacturers of healthcare devices and a realization by the FDA that cyber needs to be more easily implemented and maintained are helping to solve this problem in the future,” he noted. “However, tens of thousands of incredibly expensive legacy devices will be out there for the foreseeable future and will need to be addressed.”
The industry has been making progress securing its information, said Itzik Kotler, CTO of SafeBreach, a data breach and cyberattack simulation company in Sunnyvale, California.
“It’s just a question of a linear progression or quantum leap,” he told TechNewsWorld.
“Healthcare, due to the nature of the business, has difficulty making quantum leaps,” Kotler continued. “It has trouble enforcing security rules on third-party vendors and equipment, and it has to deal with legacy systems.”
Whether the industry can tighten up its security belt or not, one thing will remain certain.
“As healthcare is a PII-rich environment, it will likely continue to face threats from cybercriminals looking for data to enable fraudulent activity,” FireEye’s McNamara said. “Some healthcare organizations, particularly in key research areas, will also have to continue to deal with less frequent, but potentially high-impact threats like cyber espionage.”