
Page 1: Rosen Sunshine · 2017. 1. 19.

24 | FORENSIC ACCOUNTING & FRAUD

HOSPITAL

Danger lurking in the cloud

Hackers can target medical, pharma data

By CHRISTOPHER GULY

ALL IMAGES BY ISTOCKPHOTO.COM


FORENSIC ACCOUNTING & FRAUD | 25

HOLDING INFORMATION HOSTAGE is becoming one of the most common cyber-criminal capers.

Ransomware, that nasty malware which prevents or limits authorized users from accessing a computer system and demands a ransom to lift that restriction, is a major and “rapidly growing” threat this year, according to Intel Security’s McAfee Labs.

In its 2016 threat prediction forecast, the computer security researcher reported that more than two million new samples of ransomware were detected in the first half of 2015 alone and expects remediation will be made more difficult as attackers will increasingly encrypt files before they are backed up.

McAfee identified financials and local government as industry sectors likely to be targeted and pay ransoms to restore critical operations. But other sectors have been victimized.

In March, information stored on four of 9,800 computers in The Ottawa Hospital’s network was encrypted and rendered inaccessible through a ransomware attack. The hospital said patient information wasn’t obtained through the hack and that the unidentified information was restored through backups — and no ransom was paid.

The Ottawa incident resolved more positively than a ransomware attack in February on computer systems at Hollywood Presbyterian Medical Center in Los Angeles. Although the hospital said that patient care and hospital records were never compromised, it had to pay a ransom of 40 bitcoin, worth about US$17,000, to obtain a decryption key to unlock the medical centre’s computer systems.

Sometimes, hackers get what they want beyond payment. Last year in the U.S., data breaches at both UCLA Health System and major health-insurance company Anthem Inc. may have resulted in access to the patient records and personal information of more than 100 million people.

Theft of this type of confidential data could increase as the medical, biotechnology and pharmaceutical industries begin using cloud services to store information, warns Abhay Raman, a partner with Ernst & Young LLP in Toronto where he leads the cyber-risk services practice group.

“Anything hooked up to the Internet can be compromised in terms of the integrity of the data shared, and now there’s the potential to cause harm to patient safety,” says Raman.

He expects that rather than just hacking into computers to steal such patient-related information as insurance policy numbers or prescriptions, cybercriminals will use ransomware to monetize attacks against the computer systems at hospitals, medical research facilities and pharmaceutical manufacturers. Either these targets pay a ransom to have the information released, or that data is sold in a black market hungry for competitive intelligence on the efficacy of drugs in development, or the potential for new medical treatments.

“These are well-organized hackers-for-hire who have buyers in mind before they compromise computer networks, as opposed to putting stolen data up for sale in the underground marketplace,” Raman explains.

He says although overall cloud adoption across industries is “still in its infancy,” a 2016 global survey of 1,060 IT professionals by California-based cloud management pioneer RightScale found that 95 per cent of them are using the cloud.

(However, RightScale also reported a significant change in its fifth annual State of the Cloud survey. Lack of resources or expertise increased from 27 per cent last year to 32 per cent this year, supplanting security as the biggest concern since the 2013 report.)

Canadian health-services data is already on the cloud, such as in Ontario where the Institute for Clinical Evaluative Sciences (ICES) allows researchers to access anonymous patient records and clinical databases on a remote computer server. However, ICES insists that privacy and confidentiality of personal health information is maintained through the use of various physical safety measures and technological safeguards, including encryption.

That same rigorous level of controls is even more critical for medical-pharma organizations transmitting wirelessly onto the cloud confidential information about actual patients or data on a drug or treatment under development, says Raman.

“Data integrity is a huge concern, so hospitals and pharmaceutical companies have to ensure that their cloud environment is secure, trusted and audit-ready.” He explains that the cloud also has to be “available and resilient” to hacking, particularly in instances where a physician needs access to patient information to make a diagnosis within minutes.

Michael Lucas, senior manager of the technology risk practice group at Crowe Horwath LLP in London who advises the world’s top pharma and life sciences companies on IT security issues, says that organizations in those sectors have critically sensitive information involving intellectual property, such as molecule development (essentially the recipe for the way a drug is made) and clinical trial data, which if lost or stolen could have devastating consequences for a patented product.

That valuable intelligence is often sold on the black market to drug competitors in Russia and China, although Lucas adds that identities of employees and patients (if a clinical trial is involved) have a high resale value too.

Therefore, validating cloud-service providers is crucial. Says Lucas: “Organizations must do a detailed assessment of their IT provider, including employee background checks and a thorough review of that third party’s IT controls and how they will protect data.”

He explains that while using the cloud comes with risk since posting information and data to it is no longer within an organization’s enterprise firewall, it is easier, simpler, quicker and less costly to maintain than building and maintaining the solution in-house.

As an extended enterprise, the cloud is also becoming a cyber-hub for medical and pharmaceutical devices.

Electronic lab notebooks used to track progress on research, experiments and procedures are moving to cloud-based environments, as are devices worn by patients.

Swiss drugmaker Novartis is working with U.S. technology company Qualcomm to develop an Internet-connected inhaler that can send information on the frequency of its use by patients with chronic obstructive pulmonary disease to the cloud by 2019. Novartis is also collaborating with Google to create a smart contact lens to monitor diabetics’ glucose levels through the cloud, while Microsoft and Swedish medical device company Aerocrine have joined forces on a cloud project to analyze data from asthma sufferers.

26 | FORENSIC ACCOUNTING & FRAUD

These types of wearable medical devices in a telemedicine environment will proliferate based on their potential to provide valuable data for both physicians to make more accurate diagnoses and patients to track the state of their health, predicts Raman.

If the medical industry wants to ensure its increasingly popular devices are as hacker-proof as possible, it should look to the tight security measures the financial services and nuclear industries employ with their devices to ensure they are “fully reliable,” says Raman.

Cloud-connected devices carry unique risks. Compromised or manipulated data could lead to a false diagnosis and potentially improper treatment. But devices could also be ripe for corporate espionage, where hackers could obtain valuable intelligence for marketers and advertisers on the wearer’s pattern of behaviour in terms of “what they’re doing and at what time of day,” beyond passing the raw scientific data gathered to medical or pharmaceutical competitors, as Raman explains.

He says device manufacturers must not only ensure appropriate security features are embedded in their wearable gadgets, but also inform the wearers of what types of data are collected and shared through a “privacy label” similar to “nutrition facts” labelling on food.

Lucas says that cloud-service providers could, as the banking industry does as a regulatory requirement, obtain independent certification — such as ISAE (International Standard for Assurance Engagements) 3402 or ISO 27001 — that indicates whether an organization has adequate information security management systems. “A granular review of a third party’s controls would give the life sciences and pharmaceutical industries the assurance that if they send highly sensitive information to the cloud it’s going to be safe because there has been a thorough review of the provider’s infrastructure,” he explains. “Essentially it’s a chance to look under the hood and confirm everything is sound before starting the engine and driving away.”

Toronto health lawyer Elyse Sunshine says health professionals must ensure that any policies and guidelines from their regulatory bodies regarding electronic health records are reflected in any agreement with a cloud service provider.

“Any contract needs to comply with the highest prescribed standards for encryption, firewalls and passwords,” explains Sunshine, a partner with Rosen Sunshine LLP.

She adds that healthcare providers are also required to have a privacy policy and must disclose to patients how they plan to collect and use information on the cloud and obtain patients’ consent.

Raman says that with more than one billion personal electronic records available for sale in the underground market, all organizations relying on the cloud for data storage need to have strict security protocols in place that include who is authorized to access the information.

However, Raman notes that as cloud adoption increases, the expectation is that the cloud environment will always be patched and remain current in terms of its “overall hygiene.”

“That’s a significant security benefit because it will make it more difficult for hackers to compromise information uploaded by every tenant in that cloud environment.”