By Ziad Nasr
General Manager, Acronis MENA
Hospitals, nursing homes, doctor’s offices, and other medical facilities typically sit at the top of the food chain for cybercriminals and malware purveyors. That’s because while hospitals face pressure to optimize and improve patient care by leveraging more advanced technologies like the Internet of Things (IoT), hackers are busy exploiting these “open doors”. Cybersecurity has risen to military-grade protection in this battle to shield a patient’s sensitive information and avoid hefty penalties and class action lawsuits.
What does it mean for medical service providers (MSPs) and IT service providers? Opportunities for modernizing a healthcare provider’s security and backup systems with integrated protection create an impenetrable barrier between a patient’s personal information and cybercriminals looking to exploit system weaknesses.
Hackers are way ahead of the game
During the pandemic, people shared personal information with virtual doctors, clinic visits, and remote testing like never before. Both digital and physical healthcare activities became prominent and widespread. A detailed report published in the Journal of Global Health regarding the response of the UAE Government to combat the coronavirus pandemic highlighted some significant points, such as:
- The use of the ALHOSN UAE app for digital COVID-19 test reports
- Testing services in most healthcare facilities across the nation as established by the Department of Health – Abu Dhabi and SEHA
- UAE citizens, domestic workers, people of determination, pregnant women, residents over 50 years, those with chronic diseases or with coronavirus symptoms, and even the contacts of the coronavirus patients were all provided free testing
Some countries in the MENA region didn’t have the same level of efficient and prompt response to the pandemic. However, according to the 2020 OECD report, more than 2 million COVID-19 infections were registered in the region, and hospitals were crowded in many of these countries.
This influx of the general public and infected patients led to a massive spike in public health records, which proved to be a goldmine for hackers and cybercriminals. Patient data is a prime target for criminals. Protected health information (PHI) is one of the hottest commodities on the dark web. According to an IBM report, the average cost of a single data breach in the Middle East was $6.93 in 2021 which rose to $7.46 in 2022. And although the UAE has advanced technology, a ransomware group was still able to attack Moorfields Eye Hospital – one of the oldest ophthalmology centres in the country – in 2021, gaining access to about 60 GB of sensitive data.
How are cybercriminals infiltrating practices, clinics and hospitals?
- Email. Phishing scams are one of the most frequent entry points for cybercriminals. The Khaleej Times reported a 230% increase in the rate of such attacks in the UAE during the second quarter of 2022, compared to the previous quarter, with a total of 3.4 million phishing attacks detected in this period. Recently, Kaspersky organized the 8th annual cybersecurity forum for the Middle East, Turkey, and Africa (META 2023), with Daily News Egypt reporting the findings shared during the event. It was stated that the first quarter of 2023 saw a 49% increase in phishing attacks in Egypt, around 27% increase in both Oman and Kuwait, and an 88% increase in Qatar, compared to the first quarter of 2022.
- Medical Devices. These same bad actors are finding other ways to creep into network servers. A study by online marketplace vendor Capterra late 2022 found that healthcare organizations with connected medical devices also experience a greater number of cyberattacks. Nearly half (48%) of those breaches affected patient care and two-thirds (67%) patient data. Several related studies have shown devices from MRI machines to heart rate monitors as a weak link in a hospital’s cyber defence in most data breaches.
Healthcare organizations must act now
Cyberattacks, ransomware, and data breaches seriously hurt the credibility of healthcare institutions in the UAE and MENA region and put both the general public and medical organizations at great risk. But most often, the biggest issue is that such attacks lead to huge financial losses for healthcare organizations, whether ransom to hackers or hefty fines imposed due to non-compliance with healthcare and data privacy regulations.
The issue, however, is that laws and regulations regarding Protected Health Information (PHI) are not up to standard in the Middle East. The UAE has implemented the Federal Law No 2 of 2019 (Health Data Law), which strictly regulates the handling of patients’ medical records by healthcare institutions. However, countries such as Kuwait, Oman and Saudi Arabia still do not have well-established, clearly defined laws and policies to protect healthcare data. In such countries, medical organizations must take it into their own hands to implement necessary measures to protect healthcare data from cyberattacks.
Cybercriminals continue gaining unauthorized network access through email phishing and exploiting weak passwords. External-facing servers and databases without the proper cybersecurity practices and technology also provide easy access to sensitive records. Implementing staff/awareness training programmes and locking down easily accessible systems are two steps MSPs can take to better protect their healthcare clients.
These are just a few of the healthcare-related protection concerns that Acronis can help MSPs address. For example, Acronis Cyber Protect helps IT services firms detect and block the malware typically used in data breaches and ransomware attacks. With an integrated disaster recovery option, the platform’s multi-layered behavioural and AI-powered detection engines help ensure business continuity for any organization – including doctors’ and dentists’ offices, hospitals, clinics, and other healthcare facilities.
