By Devin Partida, technology writer and the editor-in-chief, ReHack.com.
The medical industry’s growing reliance on digital technologies has come with some increased risks. That became painfully evident for thousands of patients in the wake of a recent ransomware attack on CaptureRX, a healthcare administrative service provider.
On February 6, hackers accessed sensitive patient data from multiple CaptureRX clients, affecting at least 1 million people. The company started investigating after noticing unusual activity, and by February 19, it could confirm that someone had stolen patients’ personally identifiable information (PII). CaptureRX started alerting affected clients on March 30, and the full scope of the incident is still unclear.
Health IT’s Growing Ransomware Problem
This is far from the first instance of a ransomware attack on a health IT company. Ransomware as a whole has become much more common in the past few years, and medical businesses are more at risk than most. Hospitals have more to lose in these attacks, given the sensitive nature of their data, so a successful breach could be more profitable for hackers.
In 2020 alone, there were 92 ransomware attacks against healthcare organizations, affecting more than 18 million patient records. That represents a 60% increase over 2019 in the number of attacks and a 470% increase in records affected. Since 2016, these attacks have cost the industry more than $31 billion.
The CaptureRX attack is the latest in a troubling and growing trend of ransomware attacks against health IT. If industry leaders aren’t already aware of this problem, the sheer size of this incident will likely get their attention. With these attacks becoming more frequent and expensive, the sector will likely shift in response.
The COVID-19 pandemic has created a number of personal health data challenges for healthcare organizations and private businesses alike. From vaccine passport requirements and businesses handling incredibly sensitive information on their employees, to healthcare workers accessing sensitive patient data while working from home, the health crisis has created unprecedented data security and compliance challenges for employers and healthcare providers.
COVID-19’s Impact on Data Security
When COVID-19 first hit, many healthcare organizations shifted to a partially remote workforce overnight. This meant that healthcare administrators were using personal devices and had access to systems and data that they previously could only access on their employers’ network. The focus was on productivity and business continuity, not cybersecurity.
However, over a year later, we are still using this makeshift IT environment and the increased cyber risks have not been addressed. By accessing patients’ private healthcare information from personal devices or home networks, administrators are doubling or tripling the risk of a breach.
Why Do Criminals Want Healthcare Data?
There are several regulations designed to protect personal data, but health data presents unique challenges. For example, if my credit card were stolen, I could be assured that PCI would cover any losses due to my banks’ contractual obligations with credit card companies. However, my health data – including DNA, disease history and medical conditions – is fully unique. No one can reimburse me with a new set of personal health information!
Criminals understand this, which has led to a rise in personal health data being stolen. Many hackers are now breaching health systems’ networks for personal information, and demanding ransom from individuals to keep that data private.
Furthermore, healthcare workers have been under increased pressure due to the pandemic, which has made hospitals and health systems a more appealing and “softer” target for hackers.
Response from Sarah Johnson, RN and the health ambassador, Family Assets.
I’m an RN and the health ambassador for Family Assets, an eldercare and senior living resource for older adults and caregivers.
Working in eldercare and watching how telehealth technology has radically reshaped geriatric care during the pandemic, I think the most important question healthcare technology professionals should be asking themselves right now is: given that hospitals and healthcare facilities have been prime targets for cybercriminals, largely because of aging infrastructure, what needs to be done to make the rapidly expanding healthcare tech industry more secure?
I think the obvious answer to this is the development of much more robust digital security protocols at individual institutions and a massive educational initiative for healthcare providers and workers. This should include, among other things, scheduled stress testing that probes for cybersecurity vulnerabilities.
Too many organizations, within and outside of healthcare, are completely unprepared for the cyberthreats they face and are not diligent enough when it comes to monitoring and probing for weaknesses.
All healthcare technology professionals should have this issue front and center.
Netwrix, a cybersecurity vendor that makes data security easy, released predictions about key trends that will impact organizations in 2021 and beyond. Most of them arise from the digital transformation and new workflows required by the rapid transition to remote work in 2020.
Ilia Sotnikov, cybersecurity expert and Netwrix vice president of product management, recommends that IT and security professionals refine their risk management and business continuity strategies with these seven predictions in mind.
Ransomware will do more damage to motivate payments
Next-gen ransomware will be designed to do damage that is more difficult to recover from in order to force organizations into paying the ransom. One example is “bricking” devices by modifying the BIOS or other firmware. Cybercriminals will also be expanding to new targets, such as operational technology and IoT devices, which may have a much more visible impact on the physical world.
Cloud misconfigurations will be one of the top causes of data breaches
A lack of clear understanding of the shared responsibility model due to the rapid transition to the cloud will backfire in 2021. The speed of transition coupled with prioritizing productivity over security has made misconfigurations inevitable, resulting in overexposed data.
Hackers will increasingly target service providers
The shortage of cybersecurity experts will lead more organizations to turn to managed service providers (MSPs). In response, hackers will conduct targeted attacks on MSPs in order to get access to not just one organization but all of the MSP’s customers.
The rapid digital transformation in 2020 will have a delayed impact on cybersecurity in 2021
In 2020, organizations were forced to quickly adapt to new ways of working and implement new technologies and, by their own admission in the upcoming Netwrix survey, did so with little experience and nearly no time for planning and testing. In 2021, the security gaps caused by the inevitable mistakes during this rapid transition will be exploited, and we will see new data breach patterns like the recent Twitter hacks.
The coronavirus pandemic has impacted us profoundly as most nonessential businesses stay closed, and the nations worldwide stay indoors. The hospital staff is under tremendous stress, and all non-critical medical treatments and procedures are on hold until further notice. The pandemic has halted all industrial activity, and the medical field, the frontline warrior against the virus, has been disrupted the most.
Sadly, whether as an opportunistic trend or as organized crime, critical situations have always given criminals a favorable moment to strike. Owing to their large payouts and the increased public interest in them, medical facilities have emerged as a prime target.
Healthcare: A target of organized fraud
While the health sector has always been a prominent target for fraud, the situation intensified after the COVID-19 outbreak. One of the biggest battles that medical facilities needed, and still need, to fight is the trafficking of substandard and falsified medical products. These items usually included hand sanitizers, test kits, face masks, and other medical equipment. As the demand for such products spiked, criminals have attempted to take advantage of the public health system’s capacities.
Besides this major threat, healthcare facilities need to prepare their infrastructure for various cyberattacks. The COVID-19 crisis lowered the resistance of many facilities. INTERPOL reports a significant increase in the number of ransomware attacks against companies and organizations that battle the COVID-19 crisis.
Ransomware is one of the deadliest infections, as it is capable of stealing or encrypting medical data. If facilities then want to obtain the decryption key or prevent the data from being disclosed publicly, they need to pay large ransoms. In this situation, when hospital staff need access to medical records and patient histories, losing this confidential data can lead to death. Hence, hospitals need to consider whether their infrastructure is capable of resisting a ransomware infection. One of the options is to perform frequent penetration tests. They help organizations discover their weak points and evaluate their resistance to cyberattacks.
By Justin Fier, director of cyber intelligence and analytics, Darktrace
As the healthcare sector struggles against the COVID-19 crisis, working tirelessly to protect staff and patients while struggling with worsening economic realities, cybercriminals around the world are seeing a golden opportunity to attack.
Overwhelming demand, exhausted staff, IT teams pulled in multiple directions, and a critical reliance on technology to treat patients mean that adversaries have never had more opportunity or incentive to attack healthcare organizations.
By locking healthcare providers out of critical systems at this critical time, attackers can force them to pay a ransom to recover access or face adding to the already grim death toll.
Recently, an advisory was jointly issued by CISA and the UK’s National Cyber Security Centre (NCSC). This joint alert stemmed from the increase in state-sponsored attacks against organizations connected to COVID-19 research and response. These include pharmaceutical companies, hospitals, government agencies, research institutes, and more.
With the spread of COVID-19, strict social distancing and shelter-in-place policies, the practice of working remotely and implementing applications that limit in-person interaction have become the new norm.
Hospitals and health systems are at the forefront of this shift, and many are struggling with managing the IT infrastructural challenges created by the sudden massive demand for remote technology needed to cope with the global crisis.
Those able to work remotely may not be used to working outside of the office, nor do they necessarily have the proper equipment or office space to work comfortably and efficiently from home.
We assume that in 2020 each employee has access to a decent internet connection, but how can you really make sure they do? What about your infrastructure? Are you confident that your systems currently in place can withstand a different workflow? Do you have the right security measures in place? How do you trust that your employees are still being productive?
As health organizations continue to provide the same high quality of care and service while also keeping clinicians safe and healthy, we see IT challenges arising in numerous areas. While there is a great deal of depth to this topic, the following outlines a few of the major considerations for health organizations and IT teams shifting to a remote workforce.
When was the last time you evaluated key areas and were provided with recommendations for improvements in your IT environment? Take this opportunity to ensure you have the systems in place to facilitate strategic shifts and new initiatives like working remotely.
Network and remote access: to meet dynamic business needs, an organization’s network environment needs to be efficiently architected to facilitate high performance at the right cost. As the number of end users and devices accessing a network remotely increases, this service becomes a more important and critical responsibility. Optimize and manage bandwidth to ensure your network can withstand the rapid influx of traffic. Also, don’t forget to account for the number of licenses you will need to support your remote connections.
Virtual desktop infrastructure: remote workers can be deployed faster and supported more easily by using a Virtual Desktop Infrastructure (VDI). VDI allows for a consistent and simplified computing environment both locally and remotely. With VDI, IT support staff are better equipped to manage desktop computing due to centralized management tools that ease the burden of software updates, endpoint security, end-user support, endpoint replacement and future expansion.
In the past few months, telehealth services have helped many to obtain medical services and avoid exposure to COVID-19 while freeing up resources for those facing graver conditions. This is a great example of an unexpected circumstance quickening the adoption of new technology that will remain after the crisis has passed, but the rapid adoption has also overwhelmed telehealth services, illustrating the importance of network resilience.
Telehealth is just one relatively new application of technology that’s part of a constantly growing repertoire of connected tools. To provide optimal patient care, healthcare ecosystems require constant connectivity to many other bandwidth-intensive applications, such as IoT devices, systems to process patient data via electronic health records (EHR) and picture archiving systems (PACS). With experts predicting the Internet of Medical Things (IoMT) market to be worth $158.1 billion USD by 2022 (Deloitte), we can only expect this trend to grow.
With all these new advancements come new risks. Healthcare systems are comprised of multiple facilities, such as hospitals, labs and urgent care units that all have multi-point connectivity requirements. This requires higher capacity wide area networks (WAN) – often in the form of software-defined wide area networks (SD-WAN). If one of these points loses connectivity for reasons like a cyber-attack, an interoperability issue or a bad SD-WAN router update, the entire network could go offline.
To keep healthcare networks running, organizations need intelligent systems and processes to monitor every piece of equipment, prevent issues, and recover from incidents quickly. This will ensure the secure, always-on availability needed to decrease costs, meet strict regulatory requirements, and improve patient experiences.
Top challenges that can bring your healthcare network down
Three large challenges healthcare organizations face are protecting data, staying online during network consolidations, and unexpected incidents like natural disasters or physical equipment disruptions. These could all bring the primary network offline.
Cyber criminals constantly seek to breach data networks and harvest patient data. In this regard, ransomware attacks, which are primarily transmitted through spam/phishing or other manipulations of unprepared users operating in the primary data plane, cause many healthcare enterprises to shut down computer systems, including their EHR. No topic is off limits to hackers, and even in the past few months, research has revealed phrases like “corona” or “covid” have been featured in spam emails (RiskIQ).
Whether a health system is seeking to modernize its infrastructure or a merger has led to a large transformation, consolidating networks can also be a challenge, requiring the migration of a multitude of apps and hardware components that must stay online at all times and integrate with one another in a cohesive system.
Lastly, unexpected outages from physical events can bring a system offline by disrupting vulnerable points like last mile connections. In this regard, a wide range of network components, such as cable interconnects, switches, power supplies, storage arrays, or chillers could present problems. To support new technologies, network environments are only becoming more complex, which means more software stacks that are frequently updated and susceptible to exploits, bugs and cyberattacks.
Healthcare employees are on the frontlines of the coronavirus pandemic, in many cases working extended hours under extremely taxing circumstances in an effort to treat the growing number of infected patients. In this environment, it’s critical that everyone is cognizant of an unfortunate reality of our times: hackers are always looking for ways to capitalize on a crisis.
As such, it’s important that hospitals and healthcare institutions help employees safeguard their data and ensure they are cognizant of the increased security threats associated with the pandemic. Following are a few tips to consider:
A rise in phishing scams: As mentioned above, many hackers are employing phishing scams to pose as companies offering a legitimate coronavirus-related service in an attempt to trick recipients into sharing credit card information or other personal data. The good news is that there are some common characteristics associated with phishing attacks that people can use to vet these communications. For example, encourage employees to check for grammar, punctuation and formatting errors as these are often phishing red flags. It’s also important to review links before actually clicking on them and look for things that appear odd such as dashes, extra characters, or additional letters and numbers. Another good practice is to check the email address itself to see if it contains multiple numbers or letters. Finally, encourage employees to always reach out to the company in question to determine the authenticity of an offer before clicking on any links if they harbor doubts.
Increased online shopping: With more shopping taking place online, particularly for healthcare employees working long hours, the importance of strong, unique passwords is more critical than ever. It’s extremely common for people to create simple passwords that they share across multiple accounts. However, if those credentials have been leaked in a previous breach, hackers can easily use them to access these accounts and all the data they contain. Healthcare institutions must stress the significant vulnerability of this poor password practice, and encourage employees to review existing passwords and ensure any new accounts they create are protected by strong, unique credentials. Password manager solutions can be extremely helpful, particularly for people who are setting up numerous new online accounts in response to “Stay Home” orders.
An uptick in connectivity: With people working from home or participating in remote learning programs, many families are experiencing an increase in internet connectivity. This undoubtedly puts a strain on bandwidth, but it also introduces some security vulnerabilities. For example, what if a child accidentally downloads malware on the home network? And are connected devices like voice assistants or smart TVs protected by unique passwords, or do they still have the default factory settings? It’s important that employees are aware of the threats that can arise with greater connectivity and ensure they take steps to address them. It’s also essential that hospitals insist employees use their VPN whenever accessing work-related systems or data from home to keep this information protected.
In addition to the considerations outlined above, it’s also important that healthcare employees keep an eye on the evolving cybersecurity landscape as it relates to the pandemic. It’s likely that hackers will continue to find new ways to exploit the situation for their own nefarious purposes. As employees work diligently to combat coronavirus, it’s essential that hospitals remind them to keep their personal information safe.
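The link and sender checks from the phishing tip above (dashes, extra characters, added letters and numbers, digits in the sender address) can also be applied automatically before a message reaches staff. The following Python is an added example, not part of the original article; the KNOWN_DOMAINS values, the function names, the sample message and the 0.85 similarity threshold are all assumptions made for illustration.

```python
import difflib
import re
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains the organisation really uses (constructed values).
KNOWN_DOMAINS = {"examplehealth.org", "examplepayroll.com"}


def registered_domain(host):
    """Naive last-two-labels split; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_flags(host):
    """Red flags for one hostname: dashes, digits, and lookalikes of known domains."""
    host = host.lower().rstrip(".")
    reg = registered_domain(host)
    if reg in KNOWN_DOMAINS:
        return []  # exact match on a domain the organisation uses
    name = reg.split(".")[0]
    flags = []
    if "-" in name:
        flags.append("dash-in-domain")
    if re.search(r"\d", name):
        flags.append("digits-in-domain")
    for known in sorted(KNOWN_DOMAINS):
        brand = known.split(".")[0]
        ratio = difflib.SequenceMatcher(None, name, brand).ratio()
        # Known name embedded in a different domain, or a near-identical spelling.
        if brand in host or ratio >= 0.85:
            flags.append("lookalike-of:" + known)
    return flags


def link_flags(url):
    """Apply the hostname checks to the host part of a link."""
    if "://" not in url:
        url = "http://" + url  # let urlsplit find the host in scheme-less links
    host = urlsplit(url).hostname
    return domain_flags(host) if host else ["no-host"]


def sender_flags(sender):
    """Check the sender's domain and count digits in the mailbox name."""
    addr = parseaddr(sender)[1]
    local, sep, domain = addr.rpartition("@")
    if not sep or not domain:
        return ["no-sender-domain"]
    flags = domain_flags(domain)
    if len(re.findall(r"\d", local)) >= 2:
        flags.append("digits-in-sender")
    return flags


def triage(sender, links):
    """Collect flags for one message and say whether a person should look at it."""
    report = {"sender": sender_flags(sender),
              "links": {url: link_flags(url) for url in links}}
    report["needs_review"] = bool(report["sender"]) or any(report["links"].values())
    return report


# Constructed sample message (not taken from any real campaign).
SAMPLE_SENDER = '"Benefits Team" <hr.support8841@examplehealth-mail.com>'
SAMPLE_LINKS = ["https://portal.examplehealth.org/login",
                "http://examplehealth-covid19-relief.com/claim",
                "https://examp1ehealth.org/reset"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SENDER, SAMPLE_LINKS).items():
        print(key, value)
```

A flagged message is a candidate for human review, not a verdict: legitimate domains can contain dashes or digits, and a lookalike with no such marks will pass these checks.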
Anyone who watches the news should be aware of the constant threat of identity theft. Every day, hackers create new scams and tactics to steal private information that they can sell to the highest bidder or use to take out loans and credit cards and put victims in debt. Unfortunately, few industries are as exposed to these threats as the healthcare industry.
Every time someone goes to the doctor, they are sharing personal details with their medical provider and other staff, which gets logged into a computer for later — and hackers are eager to unlock this treasure trove of private info. As technology advances, so will the threats, so extra precautions will be necessary. Below are the threats coming down the pike and how to prevent them.
Emerging Healthcare Threats
Healthcare will always be a huge target for cyber thieves simply because of the sheer amount of information that is created with every doctor’s appointment or surgical procedure. An emerging threat that is gaining steam is ransomware attacks, where hackers take control of patient data with the hope of illegal profit.
In one example, early in 2019, hackers gained access to and encrypted the data within the computer system of provider NEO Urology. Fearing the worst, the staff paid the requested $75,000, and the data was freed. It was a painful price to pay for a threat that could have been avoided.
All it takes is one successful scheme to bring the criminals out of the woodwork. Since the NEO hack, several other ransomware attacks have occurred around the country, including instances in New York and California, where thousands of patient records have been compromised. When these attacks occur, it is not only patients that face the consequences, but also the business, as repairing a corporate image and fixing the damage could cost a company millions.
New technologies are on the horizon, but they too must be safeguarded from cyber threats. Lately, the idea of integrating artificial intelligence into hospitals has been gaining steam, as experts believe that this technology could limit the number of hospital errors as well as assist with earlier detection of medical issues. However, while this technology continues to evolve, it is still open to the risk of cybercrime.
As a first step to securing your hospital systems, a penetration test should be completed. Penetration testing involves inspecting your system for vulnerabilities, such as weak firewalls or poor security policies, and produces a report, so you know what to fix to protect the patient information involved. Your baseline security should be intact before adding any new features.