By Justin Fier, director of cyber intelligence and analytics, Darktrace
As the healthcare sector struggles against the COVID-19 crisis, working tirelessly to protect staff and patients while struggling with worsening economic realities, cybercriminals around the world are seeing a golden opportunity to attack.
Overwhelming demand, exhausted staff, IT teams pulled in multiple directions, and a critical reliance on technology to treat patients mean that adversaries have never had more opportunity or incentive to attack healthcare organizations.
By locking healthcare providers out of critical systems at this critical time, attackers can force them to pay a ransom to recover access or face adding to the already grim death toll.
Recently, an advisory was jointly issued by CISA and the UK’s National Cyber Security Centre (NCSC). This joint alert stemmed from the increase in state-sponsored attacks against organizations connected to COVID-19 research and response. These include pharmaceutical companies, hospitals, government agencies, research institutes, and more.
With the spread of COVID-19, strict social distancing and shelter-in-place policies, the practice of working remotely and implementing applications that limit in-person interaction have become the new norm.
Hospitals and health systems are at the forefront of this shift, and many are struggling with managing the IT infrastructural challenges created by the sudden massive demand for remote technology needed to cope with the global crisis.
Those able to work remotely may not be used to working outside of the office, nor may they have the proper equipment or office space to comfortably and efficiently work from home.
We assume that in 2020 each employee has access to a decent internet connection, but how can you really make sure they do? What about your infrastructure? Are you confident that your systems currently in place can withstand a different workflow? Do you have the right security measures in place? How do you trust that your employees are still being productive?
As health organizations continue to provide the same high quality of care and service while also keeping clinicians safe and healthy, we see IT challenges arising in numerous areas. While there is a great deal of depth to this topic, the following outlines a few of the major considerations for health organizations and IT teams shifting to a remote workforce.
When was the last time you evaluated key areas and were provided with recommendations for improvements in your IT environment? Take this opportunity to ensure you have the systems in place to facilitate strategic shifts and new initiatives like working remotely.
Network and remote access: to meet dynamic business needs, an organization’s network environment needs to be efficiently architected to facilitate high-performance at the right cost. As end users and devices accessing a network remotely increase, this service becomes a more important and critical responsibility. Optimize and manage bandwidth to ensure your network can withstand the rapid influx of traffic. Also, don’t forget to account for the number of licenses you will need to support your remote connections.
Virtual desktop infrastructure: remote workers can be deployed faster and supported more easily by using a Virtual Desktop Infrastructure (VDI). VDI allows for a consistent and simplified computing environment both locally and remotely. With VDI, IT support staff are better equipped to manage desktop computing due to centralized management tools that ease the burden of software updates, endpoint security, end-user support, endpoint replacement and future expansion.
In the past few months, telehealth services have helped many to obtain medical services and avoid exposure to COVID-19 while freeing up resources for those facing graver conditions. This is a great example of an unexpected circumstance quickening the adoption of new technology that will remain after the crisis has passed, but the rapid adoption has also overwhelmed telehealth services, illustrating the importance of network resilience.
Telehealth is just one relatively new application of technology that’s part of a constantly growing repertoire of connected tools. To provide optimal patient care, healthcare ecosystems require constant connectivity to many other bandwidth-intensive applications, such as IoT devices, systems to process patient data via electronic health records (EHR) and picture archiving systems (PACS). With experts predicting the Internet of Medical Things (IoMT) market to be worth $158.1 billion USD by 2022 (Deloitte), we can only expect this trend to grow.
With all these new advancements come new risks. Healthcare systems are comprised of multiple facilities, such as hospitals, labs and urgent care units that all have multi-point connectivity requirements. This requires higher capacity wide area networks (WAN) – often in the form of software-defined wide area networks (SD-WAN). If one of these points loses connectivity for reasons like a cyber-attack, an interoperability issue or a bad SD-WAN router update, the entire network could go offline.
To keep healthcare networks running, organizations need intelligent systems and processes to monitor every piece of equipment, prevent issues, and recover from incidents quickly. This will ensure the secure, always-on availability needed to decrease costs, meet strict regulatory requirements, and improve patient experiences.
Top challenges that can bring your healthcare network down
Three large challenges healthcare organizations face are protecting data, staying online during network consolidations, and unexpected incidents like natural disasters or physical equipment disruptions. These could all bring the primary network offline.
Cyber criminals constantly seek to breach data networks and harvest patient data. In this regard, ransomware attacks, which are primarily transmitted through spam/phishing or other manipulations of unprepared users operating in the primary data plane, cause many healthcare enterprises to shut down computer systems, including their EHR. No topic is off limits to hackers, and even in the past few months, research has revealed phrases like “corona” or “covid” have been featured in spam emails (RiskIQ).
Whether a health system is seeking to modernize its infrastructure or a merger has led to a large transformation, consolidating networks can also be a challenge, requiring the migration of a multitude of apps and hardware components that must stay online at all times and integrate with one another in a cohesive system.
Lastly, unexpected outages from physical events can bring a system offline by disrupting vulnerable points like last mile connections. In this regard, a wide range of network components, such as cable interconnects, switches, power supplies, storage arrays, or chillers could present problems. To support new technologies, network environments are only becoming more complex, which means more software stacks that are frequently updated and susceptible to exploits, bugs and cyberattacks.
Healthcare employees are on the frontlines of the coronavirus pandemic, in many cases working extended hours under extremely taxing circumstances in an effort to treat the growing number of infected patients. In this environment, it’s critical that everyone is cognizant of an unfortunate reality of our times: hackers are always looking for ways to capitalize on a crisis.
As such, it’s important that hospitals and healthcare institutions help employees safeguard their data and ensure they are cognizant of the increased security threats associated with the pandemic. Following are a few tips to consider:
A rise in phishing scams: As mentioned above, many hackers are employing phishing scams to pose as companies offering a legitimate coronavirus-related service in an attempt to trick recipients into sharing credit card information or other personal data. The good news is that there are some common characteristics associated with phishing attacks that people can use to vet these communications. For example, encourage employees to check for grammar, punctuation and formatting errors as these are often phishing red flags. It’s also important to review links before actually clicking on them and look for things that appear odd such as dashes, extra characters, or additional letters and numbers. Another good practice is to check the email address itself to see if it contains multiple numbers or letters. Finally, encourage employees to always reach out to the company in question to determine the authenticity of an offer before clicking on any links if they harbor doubts.
Increased online shopping: With more shopping taking place online, particularly for healthcare employees working long hours, the importance of strong, unique passwords is more critical than ever. It’s extremely common for people to create simple passwords that they share across multiple accounts. However, if those credentials have been leaked in a previous breach, hackers can easily use them to access these accounts and all the data they contain. Healthcare institutions must stress the significant vulnerability of this poor password practice, and encourage employees to review existing passwords and ensure any new accounts they create are protected by strong, unique credentials. Password manager solutions can be extremely helpful, particularly for people who are setting up numerous new online accounts in response to “Stay Home” orders.
An uptick in connectivity: With people working from home or participating in remote learning programs, many families are experiencing an increase in internet connectivity. This undoubtedly puts a strain on bandwidth, but it also introduces some security vulnerabilities. For example, what if a child accidentally downloads malware on the home network? And are connected devices like voice assistants or smart TVs protected by unique passwords, or do they still have the default factory settings? It’s important that employees are aware of the threats that can arise with greater connectivity and ensure they take steps to address them. It’s also essential that hospitals insist employees use their VPN whenever accessing work-related systems or data from home to keep this information protected.
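The link and sender checks from the phishing tip above can be automated in a mail-triage script. The following is an added example, not code from the original article; the trusted-domain list, function names and every sample address are constructed assumptions, and the look-alike comparison against known-good domains goes slightly beyond what the tip describes.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list: domains the organisation really uses (assumption).
TRUSTED = ("examplehospital.example", "healthagency.example")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_domain(host):
    """Last two labels of a host (naive; a real tool would use the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_flags(host):
    """Return the red flags from the tip that apply to a host name."""
    if not host:
        return ["no host name"]
    host = host.lower()
    domain = base_domain(host)
    if domain in TRUSTED:
        return []  # genuinely one of our own domains or a subdomain of it
    flags = []
    if "-" in host:
        flags.append("dash in host name")
    if re.search(r"\d", host):
        flags.append("digits in host name")
    tokens = set(re.split(r"[.-]", host))
    for good in TRUSTED:
        brand = good.split(".")[0]
        # A trusted brand used as a label elsewhere, or a near-miss spelling.
        if brand in tokens or edit_distance(domain, good) <= 2:
            flags.append("imitates " + good)
    return flags


def link_flags(url):
    """Vet the real destination of a link, not its display text."""
    return host_flags(urlsplit(url).hostname)


def sender_flags(address):
    """Vet a sender address: digits in the mailbox name plus the host checks."""
    local, _, host = address.rpartition("@")
    digits = sum(ch.isdigit() for ch in local)
    flags = ["multiple digits in sender name"] if digits >= 2 else []
    return flags + host_flags(host)


def vet_message(sender, urls):
    """Map each suspicious sender or link to its flags; clean items are omitted."""
    report = {sender: sender_flags(sender)}
    report.update({u: link_flags(u) for u in urls})
    return {item: flags for item, flags in report.items() if flags}


if __name__ == "__main__":
    # Constructed sample message.
    sample = vet_message(
        "support84721@covid19-aid.example",
        ["https://portal.examplehospital.example/covid",
         "http://healthagency-relief.covid19-aid.example/claim",
         "https://examplehospitai.example/login"],
    )
    for item, flags in sample.items():
        print(item, "->", ", ".join(flags))
```

A clean result only means none of these surface cues fired; the tip's final step of contacting the company directly still applies.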
In addition to the considerations outlined above, it’s also important that healthcare employees keep an eye on the evolving cybersecurity landscape as it relates to the pandemic. It’s likely that hackers will continue to find new ways to exploit the situation for their own nefarious purposes. As employees work diligently to combat coronavirus, it’s essential that hospitals remind them to keep their personal information safe.
Anyone who watches the news should be aware of the constant threat of identity theft. Every day, hackers create new scams and tactics to steal private information that they can sell to the highest bidder or use to take out loans and credit cards and put victims in debt. Unfortunately, few industries are as exposed to these threats as the healthcare industry.
Every time someone goes to the doctor, they are sharing personal details with their medical provider and other staff, which gets logged into a computer for later — and hackers are eager to unlock this treasure trove of private info. As technology advances, so will the threats, so extra precautions will be necessary. Below are the threats coming down the pike and how to prevent them.
Emerging Healthcare Threats
Healthcare will always be a huge target for cyber thieves simply because of the sheer amount of information that is created with every doctor’s appointment or surgical procedure. An emerging threat that is gaining steam is ransomware attacks, where hackers take control of patient data with the hope of illegal profit.
In just one example, early in 2019, hackers gained access to and encrypted the data within the computer system of provider NEO Urology. Fearing the worst, the staff paid the requested $75,000, and the data was freed. It was a painful price to pay for a threat that could have been avoided.
All it takes is one successful scheme to bring the criminals out of the woodwork. Since the NEO hack, several other ransomware attacks have occurred around the country, including instances in New York and California, where thousands of patient records have been compromised. When these attacks occur, it is not only patients that face the consequences, but also the business, as repairing a corporate image and fixing the damage could cost a company millions.
New technologies are on the horizon, but they too must be safeguarded from cyber threats. Lately, the idea of integrating artificial intelligence into hospitals has been gaining steam, as experts believe that this technology could limit the number of hospital errors as well as assist with earlier detection of medical issues. However, while this technology continues to evolve, it is still open to the risk of cybercrime.
As a first step to securing your hospital systems, a penetration test should be completed. Penetration testing involves inspecting your system for vulnerabilities, such as weak firewalls or poor security policies, and produces a report, so you know what to fix to protect the patient information involved. Your baseline security should be intact before adding any new features.
By Dena Bauckman, vice president of product management, Zix.
When you go to the hospital, you want to be under the care of the best personnel and state-of-the-art technology. It’s easy to assume that’s the case when you’re surrounded by astronomically expensive devices like MRI machines, CT scanners, and surgical robots.
Behind the scenes, however, systems might not be on the cutting edge. According to a report from the Institute of Global Health Innovation at the Imperial College of London, the National Health Service is plagued by inadequate cyber defenses that could put the service system’s patients at risk. The picture isn’t any rosier on this side of the Atlantic Ocean. In September 2019 alone, just shy of 2 million records were breached in American healthcare hacks.
Antiquated computers, insufficient funding, and a lack of necessary expertise in cybersecurity are all combining to create a dangerous situation in healthcare. Sensitive as patient data may be, its theft isn’t even the biggest risk. “A cyberattack on a hospital’s computer system can leave medical staff unable to access important patient details — such as blood test results or X-rays, meaning they are unable to offer appropriate and timely care,” one of the aforementioned report’s authors wrote. “It can also prevent life-saving medical equipment or devices from working properly.”
A Typical Diagnosis
Despite the plethora of healthcare cybersecurity breaches in the headlines, most organizations still aren’t prepared to defend themselves against the latest generation of cyber threats. That’s no surprise because the number of threats they must contend with is increasing each day. In order to provide the best care possible, healthcare organizations must also collect some of the most valuable data available to enterprising cybercriminals.
Birthdays, Social Security numbers, payment information, and health records all add up to an identity theft gold mine. Once they have the information, hackers can steal even more with targeted phishing campaigns (a practice called spearphishing) that are almost impossible for the average user to detect. If all else fails, the granular detail associated with healthcare information means that the data can fetch a large sum on the dark web — especially when records are stolen by the millions.
As healthcare organizations adopt exciting new technologies, the problem only becomes worse. Those new technologies come with new vulnerabilities, some of which won’t be discovered until they’ve caused a breach. With so many digital devices (including those owned by employees) being used to access, store, and transmit sensitive data, it’s no wonder hackers are having an easy time finding an entry point.
By Glenn Day, chief sales officer and practice leader of healthcare, HUB International.
True Story: An employee at one New England medical practice stayed after hours to search patient records for gossip on her neighbor. She found what she was looking for – evidence that the neighbor was seeking psychiatric counseling. She posted it on Facebook. As soon as the clinic discovered what happened, the employee was terminated.
But the damage had already been done. The practice was named in a lawsuit for failing to properly supervise the employee and safeguard patient medical records. Without cyber coverage, the medical clinic was on its own for legal fees and settlements.
Healthcare data breaches are complex and this story is just one example. It doesn’t matter who the perpetrator of the breach is; the responsibility for regulatory-compliant breach response almost always falls upon the original data collector.
More than half – 63% – of healthcare cybersecurity breaches are caused by criminal or malicious activity; hacking accounts for 20% and ransomware represents 10% of healthcare breach claims.
Data breaches have also brought new regulations and guidelines to healthcare, like the HIPAA and ransomware guidelines published by the Department of Health and Human Services. The rule requires HIPAA-covered entities that have suffered a ransomware attack to prove through a documented investigation that their data wasn’t actually acquired, but only frozen by the hacker.
These forces have contributed significantly to healthcare’s rising data breach costs. According to the Ponemon 2017 Cost of Data Breach Study, healthcare has the highest per capita data breach cost.
Having a robust healthcare cybersecurity policy, and understanding what’s covered and what’s not can help alleviate losses and put your healthcare institution into the driver’s seat post-breach.
Here are seven things you need to know about healthcare cybersecurity coverage:
Developments in technology have had a profound impact on nearly every aspect of our lives. We can hardly get through an hour without tech having an effect on what we’re doing, let alone a full day. From the morning alarm on our smartphones, to the Bluetooth sound system in our cars, to the social media accounts we share everything on, technology surrounds us.
Perhaps one of the aspects that many of us think the least about is how it has utterly transformed the way we manage our healthcare data. The development of electronic health records and, even more importantly, the cloud, have brought about all sorts of changes. Many have the potential to impact our lives in both positive and negative ways depending upon how they are managed.
When it comes to our health data, there is an added urgency in making sure everything is safe and secure no matter where it is ultimately stored. Well managed data can mean a more efficient and effective healthcare service, while mismanaged data can lead to the loss of personal information and an unraveling of the privacy most of us have come to expect in a professional healthcare setting.
Medical Records, HIPAA and the Cloud
In 1996, the United States government passed HIPAA, a landmark healthcare act that helped to create and enforce privacy and data security requirements associated with medical information. The act has since been expanded in an effort to keep up with modern technologies, and nearly everyone involved in the healthcare system is expected to follow the rules. Because of this legislation, one can expect that their medical records will be kept private unless they choose to release them, no matter where they are stored.
Cloud-based data storage and technology provide numerous benefits to the healthcare system, including better dataset analysis, improved efficiencies in individual patient care, and a much lower cost. However, they can also lead to a number of concerns, especially when it comes to HIPAA compliance. HIPAA rules apply not only to the medical facilities that are using cloud technology, but also to the tech vendors.
Unfortunately, just because cloud technology providers are not exempt from HIPAA rules, does not mean that they necessarily follow them. There is no real certification process and the government doesn’t exactly clear companies to work with healthcare organizations. It is completely up to the healthcare entity and the tech provider to make sure their services are meeting the necessary HIPAA standards.
Loopholes in the System
It may come as somewhat of a surprise to both patients and healthcare providers to learn that there are popular new aspects of medicine and technology that aren’t necessarily covered by HIPAA regulations. For instance, HIPAA does not cover anonymized data such as the data that is collected during genetic testing. Essentially, this allows for a patient’s anonymous information to be shared at will.
Few industries require resilient cybersecurity measures as much as healthcare does. Yet, healthcare has a colossal cybersecurity problem. Data breaches continue to plague patients’ private medical records, even though patients are facing life-threatening conditions, spending large amounts of money, and entrusting financial information to their providers.
Healthcare remains a big target for cybercriminals, sitting firmly in their cross-hairs. For 2015 alone, IBM reported more than 100 million breaches of medical records. Some organizations commit to privacy no matter what, but healthcare organizations are not keeping pace in adopting and promoting cybersecurity. But why do most healthcare organizations not have the latest cybersecurity tooling? We review some of these reasons in this article.
Why Hospitals and Care Facilities Lack Robust Cybersecurity
The key reasons why cybersecurity is not a conspicuous feature in many healthcare set-ups include:
#1 Limited cybersecurity awareness
Most hospitals concentrate on upgrading their medical technology and employing the best medical personnel and peripheral staff. They ensure they save lives more quickly and offer better overall care. While this is a reasonable practice, they soon relegate cybersecurity to the back-burner. The truth is, cybersecurity is a vital complement to these core values and priorities. Most of the time, hospitals can justify their need for an entire IT team, or at worst, a cybersecurity lead. However, directors may not have the necessary information to decide so.
#2 Lucrative healthcare targets
Hospitals are not always to blame, though. There’s an avalanche of attacks on hospitals. It is worth all of an attacker’s time to target a healthcare organization. As highly lucrative targets, these organizations can reveal data on a vast number of people at once. That is why standards are high to keep these organizations from the reach of attackers. But, what do you do when the attacker never quits chasing?
#3 Size of the specific organization
Many healthcare organizations are massive operations. It makes them increasingly vulnerable. Because more people are involved in the system, there are inevitably more possible points an attacker can exploit. Imagine just one healthcare staff member among several thousand falling for a phishing scam. It can compromise the whole system.
#4 Inconsistency with process
It often appears almost impossible to create and enforce consistent security standards and procedures. The reason is that the size of health organizations and hospitals means they may need to operate out of several buildings. Employees may then adhere to varying best practices, and in some cases, use different systems. Thus, it is hard to have a decent cybersecurity posture.
#5 Shared networks in healthcare organizations
Infosec revealed that one primary reason hospitals continue to appeal to cybercriminals is that most hospitals depend on shared wireless networks. Multiple devices on one network mean that one single point of vulnerability is all a hacker needs to access the whole system. It is a ticking time bomb.
Possible Solutions to Healthcare’s Cybersecurity Issues
What then can healthcare institutions and hospitals do to be on par with the latest cybersecurity practices? It turns out there’s so much they have control over:
Most hospitals can begin by adopting more advanced current technologies to protect patient information and keep their systems secure. Advanced software, monitoring systems, and futuristic tech such as biometrics are examples.
A cybersecurity budget is small fry for most healthcare organizations. It is merely a question of how much premium is placed on it, as the infographic at the end shows across several industries. Prioritizing technological security features will add a decent layer of security around hospital operations. While hospitals may commit their entire budgets to cybersecurity, a hire who knows their onions can promote substantial improvement.
We tend to have a negative view of risk, regarding it as a danger to the business. But, it also presents opportunities to push boundaries. If we reframe risk as a change-maker, then what degree of risk is acceptable? The healthcare industry faces this conundrum at every turn. Whether testing a toxic chemotherapy drug that could be lifesaving, or adopting IoT devices that provide detailed analytics, these advances can all expand the threat landscape.
Unlike testing pharmaceuticals in a controlled lab setting, the world of cyber and its risks are in constant flux. Healthcare data is at the top of cybercriminals’ lists, contributing to a record amount of breached health records in the past year. Full patient medical records are a valuable commodity on the dark web and sell for up to $1,000 each.
Now, healthcare organizations can’t stay stagnant in implementing protections.
The reality of highly-regulated industries is that compliance mandates tend to govern security operations. But where regulations are cut and dry, risks do not fit neatly into boxes of “high risk” and “low risk.” Instead, risk is on a spectrum that requires a holistic cybersecurity strategy to appropriately prioritize and mitigate risk according to what is deemed as acceptable.
To help healthcare organizations mature security policies and become more comfortable with risk, here are three recommendations for 2020 cybersecurity planning: