By Justin Fier, director of cyber intelligence and analytics, Darktrace
As the healthcare sector struggles against the COVID-19 crisis, working tirelessly to protect staff and patients while contending with worsening economic realities, cybercriminals around the world are seeing a golden opportunity to attack.
Overwhelming demand, exhausted staff, IT teams pulled in multiple directions, and a critical reliance on technology to treat patients mean that adversaries have never had more opportunity or incentive to attack healthcare organizations.
By locking healthcare providers out of critical systems at this critical time, attackers can force them to pay a ransom to recover access or face adding to the already grim death toll.
Recently, an advisory was jointly issued by CISA and the UK’s National Cyber Security Centre (NCSC). This joint alert stemmed from the increase in state-sponsored attacks against organizations connected to COVID-19 research and response. These include pharmaceutical companies, hospitals, government agencies, research institutes, and more.
With the healthcare sector a top target of hackers, cybersecurity and privacy are of paramount concern—so much so that HIMSS20 has dedicated an entire track to the topic. According to its description, “Every organization must respect and maintain the privacy and security of patient information, no matter how small or large and no matter where they are located.”
While cybersecurity is clearly a primary area of focus, the frequency of attacks on healthcare institutions is on the rise—the HIPAA Journal found that the equivalent of 50% of the U.S. population has been affected by data breaches over the past decade. While there are several reasons healthcare institutions continue to fall prey to attacks, one of the most common ones may surprise you: employee password reuse and password sharing.
Risk Rises with Password Reuse
Most healthcare workers know better than to reuse passwords across multiple sites and applications. Still, this security best practice is often overlooked in the name of convenience and the urgency associated with providing high-quality care. However, password reuse puts the entire organization at risk when an unrelated third party is breached, as cybercriminals can easily obtain breached or leaked credentials via the Dark Web and use them against other online accounts or systems.
With breaches occurring on a daily basis, hackers can select from an unlimited supply of newly compromised passwords. If even just a handful of your employees reuse passwords across applications and accounts, it won’t be long before hackers leverage this password faux-pas for their own advantage. And if your organization is anything like the average company, it’s likely that password reuse is also pervasive. According to Google, at least 65% of people use the same password for multiple, if not all, sites and systems.
Password Sharing Increases Vulnerabilities
When every second counts in administering critical care, the last thing hospital staff have time for is issues with login. For this reason, many healthcare workers will share credentials, with 74% of respondents in one study admitting they had obtained a colleague’s password. The researchers state, “Apart from…large-scale mistakes and malicious acts… one of the most common breaches of PHI is the use of another’s credentials to access patient information, i.e., the use of the EMR password of one medical staff member by another.”
It’s easy to understand why healthcare workers would default to this practice, but it’s equally easy to visualize how password sharing substantially increases security vulnerabilities.
With threats inherent in everything from:
How the password is initially shared (i.e. is it stored in multiple email accounts?)
What else individual staff members may use it for (i.e. is it being reused for other work and/or personal accounts?)
What the staff turnover is (i.e. what happens if a disgruntled former employee can still access company systems?)
it is evident that hospitals cannot afford the risks associated with password sharing.
The 2019 HIMSS Annual Conference may be over, but that doesn’t mean an end to the pressing challenges and trends discussed at Orlando’s Orange County Convention Center. More than 42,500 people attended the conference — the majority of whom were C-suite executives and HIT professionals taking full advantage of the healthcare IT industry’s largest opportunity for networking, product promotions, continuing education and major announcements.
As always, there were a few subjects during HIMSS19 that generated significant buzz. Here are four of those trends that will remain key topics throughout the next year:
Healthcare data exchange
The release of two long-anticipated proposed rules on information blocking came just as HIMSS19 convened. The Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) unveiled proposals that would require healthcare providers and plans to implement open data sharing technologies to support transitions of care. The first focuses on standardized application programming interfaces (APIs) and carries forward provisions from the 21st Century Cures Act.
Those associated with Medicaid, the Children’s Health Insurance Program (CHIP), Medicare Advantage and Qualified Health Plans in the federally facilitated exchanges would have to provide patients with immediate electronic access to medical claims and other health information by 2020. Under the second proposal, health information exchanges (HIEs), health IT developers and health information networks (HINs) can be penalized up to $1 million per information blocking violation, but providers are not subject to fines.
The goal of the proposals is to consider care across the entire continuum, giving patients greater control and understanding of their health journeys. This is interesting, given that HIMSS attendees who responded to Stoltenberg Consulting’s seventh annual HIT Industry Outlook Survey noted “lack of system interoperability” as one of their biggest operational burdens, and “leveraging meaningful patient data” as the IT team’s most significant hurdle this year. Thus, overcoming these challenges to meet the newly proposed mandates will likely dominate discussions during the remainder of 2019.
Every person, from the newest employee to the CEO, can either strengthen or weaken an organization’s security posture. For this reason, healthcare companies need to help their employees take precautions against the latest ransomware scams, otherwise their organization may be the next ransomware victim.
One of the main reasons healthcare has become such fertile ground for ransomware attacks is the rapid shift to digitized personal healthcare records. Less than ten years ago, most physicians updated patient records manually and stored them in color-coded file systems. By the end of 2017, industry data suggests, approximately 90 percent of office-based physicians had moved to electronic systems (electronic health records/electronic medical records) for the storage, retrieval and management of health data. Virtually all of these systems are online and internet accessible. This move to electronic medical records made the healthcare industry a prime target for ransomware.
But the cost of a ransomware attack goes far beyond any extortion payment. Once the associated costs are considered, including downtime, lost revenue, angry patients or customers, attack mitigation and recovery expenses, brand reputation damage, and non-compliance fines, the cost of the ransom itself may seem trivial in retrospect.
When the United Kingdom’s National Health Service (NHS) was impacted by the global WannaCry outbreak of 2017, it brought hundreds of NHS facilities to a standstill for several days, resulting in the cancellation of thousands of appointments and operations, as well as the urgent relocation of patients from impacted emergency centers. In April 2017, Erie County Medical Center lost access to 6,000 computers due to a ransomware attack, which resulted in six weeks of manual operations and a recovery process that ultimately cost the medical center $10 million.
Unfortunately, security technologies can only do so much to protect your organization against an attack. Ransomware typically spreads through phishing emails or by visiting an infected website. Even the most advanced antivirus and anti-ransomware solutions can’t stop Fully UnDetectable (FUD) threats that were conceived by cybercriminals to directly evade existing security layers and harm data. In fact, the majority of ransomware victims have some traditional Anti-Virus and Anti-Malware protection in place and yet still fall prey to attacks.
Even if your organization has backups, you may be surprised to find that you are still vulnerable. Today, many criminals do reconnaissance on their victim’s network and compromise backups before deploying the encrypting malware, to increase the odds that the organization will pay the ransom.
But paying the ransom doesn’t always work out either. A study by the CyberEdge Group shows that of the 39 percent of ransomware victims who have paid, less than half recover their data. It also leaves the victimized organization vulnerable to another attack. If the root cause of the breach is not corrected, another day can bring another ransom request.
Ultimately, it is up to your organizational leaders to decide whether or not to pay. Healthcare organizations are a favorite target of cybercriminals because they are more likely to pay up when computer downtime can introduce life or death consequences. Regardless of your position on paying cybercriminals a ransom, the best strategy is to avoid being placed in a compromised position in the first place. But how?
Obviously, all healthcare organizations want to avoid being a ransomware victim, but cybersecurity is a complex problem that requires multiple layers of defenses. Small to medium-sized healthcare organizations are particularly vulnerable, since many believe they don’t have adequate financial or technical resources to defend themselves against the onslaught of attacks.
Industry experts estimate that a company with 50 employees may have to spend upward of $50,000 to deploy sophisticated endpoint technologies such as antivirus, anti-malware software and firewalls to keep intruders out and then thousands of dollars each year to keep everything up to date. Even when making this investment in security, it doesn’t guarantee a breach won’t happen. Just one wrong click by an employee is all it takes.
5 Ransomware Prevention Tips to Help Employees
In the face of this rapidly growing threat, healthcare organizations should take concrete steps to deploy the technologies needed to protect systems from ransomware attacks. But employees also need to be educated on how ransomware is distributed and taught to be cautious when clicking on online advertisements or email links, visiting a new website, and opening attachments from unfamiliar or suspicious senders.
One of the most recognized annual awards programs in the world today—the MedTech Breakthrough—has recently announced its 2018 award winners. The nominees were carefully examined by an independent expert panel, and winners were selected based on various considerations. Awards were given in the following categories: medtech leadership, clinical and health administration, patient engagement, electronic health records, genomics, internet-of-things (IoT) healthcare, medical data, mobile communication and telehealth, healthcare cybersecurity and medical devices.
This award program is a testament to the continuous innovations in the field of medicine brought about by the incorporation of various technological advancements in other fields of science.
The Progress of Medicine
The progress of medical science at present is obviously at its zenith compared to its level of progress in the past. Medicine, for example, has existed for several millennia, and for most of that time it was largely non-scientific, since in earlier times medicine was closely associated with religious and superstitious beliefs.
In our contemporary time, however, every aspect of medicine seems to be innovating at an unprecedented pace, and other technological advancements in fields like physics, genetics, computer programming and engineering, and chemistry seem to be all contributing to the progress of medical science and medical institutions.
By simply looking at the above-mentioned awards distributed by MedTech Breakthrough, for example, you would immediately see the inclusion of the internet-of-things, genomics, medical data, mobile communications and electronic records, all of which seem to have a somewhat detached relationship to medical science. Yet it is obvious that the progress of medical science can no longer be isolated from other technological advancements.
Medical Science and Alternative Medicines
Medical science has slowly detached itself from alternative medicines by strictly subscribing to the scientific method in the diagnosis and treatment of diseases. If a medical practice, therefore, is based only on alternative medicines without the backing of scientific studies, it is presumed to rest on unwarranted assumptions without scientific merit. Scientific medicine, however, does not peremptorily debunk the efficacy of alternative medicines, for that would be unwise. What it debunks is the method by which alternative medicines assume the efficacy of their alternative methods of treatment.
A good point of reference would be the practice of chiropractic. Chiropractors, for example, start with the premise that diseases are simply indicative of the effects of subluxations. They then focus on the detection and eventual correction of vertebral subluxation to heal maladies. Although there are mixer chiropractors who combine diagnostic and treatment approaches from different osteopathic viewpoints, most of them still solely attribute diseases to subluxation. Yet subluxation and its relationship to a disease is really hard to prove scientifically.