In early April, INTERPOL warned of “a significant increase” in ransomware attempts against organizations responding to the pandemic, including hospitals. Since then, a steady drip of alerts and attacks have only heightened the unease.
Microsoft recently sent an alert that dozens of ransomware deployments had occurred in the first two weeks of April. The Department of State made a remarkable flex in the aftermath of cyberattack on a Czech Republic hospital, and attackers leveled the most significant stateside “detonation,” as cybersecurity experts sometimes say, during the COVID-19 era by locking up systems at the Parkview Medical Center, in Pueblo, Colorado. At least one of the cybercriminal enterprises that vowed not to target medical facilities during the pandemic wasn’t exactly firm on its word.
Cybercriminals around the country are “absolutely taking advantage” of the pandemic.
It’s troubling but true — cybercriminals around the country are “absolutely taking advantage” of the pandemic, Erik Decker, chief security and privacy officer at University of Chicago Medicine, told Built In.
Cybersecurity vulnerability is of course nothing new in healthcare. Hospitals traffic in reams of personal (and valuable) data. They also operate on razor-thin margins — that was the case even before the pandemic — which means some facilities skimp on cybersecurity resources.
“A dollar that goes to administration is a dollar that doesn’t go to care,” said Decker, adding that many smaller systems are stretched so thin that they don’t even have IT security personnel.
That leaves hospitals with big targets on their backs.
Decker co-led the Health Industry Cybersecurity Practices report, released in 2018, that pinpoints the five most prevalent kinds of healthcare cyberattack:
Cyberattacks in Healthcare
- Email phishing
- Ransomware
- Loss or theft of equipment or data
- Insider attack or accidental data breach
- IoT medical device attacks
Right now, ransomware and phishing remain at the top of the worry list. (Many ransomware launches start with a phishing lure.) The reason is simple — they’re the easiest to pull off.
“Bad guys are inherently lazy,” said Caleb Barlow, CEO of Austin-based CynergisTek, a healthcare cybersecurity consultancy that works with a thousand facilities in the country. “Why attack a medical device when you can go after somebody in their home office?”
Remote Threat Control
Just as the pandemic pushed non-essential workers to work from home, it also pushed hospital staff that were able to work remotely — departments like vendor support and administration — into the home office. Healthcare cybersecurity experts usually warn against this kind of “expanding the footprint” — that is, organizations should try to keep as much activity inside the firewall of the facility as possible. In this instance it was a necessary public-health measure, but it nevertheless increased vulnerabilities.
Barlow underscores small but important steps in this regard: segmenting networks, implementing two-factor authentication across the board and using VPNs — and, just as importantly, making sure the VPNs are always configured correctly with the network.
Failure to do so risks a cyber version of other shortcomings in safety measures during the pandemic, Barlow said. “It’s too late to do once the attacks start.”
It’s too late to do once the attacks start.”
There’s no doubt that, broadly speaking, VPN adoption has shot up. According to a recent Okta report, the only app that grew faster than two connection-security tools between February and March was Zoom. But in healthcare, “security wasn’t at the top of the list” of concerns, said Kelvin Coleman, executive director of the National Cybersecurity Alliance.
Even with VPN implementation, cybersecurity experts suspect activity log-monitoring on hospital networks may have become less rigorous as facilities had to adapt quickly. Barlow describes a simple, potential route of attack: a quick Google search reveals the identity of a hospital administration worker, who’s now likely working from home. Their VPN lacks two-factor authentication, the username/password combination is the same as, say, one being used for a retail account, and the bad actor is suddenly inside.
“Unless somebody is really watching that VPN exit node, [the attacker] is probably not even traceable,” he said.
“You’d be astounded at how many people have no locks on the endpoint,” he added. Indeed, some of the most disastrous healthcare cyber attacks were allowed to foment due to a failure to square away simple fixes. The WannaCry ransomware attack, in 2017, was allowed to perpetuate as long as it did because some hospitals had failed to download an available Microsoft patch.
Maintaining the Security Health of Telemedicine
The same vulnerabilities that surround remote healthcare work also extend to telemedicine, which has boomed in the wake of the pandemic as patients still look to visit doctors but must avoid unnecessary contact.
The Centers for Medicare and Medicaid Services (CMS) in March peeled back some of the regulations that had previously forestalled the widespread use of telemedicine. The most noteworthy shift saw CMS reimbursing far more providers for telemedicine visits.
But more significantly from a cybersecurity perspective was the Department of Health and Human Services’ notification of temporary “enforcement discretion” related to telehealth — that is, it wouldn’t bring the hammer down on providers who used, say, regular, old-fashioned Zoom (which is not HIPAA compliant) to connect with patients instead of Zoom for Healthcare (which is HIPAA compliant, but not free).
Hiccups aside, Barlow is among the majority who saw the relaxed guidelines as necessary given the situation. But how quickly providers can shift to firmer ground will be key. “The issue here isn’t the short-term use of commercial off-the-shelf technology,” he said. “It’s the speed at which we shore that up and get to more appropriate solutions that will pass the regulatory formats that are required.”
The issue here isn’t the short-term use of commercial off-the-shelf technology.”
The HHS move is intended to be temporary, but many within healthcare nonetheless expect this to be a turning point toward more long-term adoption of telehealth, even post-pandemic. Expect to see an “explosion” of investment in the telehealth industry and services that support it, Coleman said.
The Downside of Connectedness
Over the last several years, more and more medical devices have been designed to connect to the internet. That allows for the easy collection, monitoring and sharing of data, which is believed to help hospitals control costs and improve patient outcomes. But devices’ connectedness also leaves them prey to cybercriminals if not properly protected.
Cybercriminals tend to target lower-hanging fruit than connected medical devices, but that doesn’t mean attackers aren’t looking at their IoT options.
CyberMDX, a healthcare IT firm that helps more than 300 global hospitals monitor device security, has a research and analysis arm that watches the dark web for threat activity. Sure enough, the team has seen a spike in chatter in recent months. While luckily no attacks have materialized, “we know the threat is out there,” Tsafrir Oranski, vice president of business development at CyberMDX, told Built In. “We know they’re trying.”
There’s been a simultaneous uptick in questions from the field about the security of specific devices, he said.
Even though other kinds of attacks are more common, IoT medical devices pose unique security challenges. They’re often less visible to traditional firewall systems. Also, devices tend to kick around a long time, which means some of the main protocols are older and relatively insecure, Oranski said.
One notable vulnerability emerged in March, when the Food and Drug Administration warned that some Bluetooth-enabled devices — including some pacemakers, glucose monitors and ultrasound machines — were susceptible to being hijacked. Manufacturers work hard to release patches, but, as WannaCry proved, costly errors can still slip through.
There’s also a heated debate about who’s responsible when such an attack is levied — the provider who operates it or the manufacturer who made it? “Manufacturers offer guidelines, but once it’s deployed, it’s a whole new ballgame,” Oranski said.
The current moment has brought about some new challenges too. Some of the equipment hospitals are gathering is being rented and some is bought used. That means old patient data could still be sitting on a device before it’s transferred. That’s a low concern compared to saving lives, but one that will need to be addressed, Barlow said. “That is going to be an issue that we’re all going to need to deal with in a couple of months,” he said.
A Question of Funding
As the tides of the pandemic response shift, some focus areas will recede (many workers, though not all, will return to the premises) and others will expand (the telehealth boom). But all the experts with whom Built In spoke agreed: this moment is representative of a larger expansion of healthcare’s digital surface. Networks are more complicated, stretching into public and private clouds, through satellite services like urgent-care clinics and across remote monitoring devices. The footprint has grown, permanently.
At the same time, hospitals are struggling financially. Even with some federal aid having been distributed and more on the way, health systems face uncertain economic futures. There’s a constant “tug of war” of resources, Oranski said.
A forecast by Cybersecurity Ventures estimates that the healthcare industry will spend more than $65 billion on cybersecurity between 2017 and 2021. “We have realized we are big targets,” Coleman said.
We have realized we are big targets.”
The HICP report co-led by Decker outlines recommendations to help healthcare systems of all sizes beef up security. As one of the 16 designated critical infrastructures, healthcare enjoys a framework for public-private collaboration that some sectors do not. Decker and his colleagues at the public-health emergency division under the HHS will soon release a tactical response plan that will provide further cybersecurity guidance and benchmarks to follow in case of emergency.
Meanwhile, hospitals will have to be strategic about how they invest as the landscape keeps shifting while remaining vigilant of new challenges. As CynergisTek has made the rounds to assess facilities’ cyber health, Barlow says grades have actually been declining year over year. “The reason isn’t that people aren’t investing, it’s that they’re not investing as fast as the threat is emerging,” he said.
