Over the years, healthcare institutions have benefitted greatly from advancements in technology to enhance practices and care. Innovation is at the core of modern medicine, yet there are still many vulnerabilities that can put both patients and providers at risk.
Healthcare cybersecurity therefore represents a critical issue, as patient health records contain an immense amount of personal and sensitive information. With the current health crisis we are facing, cybersecurity threats are very likely to continue increasing. Thus, it has become crucial that healthcare organizations implement strong security systems and embrace the technology development that will ensure better protection of data and information in the future.
Hence, we have talked to experts in the industry to address this topic and tell us how healthcare institutions can protect themselves against cyber threats.
Security in healthcare in times of a pandemic
As it is in all industries, cybersecurity is a major risk factor in health care data, and it has only been rising these past few months with the spread of the pandemic. Threat actors have increased, and their tactics are becoming more sophisticated, making it gradually more difficult for health organizations to fight them off.
Sonya Moisset, Lead Security Engineer at PhotoBox, tells me that, generally speaking, there is chronic underinvestment in cybersecurity regardless of the sector, which has left many organizations so exposed that they are unable to detect cyberattacks when they occur.
Hence, she continues, it can take weeks or even months before a breach is detected, the damage contained, and resolutions deployed to prevent the same attack from happening again.
Melanie Molina Sandoval, Product Security Engineer at Deliveroo, points out that, with the pandemic overwhelming the capacity of many hospitals, hackers have been quick to realize this and started using it to their advantage. This is why many hospitals in the US and Europe are already being affected.
‘This has been a wakeup call for the industry to closely review their security posture with the most immediate action during these times of uncertainty and, with the pressure of so many lives at stake, it only makes it even more challenging.’
Cybersecurity is a risk factor in health care data, Sonya adds. Data from the 2021 Horizon report revealed that more than 500 healthcare organizations have reported a breach of 500+ patient records. The report found that providers are the most targeted sector and that attacks on network servers are on the rise, with email remaining the most common attack vector used by attackers to steal patient data.
Moreover, according to the NCSC (National Cyber Security Centre), more than one in four cyberattacks were related to COVID-19 in the UK. Hence, the NHS has become a target for threat groups and the UK vaccine research has evolved as a new espionage risk.
Sonya highlights that threat actors continue using ransomware attacks to target the healthcare sector or use COVID-19 themed online scams and phishing campaigns.
‘We are already seeing a spike in attacks and phishing emails related to a COVID-19 vaccine as it is now being made available in several countries.’
As threat actors evolve and grow, we are unfortunately seeing a whole new range of sophisticated cyberattacks that are more and more dangerous for health institutions, especially at this time, when they are the most vulnerable.
Sonya first notes that the challenges might be the same as in any industry, such as malware and ransomware. Threat actors will use both to shut down individual devices, servers, or networks and ask for a ransom to get back the encrypted data.
Another challenge, she continues, could be related to cloud threats, as a significant amount of health information is being stored with cloud providers. This could become a weak spot for healthcare organizations that lack proper encryption and security configuration or do not apply best practices.
Threat actors will also create websites with addresses similar to those of reputable sites. With a simple substitution of the domain from .com to .gov, they can lure unwary users to these compromised websites, which allows the attackers to steal credentials or personal data.
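The lookalike-address pattern described above can be checked for on the defensive side by comparing hostnames seen in mail links or DNS logs against the organization's own registered domains. The following is an added example, not taken from the article or the interviewees: the domain names, the suffix subset and the function names are assumptions, and it goes slightly beyond the suffix swap by also flagging one-character near misses.

```python
# Assumed subset of multi-label suffixes; production code should use the Public Suffix List.
MULTI_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "nhs.uk"}

# Constructed allow-list: the organization's own registered domain (hypothetical name).
LEGIT = {"northfield-health.org"}

def split_domain(host):
    """Return (registrable label, suffix) for a hostname, ignoring subdomains."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in MULTI_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return parts[0], ""

def levenshtein(a, b):
    """Edit distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, legit=LEGIT):
    """Label a hostname as legit, tld-swap, near-miss or unrelated."""
    label, suffix = split_domain(host)
    known = {split_domain(d) for d in legit}
    if (label, suffix) in known:
        return "legit"
    if any(label == k_label for k_label, _ in known):
        return "tld-swap"      # same name registered under a different suffix
    if any(levenshtein(label, k_label) <= 1 for k_label, _ in known):
        return "near-miss"     # one character added, dropped or substituted
    return "unrelated"

# Constructed observations, e.g. hostnames extracted from links in inbound mail.
OBSERVED = ["portal.northfield-health.org", "northfield-health.com",
            "northfie1d-health.org", "login.northfield-health.co.uk",
            "weather.example.net"]

if __name__ == "__main__":
    for host in OBSERVED:
        print(f"{host:35} {classify(host)}")
```
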
Besides, Sonya emphasizes, phishing attacks are a common strategy to send out mass amounts of emails impersonating reputable sources to obtain sensitive information from users.
Finally, another growing threat to note is around IoT (Internet of Things), which would include any medical devices – such as pacemakers and other equipment – connected to the Internet. These endpoints face the same vulnerabilities as other computer systems in an organization.
Why are healthcare organizations targeted?
When hospitals are overwhelmingly dependent on their systems, stretched to capacity and have so many more lives at stake, Melanie points out, they are much more likely to comply with attackers' demands, in ransomware attacks for instance.
Especially when COVID is in the spotlight, being covered 24/7 by every news network and channel, hackers can ask for much more money than ever, knowing how desperate the situation can get.
But is it just that? Melanie proposes to review some of the publicly reported attacks from last year, when it all started to collapse. March 2020 included a ransomware attack on Champaign-Urbana Public Health District in the US and on critical systems at Brno University Hospital in the Czech Republic. Moreover, the World Health Organization has seen attacks against it double, as has the US Department of Health, which was hit with DDoS attacks.
But let’s take a step back, she suggests. It is clear that this sort of activity is attributed to hackers seeking monetary profit for ransoms, but if we analyze the umbrella of healthcare organizations targeted, we can see that it includes universities and healthcare agencies, potentially involved in research for vaccines, tests, medicines and any sort of solution to alleviate the crisis of the pandemic.
If we analyze the methodologies from the disclosed reports, she continues, we see that Advanced Persistent Threat (APT) groups are involved, with the purpose of cyber espionage. Proprietary information about tests and vaccines is extremely valuable right now, especially to those competing to find a cure: not only public and private healthcare organizations but government entities as well.
Therefore, she emphasizes that this particular information warfare presents hackers with a plethora of high-value information.
‘Hackers are, by their nature, opportunistic and so I wouldn’t be surprised if we started to see a sharp rise in APT hacker groups in the near future as a result of this’, Melanie says. ‘I would go further and say this information could prove more profitable to hackers than anything they would get holding hospitals ransom.’
Sonya also notes that these threat actors are after data. Healthcare organizations are easy targets because they possess a significant amount of information of high monetary and intelligence value both for cyber thieves and nation-state actors.
Besides, she adds, the targeted data, in that case, would include patients’ protected health information (PHI), financial information, and personal identifying information (PII). Yet, it is also important to consider that data could include intellectual property related to medical research and innovation.
The dangers for patients and care
There are many risks involved when an organization is being targeted by a threat group, especially related to personal information and records.
Indeed, Sonya points out that if an organization suffers a cyberattack, this could potentially mean losing access to medical records and lifesaving medical devices, and impair the ability to care for patients. If the attackers have access to private patient data, they can alter the data, which leads to serious effects on patient health.
For instance, she says, patient outcomes were threatened in the UK when the NHS was hit in 2017 as part of the ‘WannaCry’ ransomware attack on computer systems; this resulted – among other things – in ambulances being diverted and surgeries being canceled.
Besides, Sonya notes that we mustn’t forget that organizations could face penalties under HIPAA’s Privacy and Security rules (as well as harm to their reputation).
Building better cybersecurity for healthcare organizations
According to Melanie, there are multiple paths and decisions a company can take that can help protect it or mitigate damage should it fall victim to these attacks. But it is essential to revisit Incident Response Plans and Business Continuity Plans, and to optimize mechanisms for access control.
Incident Response Plans (IRP) are key, she continues, especially when you are being constantly targeted. Establishing a solid IRP can answer questions like: how prepared are we if we get hit with a ransomware attack? When was the last time we revisited our current processes? Can we have or improve relationships with digital forensic providers or consultancies?
This would then trigger a domino effect in terms of what areas to improve on: discussing these sorts of questions can lead to more emphasis on things that were not brought up before. For instance, investing in dark web investigations to learn what hacker groups could be saying about your organization online, or knowing how many of your employees’ passwords and credentials have been compromised.
‘Strategizing and planning ahead is absolutely beneficial and necessary.’
When it comes to Business Continuity, Melanie emphasizes, a lot of organizations already have a plan in place. But if they haven’t already, it would be very beneficial for hospitals, for example, to consider scenarios where critical systems for patients become unavailable for multiple days. With the saturation that COVID has brought to healthcare, these would definitely be circumstances hackers would be interested in putting hospitals in.
In terms of enhancing access control, these organizations should be trying to answer questions like:
- What can we do to sufficiently restrict access to systems, networks, data, etc.?
- Have we reviewed enforcing Multi-Factor Authentication or Privileged Access Management recently?
- Do our employees have access to educational resources to help enforce this and understand how they can protect themselves and the company, and how it can be valuable for them?
Sonya points out that the same recommendations as any other business can be applied to healthcare organizations, starting with establishing a security culture with ongoing training as every member of an organization is responsible for protecting patient data.
What matters is maintaining good computer habits. Indeed, she says, this starts from onboarding new employees with training on best practices for computer use. This includes using strong passwords, changing them regularly, and using MFA whenever possible. It is important to limit network access, use a firewall for anything connected to the Internet, and install and maintain anti-virus software.
It is also essential to control access to protected health information by applying least privilege, granting access only to those who need to view or use the data, as well as to plan for the unexpected and back up regularly for easy data restoration. Moreover, healthcare organizations should consider storing this backed-up information away from the main system if possible and segregating the network.
Finally, Sonya notes that IoT devices are also a point of failure if not properly set up. IoT devices should be maintained on their own separate network and monitored to identify sudden changes in activity levels that could indicate a breach. IoT devices should also be kept up to date with the latest patches.
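One way to monitor for the sudden changes in activity levels mentioned above is to compare each device's latest traffic volume with a robust baseline of its own history. This is an added example, not from the article or the interviewees; the device names, the hourly kilobyte figures and the threshold are constructed assumptions.

```python
from statistics import median

# Constructed sample: kilobytes sent per hour by each device on the IoT network segment.
HISTORY = {
    "infusion-pump-07":   [120, 118, 125, 122, 119, 121, 124, 120],
    "patient-monitor-12": [300, 310, 295, 305, 300, 298, 302, 307],
    "mri-gateway-02":     [50, 50, 50, 50, 50, 50, 50, 50],
}
LATEST = {"infusion-pump-07": 123, "patient-monitor-12": 4200, "mri-gateway-02": 0}

def robust_score(baseline, value):
    """Distance of value from the baseline median, in robust deviation units."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    # 1.4826 * MAD approximates a standard deviation. The floor (5% of the
    # median, at least 1) keeps a perfectly steady device from dividing by zero.
    scale = max(1.4826 * mad, 0.05 * med, 1.0)
    return abs(value - med) / scale

def flag_changes(history, latest, threshold=6.0, min_samples=4):
    """Return device names whose latest reading departs sharply from their baseline.

    Spikes and drops are both flagged: a device that goes silent is as much a
    sudden change in activity as one that starts sending far more data.
    """
    flagged = []
    for device, value in latest.items():
        baseline = history.get(device, [])
        if len(baseline) < min_samples:
            continue  # not enough history to judge; handle new devices separately
        if robust_score(baseline, value) > threshold:
            flagged.append(device)
    return sorted(flagged)

if __name__ == "__main__":
    for device in flag_changes(HISTORY, LATEST):
        print("review:", device, "latest =", LATEST[device])
```
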
Therefore, cybersecurity within healthcare organizations has never been more important. This is why it is necessary that these institutions are well-protected but also, that security experts are prepared to tackle the new challenges that come with the advancements of technology.
Special thanks to Melanie Molina Sandoval and Sonya Moisset for their insights on the topic!