This is an update of an article we originally published on March 27.
Healthcare workers around the world are fighting a war on two fronts. The most public and dramatic one is the battle to contain the coronavirus pandemic and care for those infected. Less visible but deeply worrying is a struggle against pernicious attacks by cybercriminals using ransomware, distributed denial-of-service and other methods. Hospitals need to act urgently to tighten their defenses against these attacks to ensure their ability to deliver health care in this critical time.
The United States’ Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the Department of Health and Human Services (DHS) warned on October 28 that “malicious cyber actors” were targeting healthcare and public health institutions and trying to make ransomware demands, steal data, and disrupt health services.
These attacks typically involve phishing with seemingly legitimate email messages to trick people into downloading malware. DHS said back in March that hackers had tried to penetrate its computer systems. Earlier that month, the Brno University Hospital in the Czech Republic was forced to turn off its IT systems and suspend scheduled operations after a ransomware attack.
There is no sign yet that these attacks have seriously hampered the global fight against a virus that has infected more than 50 million people around the world and claimed over 1.2 million lives, including nearly a quarter of a million in the US. But the threat is clear. These cyberattacks can divert resources at a time when hospitals around the world are struggling to treat patients. Delays in diagnosis and treatment can cost lives. Police in Germany opened a homicide investigation in September after a Dusseldorf hospital was unable to give life-saving treatment to a woman because of a ransomware attack.
Defining the Threat
Ransomware thieves have been targeting hospitals for years. The WannaCry virus infected computer systems at hospitals and doctors’ offices across the UK in 2017, costing the National Health Service more than $100 million in disruption and remediation costs, according to a government report. At least 764 healthcare organizations in the United States were hit by ransomware attacks last year, according to cybersecurity firm Emsisoft.
According to Greg Singleton of the US Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center, today’s cyber thieves attack healthcare organizations for the same reason the infamous Willie Sutton robbed banks in the 1930s and ’40s – “because that’s where the money is.”
Doctors and hospitals routinely collect information that represents the epitome of attractive data for identity theft, including full names, addresses, Social Security numbers and insurance details. And hospitals, given the life-and-death nature of their business, may be more inclined (or perceived to be more inclined) to pay ransom to minimize disruption to patient care. The average amount paid by victims of ransomware attacks rose more than fivefold in the third quarter from the same period a year earlier, to nearly $234,000, according to Coveware.
The cyberattack surface for hospitals has expanded significantly in recent years because of the increasing adoption of IoMT (Internet of Medical Things) technology across a broad range of devices. The US Food and Drug Administration has issued five alerts during the last year about vulnerabilities that could allow hackers to control or disrupt everything from insulin pumps and pacemakers to patient monitors and network communication software. Hospitals are also heavily dependent on third-party vendors. Two thirds of UK healthcare organizations experienced a cyber incident last year, according to data provider Clearswift, and nearly half of them involved viruses or malware introduced through IoMT gear, USB sticks or other third-party devices.
The proliferation of electronic health records also raises the industry’s vulnerability to attack. These records are complex and software updates tend to be relatively infrequent and costly. The rapid acceleration of telehealth deployments in response to the COVID-19 crisis further raises the need for scrutiny and careful planning to prevent attacks.
Preparedness and Countermeasures
What can healthcare entities do to prepare for and counter the threat? The first thing is to raise awareness. That means educating or reiterating to employees the need to guard against phishing attacks, which are on the rise, and tightening phishing filters on their computer systems. The most recent assessments revealed that about 50 percent of US hospitals reported using firewalls, encryption, or spam and spyware filters, according to Definitive Healthcare.
Companies also need to assume a cyberattack will happen and prepare accordingly. That means establishing a Cyber Incident Response Executive group that includes the chief information and technology officers, chief operating officer, chief information security officer, chief financial officer, human resources, and senior legal representatives. This group should have an incident lead director and deputies across all roles, in case any member comes down with the virus or is otherwise indisposed. And the group should conduct a tight preliminary drill to ensure it can successfully navigate different types of cyber incidents.
Senior executives should be prepared to implement extra secure communications capabilities to ensure that voice, data, and digital traffic between individuals and groups are sufficiently secure, both for dealing with the pandemic and, if needed, tackling a significant cyber event. And as more employees adopt remote working arrangements, just as in other corporate sectors, IT administrators need to ensure that remote connections are secure and routinely monitored. They also should remind employees to avoid copying work files onto less-secure home drives.
Healthcare firms should ensure that software patches are up to date on critical IT systems. That includes working with third-party vendors to ensure that they are taking commensurate steps. Firms also should make sure their business continuity plans are up to date and redouble efforts to boost employee awareness of phishing threats.
Finally, health systems should collaborate with their peers and government entities through initiatives like the Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Partnership, and be familiar with local law enforcement services so people know whom to call when the worst happens.
The health sector will never be immune to cyberattacks. But as with the coronavirus, urgent action is required to minimize the threat.