Healthcare workers around the world are fighting a war on two fronts. The most public and dramatic one is the battle to contain the coronavirus pandemic and care for those infected. Less visible but deeply worrying is a struggle against pernicious attacks by cybercriminals using ransomware, distributed denial-of-service and other methods. Hospitals need to act urgently to tighten their defenses against these attacks to ensure their ability to deliver health care in this critical time.
The Department of Health and Human Services, which is leading the US government’s effort against the coronavirus, confirmed reports that hackers had tried to penetrate its computer systems in mid-March. Earlier that month, the Brno University Hospital in the Czech Republic was forced to turn off its IT systems and suspend scheduled operations after a ransomware attack, while a similar attack took down the website of the Champaign-Urbana Public Health District, in the US state of Illinois.
There is no sign yet that these attacks have hampered the global fight against a virus that has infected hundreds of thousands of people and claimed many thousands of lives. But the threat is clear. These cyberattacks can divert resources at a time when hospitals around the world are struggling to obtain adequate supplies of masks, gloves and ventilators for treating patients. Delays in diagnosis and treatment can cost lives.
Defining the Threat
Ransomware thieves have been targeting hospitals for years. The WannaCry virus infected computer systems at hospitals and doctors’ offices across the UK in 2017, costing the National Health Service more than $100 million in disruption and remediation costs, according to a government report. At least 764 healthcare organizations in the United States were hit by ransomware attacks last year, according to cybersecurity firm Emsisoft.
According to Greg Singleton of the US Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center, today’s cyber thieves attack healthcare organizations for the same reason the infamous Willie Sutton robbed banks in the 1930s and ’40s – “because that’s where the money is.”
Doctors and hospitals routinely collect information that represents the epitome of attractive data for identity theft, including full names, addresses, social security numbers and insurance details. And hospitals, given the life-and-death nature of their business, may be more inclined – or perceived to be more inclined – to pay ransom to minimize disruption to patient care. The average ransom paid by victims of cyberattacks more than doubled in the fourth quarter of 2019 from the previous quarter, to just over $84,000, according to Coveware.
The cyberattack surface for hospitals has expanded significantly in recent years because of the increasing adoption of IoMT (Internet of Medical Things) technology across a broad range of devices. The US Food and Drug Administration has issued five alerts during the last year about vulnerabilities that could allow hackers to control or disrupt everything from insulin pumps and pacemakers to patient monitors and network communication software. Hospitals are also heavily dependent on third-party vendors. Two-thirds of UK healthcare organizations experienced a cyber incident last year, according to data provider Clearswift, and nearly half of those incidents involved viruses or malware introduced through IoMT gear, USB sticks or other third-party devices.
The proliferation of electronic health records also raises the industry’s vulnerability to attack. These records are complex and software updates tend to be relatively infrequent and costly. The rapid acceleration of telehealth deployments in response to the COVID-19 crisis further raises the need for scrutiny and careful planning to prevent attacks.
Preparedness and Countermeasures
What can healthcare entities do to prepare for and counter the threat? The first thing is to raise awareness. That means educating employees about, or reiterating to them, the need to guard against phishing attacks, which are on the rise, and tightening phishing filters on their computer systems. The most recent assessments revealed that about 50 percent of US hospitals reported using firewalls, encryption, or spam and spyware filters, according to Definitive Healthcare.
Companies also need to assume a cyberattack will happen and prepare accordingly. That means establishing a Cyber Incident Response Executive group that includes the chief information and technology officers, chief operating officer, chief information security officer, chief financial officer, human resources, and senior legal representatives. This group should have an incident lead director and deputies across all roles, in case any member comes down with the virus or is otherwise indisposed. And the group should conduct a tight preliminary drill to ensure it can successfully navigate different types of cyber incidents.
Senior executives should be prepared to implement extra secure communications capabilities to ensure that voice, data, and digital traffic between individuals and groups are sufficiently secure, both for dealing with the pandemic and, if needed, tackling a significant cyber event. And as more employees adopt remote working arrangements, just as in other corporate sectors, IT administrators need to ensure that remote connections are secure and routinely monitored. They also should remind employees to avoid copying work files onto less-secure home drives.
Healthcare firms should ensure that software patches are up to date on critical IT systems. That includes working with third-party vendors to ensure that they are taking commensurate steps.
Finally, health systems should collaborate with their peers and government entities through initiatives like the Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Partnership, and be familiar with local law enforcement services so people know who to call when the worst happens.
The health sector will never be immune to cyberattacks. But as with the coronavirus, urgent action is required to minimize the threat.