Healthcare cybersecurity is one of the largest concerns for healthcare organizations. With phishing emails, ransomware attacks, and healthcare data breaches increasing daily, protecting patient data is one of the crucial objectives of healthcare providers. For example, researchers estimate that ransomware attacks will quadruple in the coming years as the global healthcare industry digitizes patient information.
In addition, contrary to the perception that cybersecurity risks are similar across all industries, healthcare cybersecurity is unique. In recent years, the healthcare sector has rapidly connected networks, systems, and data to leverage the technological benefits. However, healthcare professionals have focused more on connecting healthcare systems quickly, with little thought given to achieving robust security processes.
Also, numerous legacy systems are still in use in many healthcare facilities. According to Kathy Hughes, Northwell Health CISO and VP, procured medical devices have an expected life of 10 to 20 years. As a result, legacy systems with outdated security patches and applications may contain exploitable vulnerabilities resulting in an increased attack surface. While healthcare workers perceive legacy health systems as diagnostic or therapeutic machines used to provide medical care, security researchers regard them as susceptible machines that may contain exploitable vulnerabilities.
The Healthcare Sector Facing Unprecedented Cyberthreats
Continued attacks targeting critical medical records, health systems, and essential infrastructure have accelerated in 2021. For example, patient records, deemed the proverbial gold for cybercriminals, will continue being targeted. As healthcare facilities continue grappling with the deadly impacts of the COVID-19 pandemic, personalized patient information has become a ripe target for social engineering threats. Additionally, hackers can use healthcare information to access financial records and use them in malicious actions, including making false health insurance claims or blackmail.
Additionally, ransomware threats continue inhibiting patient care globally. Ransomware attacks can potentially disrupt medical practices completely, resulting in life-or-death consequences. A ransomware attack targets and encrypts electronic health records, computer systems, and information systems until a hospital pays a specific ransom amount. Subsequently, the attack derails vital health services by preventing healthcare workers from accessing medical equipment.
During the COVID-19 pandemic, hackers exploited the resulting confusion to target health services, causing a rise in healthcare-related ransomware incidents in 2020 and 2021. Due to this, the FBI, Department of Health and Human Services (DHHS), and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory regarding the rising and imminent ransomware threat to US healthcare providers.
Significant Cyber-attacks in Healthcare Since COVID-19
Numerous attacks targeting the healthcare sector have occurred following the outbreak of the devastating coronavirus. The following attacks are described along with their root causes and impacts:
1. Brno University Hospital Ransomware Attack
Brno University Hospital, one of the major healthcare providers in the Czech Republic, was a ransomware attack victim. After the hospital discovered the ransomware infection, it pulled its computer networks offline, causing the postponement of serious surgeries. Also, the variant used in the attack was gradually replicating, causing individual systems to fail and necessitating the disconnection of all networks and computers. As a result, the ransomware incident disrupted the provision of critical services since the hospital could not access database systems or collect new patient medical information. Furthermore, effects like shifting from digitized procedures to manual pen-and-paper processes can cause patient safety issues at a time when the global healthcare sector is fighting a killer virus.
2. DHHS DDoS Attack
A DDoS attack targeted the United States Department of Health and Human Services last year in an attempted disruption of the COVID-19 response effort. During the attack, malicious actors targeted the organization’s servers with millions of traffic requests for multiple hours. With the DHHS tasked with supporting essential human services and ensuring the health safety of US citizens, the attack aimed at derailing the response measures to coronavirus. However, the organization maintains that the attackers did not intrude on the internal networks or steal sensitive information. Such an attack demonstrates that cyber threats to the healthcare industry need not cause network or system damage or information theft to impact healthcare services.
3. Increasing COVID-19-Themed Phishing Attempts
The World Health Organization (WHO) and associated partners warned the public regarding rising phishing and website hacking attempts. According to the warning, malicious individuals registered more than 4,000 COVID-19 related domains since the virus was first announced in 2020. Adversaries used the registered domains to facilitate phishing attacks aimed at stealing login credentials for various sites. For example, a group of malicious cyber actors registered a dummy website to trick WHO workers into inputting their login credentials. While the phishing campaign was largely unsuccessful, it shows that phishing attacks can target global healthcare bodies.
4. Increased Ransomware Attacks Worldwide
A recent Interpol advisory cautioned health institutions and security agencies worldwide regarding a significant rise in ransomware incidents targeting hospitals. According to the notice, increasing cases of attempted ransomware attacks had been noted in almost all countries. Most ransomware incidents used COVID-19 themed phishing emails to deliver the ransomware variants to multiple medical providers.
Besides, the US and the UK also issued a joint cyber warning to major healthcare organizations concerned with responding to coronavirus cases in both countries. The US CISA and the UK National Cyber Security Centre (NCSC) issued a joint statement describing the cybersecurity threats they had uncovered. In particular, the joint statement noted large-scale password spraying attacks targeting medical research institutions and healthcare bodies.
5. Malware Variant Targeting the Healthcare Supply Chain
An FBI-issued warning noted a spike in the malware variant used to execute supply chain attacks directed at the global healthcare sector. The malware, referred to as Kwampirs, is a remote access trojan that hackers use to detect and exploit network security flaws in healthcare organizations. Supply chain attacks involve pre-compromised medical devices or components that contain malware designed to execute under a specific environment. In the FBI warning, the supply chain components susceptible to the malware consist of cyber-physical assets and systems required to provide crucial health operations. The FBI advisory on the Kwampirs supply chain malware noted it is more prevalent in targeting medical device manufacturers in the Middle East, Asia, Europe, and the US.
A Wakeup Call for Healthcare Cybersecurity
The 2020 health pandemic exposed a pressing need for healthcare organizations to invest more in cybersecurity infrastructure, tools, and incident response procedures. In addition, reports from multiple cybersecurity experts have revealed the unique challenges the health industry faces compared to other industries. For example, prior to the pandemic, medical providers were already prime targets for data breaches owing to the vast amount of patient medical records required to provide effective services.
In the 2021 Horizon Report, the reported breach statistics in the healthcare industry are more than dismal. For instance, the report reveals that at least 500 healthcare institutions were victims of a cyber-attack affecting not less than 500 patient records, with a cumulative total of more than 23.5 million impacted patients. Furthermore, the report notes an 18% rise in reported data breaches within the first ten months of 2020 compared to a similar period in 2019. Attackers targeted medical providers the most since healthcare breaches accounted for 79% of all breaches.
However, the increased rate of malicious cyber events can be attributed to the reluctance of the healthcare industry to strengthen cybersecurity in contrast to their counterparts in other industries. 2020 was just an eye-opener for a problem that has been in existence for many years. For example, the need to rapidly embrace remote working revealed severe exploitable vulnerabilities. These include weak passwords, and an ignorant workforce that tends to open suspicious emails and attachments added to the exposure. Also, with many healthcare workers working remotely, the preference for personal devices over work-issued equipment further increased security risks facing the healthcare sector.
All these and other cybersecurity scares have forced healthcare providers to rethink data security, network security, employee training, endpoint security management, and data procedures, governance, and policies. Specifically, security information and event management (SIEM) is taking a front seat in healthcare cybersecurity. SIEM collects and analyzes security event data to identify potential threats, enabling organizations to implement requisite protection technologies.
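As an added illustration (not code from the original article), the sketch below shows the kind of correlation a SIEM performs on authentication events to surface the password spraying noted in the CISA/NCSC statement: one source failing against many accounts with only a few tries each. The log format, thresholds, and all function names are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (timestamp, source IP, username, outcome); not real data.
SAMPLE_LOG = """\
2021-03-01T08:00:05 203.0.113.7 a.nurse FAIL
2021-03-01T08:00:40 203.0.113.7 b.radiology FAIL
2021-03-01T08:01:10 10.20.0.15 c.pharmacy FAIL
2021-03-01T08:01:22 10.20.0.15 c.pharmacy SUCCESS
2021-03-01T08:01:30 203.0.113.7 c.pharmacy FAIL
2021-03-01T08:02:15 203.0.113.7 d.records FAIL
2021-03-01T08:03:00 198.51.100.9 e.admin FAIL
2021-03-01T08:03:02 198.51.100.9 e.admin FAIL
2021-03-01T08:03:04 198.51.100.9 e.admin FAIL
2021-03-01T08:03:05 203.0.113.7 e.admin FAIL
2021-03-01T08:04:00 203.0.113.7 f.lab SUCCESS
"""

def parse(line):
    ts, src, user, outcome = line.split()
    return datetime.fromisoformat(ts), src, user, outcome

def detect_spray(log, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources whose failures touch >= min_users accounts inside `window`
    with at most max_per_user tries per account (the spray pattern).
    Returns {source: {"targets": [...], "succeeded": [...]}}."""
    events = sorted(parse(l) for l in log.splitlines() if l.strip())
    recent = defaultdict(deque)     # source -> failures still inside the window
    targets = defaultdict(set)      # source -> accounts seen while flagged
    for ts, src, user, outcome in events:
        if outcome != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        tries = Counter(u for _, u in q)
        if len(tries) >= min_users and max(tries.values()) <= max_per_user:
            targets[src].update(tries)
    report = {}
    for src, users in targets.items():
        # A success from a flagged source marks the account to reset first.
        wins = sorted({u for _, s, u, o in events if s == src and o == "SUCCESS"})
        report[src] = {"targets": sorted(users), "succeeded": wins}
    return report

if __name__ == "__main__":
    for src, hit in detect_spray(SAMPLE_LOG).items():
        print(src, hit)
```

The repeated failures against a single account from 198.51.100.9 and the one mistyped password from 10.20.0.15 are deliberately not flagged; only the many-accounts, few-tries pattern is.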
Also, healthcare operators are focusing more on enhancing internal security procedures and employee training. Some internal security processes include tightening access to essential data, systems, and equipment to authorized and authenticated users. On the other hand, training the healthcare workforce has become critical to thwarting ransomware and phishing attacks. The human element is one of the weakest links in organizational cybersecurity, requiring the healthcare sector to implement frequent training and awareness programs. For example, as phishing attacks skyrocketed following the coronavirus outbreak, hospital workers must be trained on identifying, handling, and reporting phishing emails and text messages.
Best Practices and Security Solutions to Healthcare Cybersecurity Issues
1. Implementing Endpoint Security Measures
As a result of the COVID-19 pandemic, healthcare workers and patients alike have resorted to using the Internet of Things (IoT) and telehealth technologies remotely in compliance with social distancing regulations. However, using the technologies outside a hospital’s protected network has increased the threat footprint and expanded the attack surface. Therefore, it is pertinent for healthcare employees to reduce the use of IoT technologies to meet the security regulations stipulated in the Health Information Protection and Portability Act (HIPAA).
That said, it is crucial to note that most health facilities rely on perimeter security, such as firewalls and antivirus tools, to secure sensitive patient information. Unfortunately, such defenses are largely incapable of protecting against modern threats and an expanded attack surface. Fortunately, an endpoint device security approach can assist hospitals in preventing unauthorized access by managing the devices and users that can access confidential patient records remotely. The solution also provides increased visibility of connected devices and users to strengthen security monitoring and management.
2. Increase Cybersecurity Training and Awareness
Many healthcare institutions have already rolled out cybersecurity programs for raising training and awareness levels among health workers. Some of the training solutions used today include training users on the best practices when accessing and using patient information and raising awareness of best password security practices. For example, a common training method includes sending phishing messages to determine how many employees can identify and report phishing emails. However, the common training procedures are inadequate for equipping workers with the skills necessary to protect against most COVID-19 themed attacks. Although the world appreciates the importance of cybersecurity training, the healthcare industry is more at risk of being attacked and, therefore, needs to focus on enhancing the efficiency and efficacy of awareness programs.
3. Cybersecurity Technology Rationalization
It is a common practice for healthcare entities to continue using outdated technology or have a wide array of unused cybersecurity capacity. The approach exposes an organization to numerous threats since it is challenging to protect vulnerable medical equipment or IT assets connected to a network. In this regard, the following points can assist cybersecurity teams in healthcare setups to rationalize cybersecurity tools and technologies required to reduce risk and achieve a robust information security posture:
- Track the available cybersecurity technology, types of tools, and protection approach (in-house or outsourced) to successfully secure all vulnerable areas.
- Evaluate the compatibility of current tools with anticipated approaches, such as work from home requirements. Through the evaluation results, a hospital can decide if it is necessary to add compatible cybersecurity capacity before adopting new technologies or work methods.
- Develop key performance indicators and monitor progress to ensure that the healthcare organization is on track to meet an optimized cybersecurity posture.
4. Legislation of Appropriate Policies
The health industry in many countries has implemented various pieces of legislation aimed at strengthening patient data privacy and protection. Also, there are different regulations and laws developed to secure cyber-physical systems in a healthcare environment. However, given the new normal resulting from the impacts of COVID-19, relevant regulatory bodies must tailor healthcare cybersecurity controls to meet emerging security needs. Besides, medical device manufacturers must consider the controls and regulations when designing mobile devices or other equipment to foster telehealth procedures. Essentially, responsible government agencies and regulatory bodies need to collaborate in strengthening legislation and cybersecurity policies to protect against increasing attacks.