Healthcare institutions, particularly hospitals, have long been seen as a tempting target by cyber-criminals. Holding vast swathes of highly sensitive and valuable data, as well as having heavily interlinked IT systems and extensive use of IoT devices, modern organizations are both especially vulnerable and potentially highly lucrative should attacks be successful. Indeed, unlike most industries, cyber-attacks have the potential to directly endanger lives when it comes to healthcare.
Additionally, the scale and pressurized nature of the work in institutions like hospitals mean staff, focused on their critical roles, are highly susceptible to making security errors that open the door to cyber-criminals. Raj Samani, chief Scientist and fellow at McAfee, said: “Due to the size and nature of organizations within the healthcare industry, and the data they hold, our health service is often a target for cyber-attackers. The scale and variety of attacks are continually growing and evolving, and the tactics cyber-criminals use can be a combination of traditional phishing and vulnerability exploitation.”
Unsurprisingly, the use of ransomware has proven to be a popular mode of attack against hospitals; the WannaCry incident of 2017 impacting the UK’s National Health Service is just one of many reported in recent years. The potentially devastating consequences of an attack on patients could make institutions such as hospitals more likely than others to agree to ransom demands.
On a more positive note, recent research from Kaspersky has indicated that healthcare institutions have strengthened their security in light of incidents such as WannaCry; in 2019, there was a decrease globally in the number of attacked medical devices, including doctors’ computers, medical servers and equipment.
Additional Threats During COVID-19
However, the COVID-19 pandemic has seen hospitals under renewed focus from cyber-criminals, with institutions like these particularly vulnerable in the midst of a global health crisis.
“The last thing on a doctor or nurse’s mind is IT – they’re looking at saving lives”
David Emm, principle security researcher at Kaspersky, stated: “This is especially the case at a time of pandemic when the last thing on a doctor or nurse’s mind is IT – they’re looking at saving lives.”
Certainly, the evidence indicates that healthcare bodies are facing an increasing volume of attacks at this time of emergency. Recent research from McAfee showed that there was a 630% increase in the number of external cloud attacks between January and April 2020, with healthcare the second most targeted sector behind financial services. In April, Microsoft alerted several dozen hospitals in a “first of its kind notification” that their gateway and VPN appliances are vulnerable to ransomware groups actively scanning for exposed endpoints.
Interpol has also recently issued a Purple Notice regarding the heightened threat of ransomware attacks on healthcare organizations at the forefront of efforts to combat COVID-19. In May, a joint advisory was published by the UK’s National Cyber Security Center (NCSC) and the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), stating that healthcare bodies, pharmaceutical companies and research organizations have been subject to large-scale ‘password spraying’ campaigns.
Future Opportunities for Cybercrime
The increased dangers to healthcare organizations during COVID-19 are sadly likely be a sign of what’s to come. There are many reasons to believe institutions like hospitals could be even more vulnerable in the future. One reason for this is the growth of electronic data records of patients.
Emm commented: “In the medical sphere, data is particularly sensitive and we know that on the criminal underground, it is valuable. Also, it opens up other areas because if you’ve got somebody’s medical details then it lends itself to further scams such as phishing-based attacks.”
An especially alarming prospect relates to the aforementioned use of technology to diagnose and treat patients, including IoT devices that are implanted in patient’s bodies. This opens up the prospect of terrifying, dystopian type scenarios. Daniel Norman, research analyst at the Information Security Forum, explained: “Use cases for emerging technology range from adopting AI for diagnostics and imagery in radiology and neurosurgery, remote or autonomous robotics for complex surgeries and implantable IoT devices for managing diabetes or coronary complications.
“The dependency on the efficacy of technology has never had this many life-threatening implications before”
“The dependency on the efficacy of technology has never had this many life-threatening implications before. The healthcare service will become critically dependent on technology for decision-making processes, such as leveraging semi-autonomous and autonomous robots during surgeries or IoT devices to pump medicine into the human body. These will be significantly handicapped should systems fail during surgeries or consultations or if robotics connected to poorly secured networks are targeted.”
Establishing Effective Cybersecurity for Healthcare
In anticipation of these additional potential threats, what kinds of approaches do healthcare organizations need to put in place now to ensure they are adequately protected?
Firstly, with so many connected devices and systems in the healthcare setting, efforts should be made to separate different aspects of connected systems as much as possible.
Heather Paunet, vice-president of product management at Untangle, commented: “For larger systems within the network, such as connected devices or machines, labs and other medical departments, IT departments should create a multi-layered system of checks and balances within the network. Using a next generation firewall as a unified threat management system, IT departments should use captive portal logins, making it easy to identify who is logging into the system or into particular devices.
“IT departments should also segment different devices within the network, critical medical equipment such as ventilators, lab equipment, or heart monitors that have any connection to the internet should be separated from workstations pulling up patient records or billing information. This logical separation will ensure if one aspect of the network is compromised it won’t affect critical, life-saving devices or a doctor’s ability to administer care.”
A major component of effectively segregating different parts of the system is managing permissions. Emm said: “Having passwords on all external connection points in particular; any place that interfaces with the external network is really important. It’s also about making sure that only people who need to access something have that ability so not having a system which is flat and where there is generalized access to something.”
“It’s about having some kind of process in place for when a patch becomes available”
Implementing patch management properly is another crucial area in a hospital setting. Emm added: “If we think back to 2017, WannaCry exploited a vulnerability for which a patch existed. However, people were vulnerable because that patch hadn’t been rolled out. It’s about having some kind of process in place for when a patch becomes available; perhaps testing it on a local scale to check that it’s stable before doing a roll out.”
Staff Awareness
Having a staff well-versed on best cybersecurity practices and the policies of individual institutions, fully immersed in the steps that must be taken to protect systems, and ultimately patients, is critical to effective cybersecurity, regardless of how good the policies and technologies are. This is clearly easier said than done in busy hospital settings, with frontline employees such as doctors unlikely to be impressed with any practices that take up their time or hinder their work in any way. A survey among healthcare sector employees in the US and Canada by Kaspersky demonstrated that nearly a third of all respondents (32%) had never received any cybersecurity training from their workplace. Additionally, it found that one in 10 employees in management positions also admitted that they were unaware of a cybersecurity policy in their organization.
Therefore, placing an emphasis on why practices such as strong password security, including multi-factorial authentication, are so essential, is the first step to make. “Fostering a strong cybersecurity culture is crucial. There needs to be more awareness of the impact a successful attack or breach could have on healthcare institutions. This culture of informed risk management must start with the board and propagate through the organization, with education and investment in critical areas,” said Samani.
A Joint Solution
Ultimately, it requires a joint effort between IT departments and staff to have effective security in place in settings like hospitals, establishing a ‘zero trust’ type mindset in addition to robust software solutions. This is of course an approach that should be applied to all industries, but the complexities of healthcare IT and the particularly potentially devastating consequences of successful cyber-attacks puts it into extra focus when it comes to this particular sector.
As Samani put it: “Security maturity takes time, and requires best practice which is baked into the daily operations of the whole organization – not just IT. Technology and culture need to work in tandem to keep the health system secure and enable it to harness the next generation of digital healthcare technologies without opening the system up to potential threats.”