As health care organizations have responded quickly to deal with the fast-moving nature of the COVID-19 pandemic, three major factors have contributed to creating a climate ripe for cyberattacks against the field. 

According to John Riggi, senior advisor for cybersecurity and risk at the American Hospital Association (AHA), hospitals quickly moved to expand patient care services outside of health care’s four walls through technologies such as telehealth and remote patient monitoring. This, along with many health care personnel being encouraged to work from home, has expanded the attack surface for cybercriminals. The health care field has also seen an increased number of cyberattack types, juxtaposed with fewer available resources to bolster cybersecurity defenses.

Although the expansion of network-connected technologies in health care has been vital to help fight and slow the spread of the pandemic, the expanded cyberattack surface, combined with increased types of attacks and fewer resources, has led to what Riggi calls a “cyber ‘triple threat’ for hospitals and health systems.” And as the pandemic has progressed, the climate has only gotten more hostile.

Data from the Department of Health & Human Services Office of Civil Rights breach portal shows there were 177 active and resolved hacking incidents affecting 13.5 million individuals in the three-month period between Sept. 1 and Dec. 15 last year. Comparatively, there were 218 active and resolved hacking incidents for the eight-month period between Jan. 1 and Aug. 31, affecting 7.3 million individuals. 

For instance, a medical center in the Northwest was hit by a cyberattack in the fall that resulted in complicated communications, disruptions to scheduled procedures and limited pharmacy services as it worked to restore its systems from a ransomware attack. Although its investigation determined that patient information was uncompromised, the system still had to restore its computer system with an emphasis on biomedical devices in clinical areas and replacement of about 2,000 computers. 

Around the same time, a health network in the Northeast was also hit by a widespread cyberattack that affected many patient services, such as shutting down access to electronic medical records and patient portals. Despite working day and night to restore its system and even receiving help from the National Guard, thanks to the governor’s orders, the network was still working to fully recover even weeks after the attack. 

Email phishing remains the No. 1 cyberattack method, prompting health care organizations to better train personnel to spot these malicious attempts. However, many vulnerabilities exist within operational technology (OT), as well. 

The American Society for Health Care Engineering developed a monograph last year to help health care facilities professionals learn more about cybersecurity and how proper management of OT plays a crucial role in keeping health care facilities safe. The “Best Practices Framework for Health Care Cyber-Physical Protection: For the Project Construction Team” can be found at ashe.org/hdrcyber. 

The monograph details best practices to help mitigate cyber-physical risk with network-connected devices including electrical and mechanical building systems. Unfortunately, as buildings get smarter and more connected, cyber risk also increases. 

Some of the OT discussed in the monograph includes building systems such as fire alarms and mass notifications as well as other systems, including security and access control technology, and freezer and refrigerator temperature monitors. 

In addition to the need for greater cybersecurity awareness among all levels and disciplines of health care personnel, Riggi says that coordination among federal agencies and with the military plays a crucial role in protecting infrastructure. 

For instance, in October 2020, U.S. Cyber Command conducted offensive cyber operations aimed at disrupting the Trickbot botnet used to distribute ransomware. Within days of this operation, the FBI indicted six Russian military intelligence officers implicated in, among other cyber crimes, distributing destructive malware globally in 2017. Riggi says this instance is an excellent example of the type of unified, coordinated government approach that can help defeat cyberthreats. 

Some of the government efforts suggested by the AHA include: 

  • Develop and disseminate coordinated national defensive measures, including leveraging national technical defenses, which are used to protect government agencies.
  • Strengthen and expand the cybersecurity workforce through grant programs and retraining efforts, perhaps with a particular focus on the retraining of veterans.
  • Identify and disrupt bad actors in non-cooperative foreign jurisdictions.
  • Increase the consequences for those who commit attacks.
  • Identify and support cybersecurity best practices and increase information sharing between the private sector and the government. 

“Health systems, and the patients they care for every day, are heavily targeted by cyber adversaries,” Riggi says. “They have made great strides to defend their networks, secure patient data, preserve health care services’ efficient delivery and, most importantly, protect patient safety,” Riggi adds. “However, our field cannot do it alone. Hospitals and health systems need more active support from the government to defend patients.”