Cyber Risk in the time of COVID-19: Why Hospitals Are More Vulnerable than Ever – and How to Respond

The following is a guest article by Dustin Hutchison, President and COO, Pondurance.

In the midst of a pandemic in which more than 2 million people have gotten sick worldwide and 130,000 have died, you’d like to think that cybercriminals would recognize the gravity of the situation and agree to a collective humanitarian “cease fire” against healthcare organizations so medical teams can focus on saving lives instead of overcoming IT and care disruptions.

But this is not how the darker side of human nature works, especially when COVID-19 has created desperate economic circumstances which, in turn, encourage crimes of desperation. There are considerable monetary rewards to reap in a successful attack, after all. A hospital with every bed occupied, for example, might be tempted to pay a significant ransom to keep compromised systems running.

At Pondurance, we work on the front lines with hospitals to help them detect and respond to threats. Unfortunately, in recent months we’ve seen systemic and operational issues which existed well before the pandemic that are now amplifying the vulnerable state of healthcare.

Our observations serve as a microcosm of what we’re seeing worldwide, as cyber foes are seizing upon the “opportunities” that COVID-19 presents – actually increasing their attacks on systems designed to save lives:

Intruders in March tried to break into the World Health Organization (WHO), part of what WHO describes as a two-fold growth in cyber attacks on the agency and its partners as they’ve worked to contain COVID-19. In this particular case, hackers activated a malicious site which mimicked WHO’s internal email system, in an attempt to steal passwords from multiple agency staffers.

The FBI warns that an Advanced Persistent Threat (APT) is using the Kwampirs Remote Access Trojan (RAT) to exploit healthcare companies and hospital networks on a scale ranging from “localized infected machine(s) to enterprise infections,” according to the warning. The threat is targeting a large number of global hospital systems through vendor software supply chains and hardware products, placing their industrial control systems at risk.

INTERPOL has also issued a “Purple Notice” – a request for information about modus operandi, objects, devices and concealment methods used by criminals – to send an alert to police in all of its 194 member countries about a spike in ransomware attempts. “(Hackers) are using ransomware to hold hospitals and medical services digitally hostage; preventing them from accessing vital files and systems until a ransom is paid,” according to INTERPOL’s Purple Notice statement.

The rise of these attacks remains stunning and puts health and safety at risk, on top of cybercrime’s usual financial toll. Yet attackers’ calculating exploitation of the current pandemic does not surprise those of us working in healthcare security circles. Hospitals and other healthcare organizations have always represented high-profile targets, even in “normal” times: Based upon its analysis of nearly 41,700 security incidents and more than 2,010 breaches, the 2019 Verizon Data Breach Investigations Report (DBIR) indicates that the healthcare industry accounted for 466 of those incidents (ranked #6 among all sectors) and 304 of the breaches (second overall, behind only the public sector). In addition, for the ninth year in a row, healthcare organizations suffered the highest average cost of a data breach at $6.45 million – 65 percent greater than the $3.92 million global average for all industries, according to the 2019 Cost of a Data Breach Report from the Ponemon Institute and IBM.

Now that times are anything but “normal,” adversaries are eager to exploit the pandemic, regardless of any deadly consequences. In our personal observations, we are seeing two particularly troublesome situations which could extend the capacity for damage – even though both are avoidable and correctable through better prevention, detection and response tools, policies and practices:

A “business first/cybersecurity second” mindset. With more employees, partners and vendors working and logging into systems from home and off-site locations, we are seeing organizations scrambling to set up remote access while bypassing fundamental risk-management steps. Going into “get things rolling now and worry about details later” mode, they are too frequently seeking to get employees up and running swiftly, regardless of the possibly huge costs of bypassing normal controls. Healthcare is a first-responder sector; crises are the norm and you are always balancing around helping people, first and foremost. Still, the sheer scale of shifts like remote work for office workers and health facilities’ introduction of improvised triage and treatment areas, supported by equipment connected on the fly, creates many persistent security blind spots and attack surfaces.

A highly connected – and potentially exposed – cyber ecosystem. With ongoing advancements in consolidation/integration and the Internet of Things (IoT), there are more interconnected devices and systems than ever in healthcare. The total number of connected medical devices will surpass 13 million by 2023, up from 4.7 million today, according to a projection from 451 Research. Everything from respirator machines to heart monitors to electronic health record (EHR) databases to even physical facilities systems is getting linked. Yet, if the third-party vendors behind these devices do not incorporate an adequate level of defense, then the downstream fallout of an attack is dramatically elevated due to the now-exponentially expanded reach of impact.

Healthcare’s intersecting medical facilities, university campuses, insurance offices, payment processors and countless third-party service providers are not your typical corporate campus network. There is no single technology fix preventing ransomware, data theft or outages. The best strategy for mitigating risk is to align defenses with healthcare organizations’ unique missions, operations and constraints.

Make security hygiene second nature: Employee security awareness must be a constant in organizations’ cultures, so that in times of elevated stakes like disasters or shelter-in-place orders, employees are already educated and empowered to be productive safely.

Visibility first: You may not operationally “own” all the devices on your network, but you can sidestep that reality by concentrating instead on visibility into “what” is touching the network and “where.” That visibility reveals anomalous activity and opportunities to block behavior that may not be necessary for care but introduces unnecessary risk.

Segment for safety: In fast-paced environments where equipment boots and connects to save lives, it becomes difficult to map devices’ relationships to each other over time. This leads to poor network segmentation, where a critical MRI machine, for example, might be on the same network segment as printers or office Wi-Fi. Similarly, there might be vulnerable, outdated Windows operating systems running equipment close to the edge of a facility’s network, increasing the likelihood of these devices being exposed to intruders and malware. Solid healthcare security programs focus on the unique topography of medical networks as much as hunting for threats, so that the most critical and vulnerable assets are classified and segmented away from more diverse traffic coursing through the rest of the network.
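As an added illustration of the visibility and segmentation points above (this is not code from the article or from Pondurance), the Python sketch below audits an asset inventory for critical clinical devices sharing a segment with office equipment, unclassified devices, and outdated Windows systems near the network edge. The inventory, the role labels and the outdated-OS list are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed labels for this sketch; a real inventory would define its own.
CRITICAL = "clinical-critical"
OUTDATED_OS = {"Windows XP", "Windows 7"}  # assumed list of unsupported systems

# Constructed sample inventory: (name, ip, role, os, on_edge_segment)
INVENTORY = [
    ("mri-01",      "10.20.5.10", CRITICAL,      "Windows 7",  False),
    ("printer-3f",  "10.20.5.44", "office",      "embedded",   False),
    ("wifi-ap-2",   "10.20.5.60", "office-wifi", "embedded",   False),
    ("monitor-icu", "10.30.1.12", CRITICAL,      "embedded",   False),
    ("infusion-07", "10.30.1.13", CRITICAL,      "embedded",   False),
    ("kiosk-lobby", "10.40.9.21", "office",      "Windows XP", True),
    ("unknown-a4",  "10.30.1.99", None,          "unknown",    False),
]

def by_segment(inventory, prefix=24):
    """Group devices by subnet: "what" is touching the network "where"."""
    segments = defaultdict(list)
    for device in inventory:
        net = ipaddress.ip_network(f"{device[1]}/{prefix}", strict=False)
        segments[str(net)].append(device)
    return dict(segments)

def audit(inventory, prefix=24):
    """Return sorted (finding, subnet, device_name) tuples for segmentation gaps."""
    findings = []
    for subnet, devices in by_segment(inventory, prefix).items():
        has_critical = any(role == CRITICAL for _, _, role, _, _ in devices)
        for name, _, role, os_name, on_edge in devices:
            if role is None:
                # Visibility gap: nobody has classified this device yet.
                findings.append(("unclassified", subnet, name))
            elif has_critical and role != CRITICAL:
                # Segmentation gap: general-purpose device beside a critical one.
                findings.append(("shares-critical-segment", subnet, name))
            if on_edge and os_name in OUTDATED_OS:
                findings.append(("outdated-os-on-edge", subnet, name))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep="\t")
```

Each finding names the subnet and device to review, so the output can feed a reclassification or re-segmentation work list.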

In cyber risk – like modern medicine – prioritizing awareness, gathering information and visualizing your weaknesses versus the latest safeguards pays dividends. As someone with a long history in healthcare IT, I am encouraged by lessons these months are teaching our community that will help drive resilience and preparedness for what the future brings.