Boring’s Not So Boring
COVID-19 & Healthcare Cybersecurity
COVID-19 has phenomenally altered the way healthcare functions, with growing adoption of telehealth and remote patient monitoring. The threat landscape in healthcare, too, has become fertile ground for phishing campaigns, malware, ransomware, breached patient records, and other cyberattacks on healthcare systems – all with far-reaching consequences.
According to Interpol, COVID-19 has led to shifts in targets from individuals and small businesses to government and critical health infrastructure. Security agencies in the U.K. and U.S. have unsurfaced targeted efforts against the healthcare, pharmaceutical, academic, and research industries tasked with providing uninterrupted patient care to infected people and in coronavirus vaccine research.
The healthcare sector is highly vulnerable today. Amidst one of the worst healthcare crises to have hit mankind, attackers are unflinchingly exploiting conditions like increases in teleworking – many with little or no prior experience and planning – fear and anxiety among the general masses, and an overworked and distracted medical workforce. Failure of healthcare systems can have dire consequences: failures to order drugs, schedule operations, or make ambulances available on time during emergencies.
In the fight against the pandemic, most countries rapidly rolled out virtual patient consultations using telehealth services in an effort to reduce physical contact to help prevent the spread of the disease. These services make use of remote access systems – which also means that every device and connection acts as a way into the healthcare system.
Given these unprecedented circumstances, the Office of Civil Rights (OCR) exercised enforcement discretion and announced that, during the pandemic, it will not impose penalties for noncompliance with HIPAA regulations against providers leveraging telehealth platforms that may not comply with privacy rules. This is giving hackers more leverage to deploy data breaches, ransomware attacks, EHR snooping, phishing attacks, and more.
Furthermore, to accommodate the rapidly rising numbers of infections and to support existing healthcare infrastructure, many countries around the world have had to create temporary COVID-19 facilities to house infected patients. Since these facilities are created in a hurry and the priority is to deliver patient care, security becomes a lower priority, with many crucial steps to protect networks and devices overlooked.
This, in turn, leads to weak spots in networks that are easily exploited by malicious actors. The Department of Health and Human Services has reported that between the months of February and May of this year, there have been 132 reported breaches. This is an almost 50% increase in reported breaches during the same time last year.
A result of the pandemic has also been a significant increase in the amount of patient health data stored by the government and healthcare organizations. Personal data like daily health parameters, co-morbid health status, insurance providers, as well as tracing all contacts who come in contact with an infected person can be exploited for identity theft and sold for a high value on the dark web.
Contact tracing and tracking apps are another source of privacy concerns. Sometimes patients’ medical history data needs to be sourced and transferred from regular hospitals to temporarily-created facilities, which happens over less secure technology. This puts hospitals and healthcare organizations at risk of “spray and pray” attacks by cybercriminals.
Fortified’s mid-year report found that 60% of healthcare breaches from the first half of 2020 were caused by a malicious attack or IT incident, rather than insiders. Email compromises have been the most common attack vector to gain access to healthcare networks and steal patient data during the pandemic. Fortified explained that these attacks are often executed by phishing campaigns used to drop malware or ransomware, which have remained prevalent throughout the crisis.
Given the scenario today, a focus on cybersecurity basics continues to be more important than ever. Organizations, especially in healthcare, must focus on email security and training. Users must be educated and tested with simulated phishing attacks and security awareness training. This creates both a positive security awareness culture and decreases the probability of users falling for attacks.
Network segmentation is another way organizations can limit or restrict communication between devices and systems that are critical to maintaining medical services. Today, when IT is already overwhelmed or understaffed, managed threat response services can help back up security operations by ensuring 24×7 threat hunting, detection, and response as well.
Visit Sophos.com/Healthcare to learn more.