Escalating Cyberattacks on Healthcare Organizations Highlight Need for Security Interventions
Healthcare organizations have faced continual stress from heavy COVID-19 caseloads in 2020. Cyberattacks on their information networks also loomed as a serious threat, and the pressure to protect data is expected to grow this year, as more criminals target healthcare providers.
Protecting patient data from unauthorized access has long been a regulatory prerequisite for healthcare organizations. But increasingly, cybercriminals see profit potential in attacking and crippling their networks, and restoring operations carry a high cost, both in the expense of repairing IT capabilities, as well as lost revenue, productivity hits, and erosion of community trust.
The rising pressure to protect data systems is prompting healthcare IT security executives to take a hard look at security procedures, and ways to identify and secure potential network weaknesses.
Attacks on the Rise
The need to batten down security hatches has grown in recent months, as COVID-strained healthcare has been hit with devastating cyberattacks, and government agencies warned that more could be coming.
In late October, the FBI and two federal agencies warned that they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The potential attacks were attributed to a Russian-speaking criminal gang targeting providers with TrickBot and BazarLoader malware, leading to ransomware attacks, data theft, and service disruption. The agencies noted that the issues will be particularly challenging for organizations within the COVID-19 pandemic.
The federal warning came on the heels of several high-profile security breaches. In one attack, UVM Health Network had about 5,000 network computers rendered inoperable by a system outage that lasted 40 days; about 300 workers were furloughed because the outage prevented them from doing their jobs. The organization noted that its IT staff had to rebuild the entire infrastructure before re-populating it with backed up files and data, in addition to scanning and cleaning 5,000 computers and endpoints that had been infected. Hospital executives estimate the total cost of the attack at more than $63 million.
Another large cyberattack crippled Universal Health Services, a large hospital system that had a massive IT network outage in late September. The IT outage for the health system lasted eight days after a malware attack; it used downtime protocols and paper records during the outage.
Some reporting suggested that attackers are mounting ransomware attacks on healthcare system networks and charging higher-than-usual fees for its removal, suggesting that criminals may be targeting as many as 400 different facilities across the country.
More broadly, attacks are being aimed at the entire healthcare sector, according to reports from Microsoft. The technology company reported that it has detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for COVID-19.
In addition, providers could face monetary fines from the Office of Civil Rights of the Department of Health and Human Services, which has the prerogative of assessing fines on healthcare organizations or business associates for lack of compliance with HIPAA and willful neglect of practices that protect patient information. As of November 2020, OCR has settled or imposed penalties in 92 cases, resulting in fines of almost $130 million.
Boosting Security Efforts
To counter these threats, healthcare organizations are taking a variety of steps to improve their security postures. Protecting healthcare information is increasingly becoming a challenge because of growing pressure for healthcare entities to distribute healthcare information to better coordinate care, engage with patients and comply with regulations forbidding information blocking. Also, the COVID-19 pandemic has fostered the use of remote patient monitoring and telehealth services, which increase the amount of patient information being exchanged on provider networks.
An important component of ensuring information security for provider organizations involves regularly testing the defenses that protect access to crucial networks. Penetration testing is one way to check for the effectiveness of cyber defenses before potential incidents, rather than afterward, when patient care can be disrupted and expensive to resolve.
Also known as a pen test, the exercise simulates a cyberattack against a healthcare organization’s network to check for vulnerabilities that attackers could exploit. Pen testing can involve outside “white hat” hackers who attempt to breach application systems to find vulnerabilities, such as unprotected inputs that are susceptible to code injection attacks.
Pen testing can be complex, looking for weaknesses that can be exploited by insiders as well as outside attackers. It can involve significant preplanning in terms of reconnaissance, analysis of how systems and defenses respond to different forms of attack, and attempted exploits of weaknesses of systems – such as cross-site scripting, SQL injection, and backdoor efforts – as well as human engineering efforts, such as different forms of phishing attacks to see if system users need training so they don’t give their network login codes to cybercriminals.
Analysis of such efforts also is complex, assessing which vulnerabilities were found and exploited, if any sensitive patient data or administrative systems could be accessed, or how long a pen tester could remain in the system undetected after gaining access.
Many organizations conduct annual penetration tests, subjecting defenses to internal, external and application attacks designed to emulate real attacks. In addition, healthcare organizations do such testing to meet compliance obligations for standards such as the NIST 800-35 CIS ISO 27001, the PCI DSS, and SOC2, which require businesses to conduct regular penetration tests and security reviews using skilled third-party testers.
But the threat environment for healthcare organizations is always changing, and cybercriminals are constantly honing their skills to access networks and extract value from their attacks. To effectively protect critical systems and private health information, healthcare organizations need to develop customized approaches, utilizing the latest techniques, tools, and technical expertise from outside the organization to understand vulnerabilities and develop an actionable remediation plan.