With the impact of COVID-19, healthcare organizations may find themselves more vulnerable to cyber threats, especially if they have not prepared well for a crisis.

By Christophe Dore

During the COVID-19 crisis, the healthcare industry is executing profound changes at an unprecedented pace. Hospitals are reorganizing their units to free space and adding clinicians to units dedicated to this disease. They also are acquiring and deploying new medical devices—mainly ventilators and monitors. The number of ventilators in U.S. hospitals may almost double. [1]

Furthermore, hospitals are drastically and rapidly changing their staff profiles. Units and staff have been reallocated to increase the number of beds for coronavirus patients. Volunteers are called upon and come generously to support the hospital staff in any way possible. Some states are graduating medical school students early to increase the available workforce. [2]

Medical device and systems vendors also are discovering ways to help. Perhaps the best-known example is ventilator manufacturers joining forces with leaders of other industries, such as automotive, to expand their production capacity. [3] “It is a time for action and cooperation. By coming together across multiple industries, we can make a real difference for people in need and for those on the front lines of this crisis,” says Bill Ford, chairman of Ford Motor Company. [4]

Manufacturers are rapidly ramping up the production of these devices, doubling it in some cases, to satisfy the urgent demand. [5] [6] Some IT and surveillance system providers have been creative in proposing and facilitating the use of solutions specifically designed to support healthcare providers fighting the disease.

Change Should Not Happen at the Expense of Security

As hospitals work on their clinical readiness for the peak of the pandemic’s waves, cybercriminals—whether their motive is financial, political, activist, or even terrorist—have never been more ready to strike. The pandemic did not alter the availability of ready-to-use malware on the dark web, for sale or rent, allowing any ill-intended person to prepare and unleash attacks on organizations, including hospitals engrossed in crisis management. 

“For a mere $5 [per hour], anyone without any technical knowledge can purchase a DDoS [(Distributed Denial of Service)] for Hire Service and launch a DDoS attack,” wrote Tom Bienkowski, director of product marketing, Arbor Networks. [7] Bienkowski adds that the DDoS is often a diversion to cover more invasive fraudulent activity. The invisible part of the cybercriminal iceberg is the worst.

Even if some cybercriminals “promised” not to attack healthcare businesses during the pandemic [8], others [9] know very well that all this focused hyperactivity in the hospital creates more favorable conditions for broad-scale attacks, like the infamous WannaCry ransomware attack of 2017. “[W]e are really going to see an unprecedented wave of cyberattacks and cyber fraud,” says the U.S. attorney for the Western District of Pennsylvania, Scott Brady. [10] The pandemic did not reduce the financial attractiveness of personal health data over any other personal data.

In fact, INTERPOL warned in April that attempted ransomware attacks against healthcare and other organizations engaged in the virus response have increased: “Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid.” [11]

Current circumstances—with hospitals even more enticing due to the rise in admissions and more data to plunder—increase the risk for an organization to face, and possibly suffer, the damaging effects of cybersecurity attacks and breaches. The following are a few other reasons organizations are particularly vulnerable now:

  • New staff may not be as well trained—or experienced—as regular staff on the risks of cyber threats. Let’s face it, it can take a long journey for someone whose vocation is to help others in their worst moments to understand how an evil mind can construct a process designed to harm the hospital and potentially the patients. Exhausted staff will be less vigilant, and we know cybercriminals need just one person off guard at the wrong time for a noxious hack to occur. Staff is therefore more exposed to:
    • Social engineering. [12] There are many known ways to steal credentials, which often use deception, made easier with less trained and tired staff.
    • Unintentional data breaches, such as accidentally leaving a computer or a server open. [13]
  • Forced distancing creates phishing opportunities. Staff forced to work from home are now at a distance from the hospital’s functional departments, such as IT, [14] clinical engineering and finance, which phishers often impersonate. Cybercriminals may claim to be from the IT department, requiring a staff member to download a critical software update, according to Mike Weber, vice president of Coalfire Labs. With staff focused on supporting the effort against the disease, and with the increased distance, a phishing email is more likely to succeed.
  • Nonclinical staff working from home. Several hospitals asked their nonclinical support staff to work from home, keeping them away from places where the virus can spread. On the other hand, doing so creates an adjacency, if not a connection, between all the home IoT (Internet of Things) devices and the hospital network. Typically, the hospital laptop used at home sits on both the home network and the hospital’s enterprise network via a virtual private network (VPN). [15] This favors the cyberattack technique called “island hopping,” named after the U.S. war strategy in the Pacific during World War II. A cyberattacker does not attack a system frontally but instead edges closer by exploiting easier vulnerabilities available around the target, gathering information and credentials before finally gaining access to their prey. This technique has become prominent: [16] the Carbon Black report entitled “Healthcare Cyber Heists in 2019” showed that a third of the surveyed chief information security officers faced island hopping between June 2018 and June 2019. With staff working from home, using laptops that sit on both the controlled hospital network and less-controlled home networks [17][18], island hoppers have a new playground. Among all the staff working remotely, a cyberattacker needs to find only one vulnerable hospital laptop on a vulnerable home network to gain access to the hospital network.
  • Additional medical devices potentially increase the attack surface of the hospital. Many of these devices are connected to the hospital’s clinical information systems and applications, including the electronic health record (EHR) system. In such cases, the risk introduced by these devices depends greatly on the security of the hospital’s medical device integration (MDI). New ventilators and other devices mean potentially increasing the variety in the brand, model, and firmware available in the hospital to the attackers. A basic MDI solution could increase the hospital’s attack surface as more devices are connected, raising the level of risk not only on the hospital information system, but also on patient safety, as devices, like ventilators, are used to sustain life.

Preparedness Will Make a Difference

During unprecedented circumstances, preparedness makes all the difference, especially when faced with the potential increase of opportunistic cybersecurity issues and attacks. Hospitals without teams and solutions dedicated to cybersecurity are more vulnerable to being unknowingly infiltrated. They will be less efficient in responding to an attack, once, or if, they become aware of it. 

Conversely, hospitals with a dedicated team will be more reactive and will limit the damage of an attack. For instance, those that have already deployed and routinely use IoT security solutions, continuously scanning and analyzing all activity on and around the hospital networks, will be in the best position for early detection and for efficiently adding new devices and clinical systems without compromising overall security. They will be able to make sure any new device on the network is legitimate while controlling the network behavior of each device and optimizing the network defenses.

Healthcare organizations with a security-efficient MDI infrastructure will not increase their attack surface while expanding the number and variety of medical devices in their fleet. When adding medical devices, hospitals that previously deployed a secure MDI solution extend the security performance of this solution to the new devices. 

Hospitals that have already deployed multifactor authentication will be much less vulnerable to phishing’s adverse consequences, if the staff uses the security step. For remote workers, this authentication method will protect access to the VPN and, in turn, the entire hospital network.

The Pandemic Is a Stress Test on Healthcare Organizations

A cybersecurity plan cannot be designed and deployed in a day, especially in the middle of a public health emergency. There may be a few things an unprepared hospital can do at the last minute, but this will often be a Band-Aid that skillful criminals can sidestep. Hospitals will probably be equally threatened by the cybercriminals leveraging the new extreme circumstances, but their ability to respond will vary significantly according to the preparedness they built prior to the pandemic surge. 

Like the clinical preparedness and ability to ramp up to the level of the pandemic challenge, this exceptional situation will leave us with lessons in cybersecurity preparedness. It will be our duty to put this learning into action. We can just hope, today, that the cost of the lesson will be as low as possible.

Christophe Dore is a senior product manager overseeing hardware products and cybersecurity at Capsule Technologies. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at [email protected].

Resources:

  1. Hospital purchases more ventilators
  2. COVID-19: States call on early medical school grads to bolster workforce 
  3. Covid-19 Hospitalizations Top 22,000 in U.S. Ford Will Build 200,000 Ventilators
  4. FORD WORKS WITH 3M, GE, UAW TO SPEED PRODUCTION OF RESPIRATORS FOR HEALTHCARE WORKERS, VENTILATORS FOR CORONAVIRUS PATIENTS
  5. Industry races to meet demand for ventilators
  6. Air Liquide, Groupe PSA, Schneider Electric, Valeo Rise to the Challenge of Producing 10,000 Air Liquide Medical Systems
  7. Media Organizations Beware – DDos Attacks are Coming
  8. Hackers Promise ‘No More Healthcare Cyber Attacks’ During COVID-19 Crisis
  9. Message to Cybercriminals: Hospitals Are Off-Limits
  10. An ‘Unprecedented’ Wave Of Coronavirus Scams Is Coming, U.S. Attorney Warns
  11. Cybercriminals targeting critical healthcare institutions with ransomware
  12. 9 Ways to Social Engineer A Hospital
  13. 41% of Health Data Breaches Stem from Unintended Disclosure
  14. COVID-19 Incites Crimes of Opportunity
  15. Cybersecurity Crisis Management During the Coronavirus Pandemic
  16. Island Hopping becoming prominent technique to launch cyber-attacks: Survey
  17. New Cyberattack Warning For Millions Of Home Internet Routers: Report
  18. 32,000+ WiFi Routers Potentially Exposed to New Gafgyt Variant