Three years after the WannaCry cyberattack shut down hospitals and health care facilities in Europe (particularly in the U.K., where some 70,000 computers and other devices across 16 locations were compromised), the healthcare sector remains one of the prime targets for cyber criminals. Why is this, and what can be done?
Many of the issues with the state of healthcare cybersecurity revolve around resources. Hospitals tend to use hardware and applications much longer than other industries, due to budget constraints, lack of personnel, and the perceived inconvenience of replacements and downtime. Many hospitals and offices are still running PCs using Windows 7, for which extended support ended in January 2020. Facilities rely on connected devices like monitors, imaging machines, scanners, and other equipment running obsolete operating systems with known security flaws, but a lack of available expertise and funding leaves these targets exposed to potential cyberattack.
And hospitals aren’t the only targets in healthcare. In February 2020, NRC (a service provider supporting 75% of the top 200 hospital chains in the U.S., and dozens of healthcare facilities across Canada) was affected by a security breach and ransomware attack, disrupting service for days. Canada is still reeling from the 2019 attack on LifeLabs, which affected millions of confidential patient records in Ontario and BC.
Health Sector’s Data Is At Risk
Cyber attackers understand not only that the health sector is a “soft target”, but that the data at risk is arguably the most sensitive personal information that third parties can store. WannaCry’s ransomware attack resonated because of its scope and impact: thousands of patient appointments were affected and thousands of pieces of diagnostic equipment were locked up, literally holding lives for ransom. Dozens more ransomware attacks have been reported over the years, keeping healthcare among the top ten sectors for attack – and climbing – according to a 2019 cybercrime report from Malwarebytes. Ransoms in healthcare incidents also seem to be higher than average, showing the hackers’ awareness of the immediacy and urgency of the extortion on hospital operations. While credit card and financial information is more lucrative in the short term, personal health information is “forever” and cannot simply be changed by issuing a new credit card, making the impact of its loss that much more profound.
Interestingly, while hospitals are at the low end with respect to some computing technology, they can be at the leading edge of deploying “smart” medtech. The rapid introduction of IoT (or, more specifically, IoMT or IoHT, reflecting “medical” or “health” in the “Internet of Things” acronym) in sensors, monitoring and diagnostic equipment is seen as a way to improve patient care, increase efficiency and cut costs. Wireless technology also provides significant advantages in efficiency, consistency of reporting, and communications between doctors, nurses, and support staff. iPads, laptops, and wireless monitors have replaced pens and paper charts. But the sensitive data tracked by these devices may be at risk of exposure to theft or ransom unless it is properly secured and accessible only to authorized personnel. Healthcare organizations seeking to reduce complexity and hardware commitments have also been moving to cloud services to store medical records and patient data, and to facilitate collaboration between service providers, suppliers, staff and patients. If the cloud services are not configured and managed properly, however, the security consequences can be catastrophic.
How serious is secure authentication and end-to-end network/cloud security?
Consider the recent vulnerabilities identified in widely-used anesthesia and respirator machines. It was found that these “smart” devices could be accessed with no authentication requirements at all, so anyone getting onto the hospital’s network could readily hack into these sensitive machines, potentially tampering with the devices, shutting off warning alarms, or even copying/changing recorded data, compromising patient care. Another recent case involved forged requisitions for hundreds of thousands of dollars of opioid medication submitted by a hacker spoofing an administrator’s credentials and penetrating hospital record and order processing systems. Massive implications can flow from healthcare breaches.
Unfortunately, cybersecurity training and awareness are not a high priority at some healthcare facilities. With time at a premium, personnel already bombarded with information and competing priorities tend to put “computer stuff” at the bottom of the pile. This heightens the risk of susceptibility to phishing attacks or accidental disclosure. A Kaspersky survey of North American healthcare professionals indicated that nearly a third of surveyed personnel said they had not received any cybersecurity training in their workplaces; 21% did not know of any cybersecurity policies where they worked, and 15% of those who did know about a policy had never read it. A 2019 survey and report of healthcare CIOs by CyberMDX indicated that only half of the responding hospitals had a formal inventory of computing devices; more than half either did not maintain security profiles of connected devices, or relied on a manual process to attempt to do so. Worse yet, nearly 2/3 of respondents conceded there was no audit of medical devices at all, or an annual review at best.
The complexity and importance of securing computing systems in healthcare facilities cannot be overstated. With in-house cybersecurity personnel difficult to recruit and even harder to retain, it would be wise to at least consider enlisting the help of external professionals. Assistance can start with a vulnerability management process: documenting and prioritizing security remediation; assisting with the patching/replacement of existing, dated systems; developing a workable plan to stay on top of system security to avoid disasters. Partners can help strategize the roll-out of new technology, whether it’s cloud tech, new IoMT devices, or even the implementation of 5G networks, which are the next “big thing” in healthcare due to the greater bandwidth that can handle hospitals’ big data/AI initiatives, massive images and scans, and expanding remote access requirements. And just as importantly, guidance can be provided on employee awareness training: hospital staff often have to be “first responders” when it comes to cyberthreats, and must be adequately and regularly trained. Identity and access management (IAM) control is essential in the healthcare environment – as shown, unauthorized network access can open the door to a surprising number of threats. Modern IAM can help lock down systems and resources, and ensure that appropriate tracking, reporting, and alerting takes place to help hospitals stay secure and minimize the severity of attacks or breaches if they do occur. Enterprise-wide systems can inventory, profile, and help control/restrict access by personnel and machines alike, helping to ensure that private data stays private and the risk of a costly ransomware attack is reduced.
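The vulnerability management process described above starts with something the CyberMDX figures show many hospitals lack: a device inventory that can be turned into a prioritized remediation list. The script below is an added illustration, not code from the original article or from any vendor it mentions. It scores a constructed inventory of clinical devices on the risk factors the article raises (unsupported operating systems, devices reachable with no authentication, placement on the general hospital network, handling of patient data, and time since the last security review) and orders them for remediation. The device names, the end-of-support table, the audit interval and the scoring weights are all assumptions a facility would replace with its own data; the Windows 7 end-of-support date reflects the January 2020 date given in the text.

```python
"""Device-inventory risk triage for a clinical network (added example).

Everything here is constructed for illustration: the inventory, the
end-of-support table and the scoring weights are assumptions a facility
would replace with its own data, not figures from any real hospital.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Vendor end-of-support dates. Windows 7 extended support ended on
# 14 January 2020; the table as a whole is an assumed list that the
# organisation would maintain from vendor lifecycle notices.
OS_END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

AUDIT_INTERVAL_DAYS = 365  # assumed policy: review every device at least yearly


@dataclass
class Device:
    name: str
    os: str
    requires_auth: bool         # does the device enforce authentication for remote access?
    segmented: bool             # is it isolated on a restricted clinical network segment?
    handles_phi: bool           # does it store or process personal health information?
    last_audit: Optional[date]  # date of the last security review; None if never reviewed


@dataclass
class Assessment:
    device: str
    score: int = 0
    # (finding, recommended remediation) pairs, in the order the checks ran
    findings: List[Tuple[str, str]] = field(default_factory=list)

    def add(self, weight: int, finding: str, action: str) -> None:
        self.score += weight
        self.findings.append((finding, action))


def assess_device(dev: Device, as_of: date) -> Assessment:
    """Score one device; the weights are assumed and tuned for triage, not precision."""
    a = Assessment(dev.name)
    eol = OS_END_OF_SUPPORT.get(dev.os)
    if eol is None:
        a.add(2, f"unrecognised OS '{dev.os}'", "identify the platform and confirm patch status")
    elif eol <= as_of:
        a.add(3, f"{dev.os} unsupported since {eol.isoformat()}",
              "upgrade or replace; until then isolate and restrict access")
    if not dev.requires_auth:
        a.add(4, "no authentication required for remote access",
              "enable device authentication or front it with an authenticating gateway")
    if not dev.segmented:
        a.add(2, "reachable from the general hospital network",
              "move to a restricted segment with allow-listed clients")
    if not dev.requires_auth and not dev.segmented:
        # The compounding case from the text: any host on the network can
        # reach an unauthenticated device, so the combination weighs extra.
        a.add(2, "unauthenticated and unsegmented", "treat as urgent")
    if dev.handles_phi:
        a.add(1, "stores or processes personal health information",
              "confirm encryption at rest and access logging")
    if dev.last_audit is None or (as_of - dev.last_audit).days > AUDIT_INTERVAL_DAYS:
        a.add(1, "no security review within the audit interval",
              "schedule a review and record the result in the inventory")
    return a


def prioritize(inventory: List[Device], as_of: date) -> List[Assessment]:
    """Return assessments ordered for remediation: highest score first, then by name."""
    assessed = [assess_device(d, as_of) for d in inventory]
    return sorted(assessed, key=lambda a: (-a.score, a.device))


# Constructed sample inventory (not real devices or a real facility).
SAMPLE_INVENTORY = [
    Device("OR-3 anesthesia workstation", "Windows 7", False, False, True, None),
    Device("Radiology CT console", "Windows 7", True, True, True, date(2018, 9, 1)),
    Device("Ward 4 nursing station", "Windows 10", True, False, True, date(2020, 2, 10)),
    Device("Pharmacy order server", "Windows 10", True, True, True, date(2020, 3, 1)),
]

if __name__ == "__main__":
    for a in prioritize(SAMPLE_INVENTORY, date(2020, 5, 1)):
        print(f"[{a.score:2d}] {a.device}")
        for finding, action in a.findings:
            print(f"      - {finding}: {action}")
```

Run as-is, the unauthenticated Windows 7 anesthesia workstation on the flat network lands at the top of the list, with the CT console (unsupported OS, but segmented and authenticated) second; the point of the additive score is that the cheapest fixes for the top item (segmentation and authentication in front of the device) can be applied long before the operating system is replaced.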
It’s Time to Act Now
Three years later, the CyberMDX report estimates there are still some 1,000,000 devices in the field susceptible to WannaCry. It’s time to act: an ounce of prevention is worth a pound of cure. Controlling and managing privileged access to personal health information and crucial systems can dramatically reduce the cybersecurity risks healthcare providers continuously face. Managing privileged access enables healthcare organizations to implement security layers that prevent the compromise of sensitive information and systems, while limiting the damage a cyber attacker can do by reducing privileges for users, applications and machines.
For more information check out the eBook: Healthcare Cyber Trends: Is your Organization Ahead of the Curve? to learn common attack methods used to penetrate healthcare organizations, how to protect privileged access and how it helps to align to global healthcare regulations.