Solving the healthcare cybersecurity crisis
Since 2020, hospitals and healthcare organizations suffered brutal ransomware and phishing attacks during the COVID-19 pandemic. Healthcare cyber attacks came from all sides and caught facilities off guard, from the aggressiveness and sheer volume of hacks and cyber threats. Hackers were trying to breach electronic medical records (EMR) to access valuable private patient data -- a hot commodity on the black market. Internal employees were caught snooping on patient medical records. And third-party vendors (like machine technicians) and programs (like telehealth) that healthcare systems trust and heavily rely on became avenues for hackers to use to access medical systems and information. Healthcare organizations are undoubtedly looking at previous years and the attacks thus far this year to prepare for future cyber threats that come with surges in COVID cases and hospitalizations, which strains hospitals of all sizes. As we look back, we can see the lessons learned from the cyber bomb dropped on healthcare organizations and use these lessons to fuel future healthcare cybersecurity strategies.
COVID has been a training ground for hackers
The pandemic brought on unique challenges that caused even more strain to healthcare facilities than usual, like reduced resources and an overwhelming influx of patients. Hospitals were more concerned about providing care for patients and making sure they had enough space, staff, and equipment like ventilators and PPE. Understandably, their focus might not have been on cybersecurity for hospitals and healthcare facilities, but on saving lives instead. Hackers have taken notice and have taken advantage, which is why data breaches increased in the healthcare sector by leaps and bounds.
Healthcare networks continue to be targets for hackers
Not only is healthcare data some of the most valuable data sold in underground markets, but the high volume of patients (and therefore patient data) make hospitals a gold mine for hackers. Hospitals also can’t afford downtime when it comes to responding to ransomware and phishing attacks. They can’t shut down operations like other critical infrastructure or supply chain organizations -- it could literally be a matter of life and death. Just look at some recent examples:
- Eskenazi Healthcare in Indianapolis had to turn ambulances away while security teams resolved a ransomware attack.
- Memorial Health System, which owns 64 hospitals in its network, had to cancel surgeries and radiology treatments in its West Virginia and Ohio locations due to ransomware that shut off IT access to healthcare systems.
- Sanford Health in Sioux Falls, South Dakota diverted ambulances to other hospitals while teams recovered the systems hit by a ransomware hack.
- In 2021, 38 cyber attacks caused disruption of services to 963 healthcare locations.
The impact ransomware has on healthcare institutions could not only cost hospitals money and resources, but also human lives.
Attack surface continue to widen for hospitals
Now more than ever before, hospitals need more equipment, higher production of supplies, and more advanced technology and devices, not to mention the IT needs of at-home healthcare workers who have to remotely access a healthcare system’s network. Hackers are Houdinis with the internet; they’ll take any internet-enabled devices (whether that’s medical equipment, laptops, or VPNs) and use it as an avenue to attack. This is even more of a risk considering that most hospitals are manually calculating device inventory and don’t have reliable ways to identify which devices are active or inactive on the network at any given time. With new variants playing COVID on repeat, hackers can continue to find more vulnerable devices, connections, and access points to exploit.
Hospitals need more cybersecurity protection
Unfortunately, hospitals get threats from every corner of the cyber threat landscape. They can’t escape the insider threat or the dangers from an external third party; the entire operation of a hospital relies on its employees, staff, vendors, and contractors. This means their systems need to follow suit and have tighter security measures.
- Internal access rights need to be audited frequently to make sure the staff members accessing patient records are actually permitted to access them. If there are any suspicious access attempts, this needs to be flagged, reported, and investigated.
- Zero Trust principles must be deployed; this means all external access attempts need to be authenticated and verified before access is actually granted to the individual. And if hospitals can use third parties who already have secure remote access methods in place, even better -- one less access point they have to worry about.
Healthcare cybersecurity is worth investing in
The US government has passed a large critical infrastructure bill, where nearly $2 billion is being devoted to cybersecurity alone. This is all due to the hefty and real-life consequences of recent cyber attacks on critical infrastructure like JBS, Colonial Pipeline, and Kaseya. The amount of money critical infrastructure is putting behind cybersecurity efforts should wake up hospital IT and security teams because they are just as much at risk of attack -- possibly more -- as critical infrastructure. A recent report by CyberMDX and Philips revealed these alarming stats about cybersecurity investments for hospitals and healthcare facilities:
- Only 11% of respondents said healthcare cybersecurity is a high-priority spend.
- Let’s look at this again - 89% of respondents (which includes health IT and infosec executives, biomedical technicians, and engineers) said healthcare cybersecurity is not a high priority spend.
- Two-thirds of respondents said they don’t track ROI on healthcare cybersecurity spending.
- Large hospitals reported shutting down for an average of 6.2 hours at $21,500/hour after a healthcare cyber attack occurs.
- Midsize hospitals shut down an average of 10 hours at a rate of $45,700/hour when experiencing a healthcare cyber attack.
- 50-75% of respondents are not protected from common cybersecurity vulnerabilities like Bluekeep, WannaCry, and NotPetya
The survey also revealed there was a huge talent shortage in cybersecurity for hospitals and healthcare facilities, and most healthcare organizations struggled to fill jobs within 100 days of posting. In addition, compliance teams are under-resourced and underfunded. How can hospitals stay safe and within compliance guidelines when there’s no one there to make sure it’s meeting regulatory standards?
Yes, the past can hurt. but you can either run from it or learn from it.”
This is the healthcare sector’s opportunity to learn from the past. We know healthcare IT teams are hurting, burnt out, and struggling. And we know they want to do all they can to secure their patients and their staff. As healthcare cybersecurity professionals, we can help. Imprivata has solutions that can automate and streamline many of the practices that will tighten security measures and mitigate the threat of a healthcare cyber attack:
- Access Monitoring - This patient privacy monitoring tool reviews all access attempts into electronic medical record (EMR) systems and flags any suspicious access. It sends the suspicious report to the appropriate parties, so investigations can begin immediately. The tool also uses machine learning capabilities to adapt to the healthcare organization’s data and systems, so it’s always up-to-date on which access is appropriate vs. inappropriate.
- Access Intelligence - Access Intelligence is a user access review tool that periodically reviews user access rights and permissions. It audits internal system access and practices role-based access control to ensure the right people have access to the right internal systems (and that the wrong people are kept out of those systems).
- Access Control for Enterprise - Healthcare enterprises can use Imprivata’s remote access platform to safely provide remote access to third-party vendors and contractors. Third parties are one of the biggest threats to the healthcare sector; they’re also simultaneously dependent on them. If a healthcare organization needs to provide remote network access to a third party, the Access Control for Enterprises solution gives a secure connection to third parties that verifies each user through Zero Trust and authentication methods, making sure each connection has as little exposure to the network as possible.
- Access Control for Vendors - If you’re a third party that serves a healthcare organization, we can help you provide the security hospitals are looking for. Access Control for Vendors gives third parties a secure remote connection into their healthcare customer’s network. You can give your customers peace of mind by providing the exact kind of protection and security they are looking for.
The good news is that we’ve been through this before, and now you have support on your side. Let’s work together to secure your healthcare system and stop the threats.