In October 2020, a harrowing scene played out across the country: doctors and nurses caring for patients couldn’t access medical records, X-rays or CT scans. Hospitals in California, Oregon and Vermont were among the many that lost access to their critical systems — and said they still hadn’t fully restored access days and weeks later.
The culprit: a string of ransomware attacks that caused the government’s Cybersecurity and Infrastructure Security Agency to warn of “an imminent and increased cybercrime threat to U.S. hospitals and healthcare providers.”
While the attacks delivered a shock, the fact that they happened shouldn’t have surprised anyone. Hackers have long targeted healthcare facilities because of their known reliance on often-vulnerable legacy IT systems. In fact, the number of data breaches at U.S. healthcare facilities rose sharply from 2010 to 2019, with a 197% increase between 2018 and 2019 alone, according to a HIPAA Journal report. All told, the report noted, the private health data of 12.6% of all Americans may have been breached in the past year.
The September attack on Universal Health Services (UHS), and the October wave that followed it, are notable because hackers see healthcare as an even softer target today than they did a year ago. That’s because of the ongoing pandemic. Healthcare centers have been overrun by patients seeking treatment for COVID-19–related symptoms and have been focused more on that than on IT preparedness. Also, due to social distancing, more people than ever are accessing healthcare remotely. Telehealth visits with doctors increased 350-fold between March and June of 2020, according to the Department of Health and Human Services (HHS). With so many people sharing personal data online and through apps, hackers have a much bigger attack surface.
“Since telehealth is fairly new, we’re still discovering new types of fraud and the exploitation of security gaps,” says Michael Levin, vice president of enterprise information security at Optum, the health information technology and services firm that is part of the UnitedHealth Group. “We’ve identified the problems, but they haven’t all been fixed.”
Hackers swarm the wounded
The early weeks of the pandemic in the U.S. sent the nation into a panic, as healthcare facilities struggled to respond to the rapidly unfolding crisis. For CISOs and cybersecurity experts, it was an intense period of chaos and confusion. In March, federal guidance from HHS called for postponing non-urgent, non-COVID-related visits to healthcare facilities nationwide. As a result, patient-doctor consultations went virtual over consumer video applications like Zoom and FaceTime after HHS relaxed HIPAA enforcement on the telehealth channels providers were allowed to use.
The price of expediency was a rash of new security weaknesses. Hackers targeted telemedicine sessions conducted over Zoom, according to a study by Check Point Research, the research arm of security vendor Check Point. (Zoom has since strengthened its encryption.)
“There was a lot of desperation,” says Drex DeFord, former CIO at Steward Health Care and Scripps Health, two of the largest healthcare networks in the U.S., and founder of healthcare IT consultancy Drexio. “If doctors use Zoom or FaceTime, what’s the policy? Do we have a protocol? Meanwhile, CISOs were distracted, trying to set up drive-through testing centers, for example, so they couldn’t work on security issues they normally would focus on.”
Hackers wasted no time in launching malware attacks. From March to April, there was a 117% increase in IP reputation security alerts, a sign of increased traffic to and from addresses known to be malicious or suspicious, and a 56% increase in endpoint security incidents, meaning more intrusion attempts and malware actually reached their targets, according to a September 2020 joint study by security ratings company SecurityScorecard and dark-web research outfit Dark Owl. The report noted that the larger digital footprint of telehealth vendors had expanded the attack surface.
Telehealth gets phishy
The rampant confusion and uncertainty of the early weeks of the pandemic also made doctors and patients easy targets for phishing attacks. Hackers sent patients sophisticated emails baited with fake links to promised “COVID vaccines” and treatments.
“The phishing emails were brilliant,” says DeFord. “A doctor might get one saying, ‘Click here for today’s COVID infection rate for your area.’ Of course, doctors want the latest information, so they get sucked into a bad click.”
The attacker’s goal is to harvest the victim’s usernames and passwords for the healthcare portals where the valuable data lives. Those records can sell for up to $1,000 on the dark web. Criminals can then use the electronic health records to bilk insurance companies out of tens of thousands of dollars with fraudulent claims. That makes them far more valuable than stolen credit card numbers, which go for around $100 and are good only up to the card’s credit limit.
The danger escalates once phished credentials give attackers a foothold inside a healthcare organization’s network, as happened in the October attacks. Once inside, they can go undetected for months: a median of 54 days, and in some cases as long as 700 days.
During that time, cybercriminals can exfiltrate data, install malware, escalate to network administrator privileges and ultimately launch a ransomware attack like the one that crippled UHS. With patients’ lives on the line, the odds of a facility paying a hefty ransom are good. In fact, since 2016, a total of 172 ransomware attacks have cost U.S. healthcare organizations more than $157 million, according to a February 2020 study by Comparitech, a consumer-facing tech research site.
Best practices for telehealth — and beyond
The healthcare industry has come out of the early pandemic months stronger. Across the board, it has deployed better encryption and security controls. “There were poor practices out of the gate,” says Levin, the Optum VP of enterprise information security. “Since then, everybody has matured.”
For instance, the early telehealth visits over Zoom have given way to secure, HIPAA-compliant video conferencing channels, either developed in-house by healthcare systems and hospitals or licensed from third-party cloud vendors. The core requirement of HIPAA is protecting the privacy and security of patients’ protected health information. During this period, CISOs building proprietary telehealth platforms sought to build in, and verify, encryption and multifactor authentication that meets HIPAA’s security requirements.
Levin also offers this advice to CIOs and CTOs in the healthcare industry to ensure device security and data protection:
Manage your endpoints: Focus on hardening endpoints and restricting administrative rights. Endpoint detection and response (EDR) software lets you detect and investigate suspicious activity on your devices, including intrusion attempts by unknown actors. Levin also recommends using something like “whitelisting software” (application allowlisting), which must authorize an application before it can run on your devices.
Educate your workforce: Sophisticated phishing attacks, as well as “spoofing” attacks, seek to exploit trusting or distracted workers to penetrate secure networks. Employee error accounts for as much as 42% of healthcare breaches, according to a Verizon study. Onboarding training, and ongoing learning and development, should highlight these risks, but Levin notes, “You can’t educate your way out of the risk 100 percent.”
Automate security workflows: For overstretched IT and network administrators, automation is their best cybersecurity ally. Advances in unsupervised machine learning mean that software can monitor networks continuously for anomalies in access attempts, flagging suspicious activity in real time for analysts to triage.
Zero-trust 24/7: The zero-trust model grants no trust to an actor merely for being inside the network perimeter; every user and device must be authenticated and authorized on every access. It requires painstaking effort to inventory and monitor every instance of network access from every device, mapping all of their points of connection. That said, it is the best approach to hardening a complex healthcare network, Levin says.
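The continuous anomaly monitoring of access attempts that the “Automate security workflows” item describes, and the per-access monitoring the zero-trust item calls for, as an added example that is not the article’s or Optum’s code: a baseline-and-deviation detector run over authentication logs for a hypothetical telehealth portal. It learns each user’s devices, countries and login hours during a baseline window, then flags later logins from an unseen device or country, logins far outside the user’s usual hours, and a burst of failures followed by a success (password guessing or credential stuffing that finally landed). The log format, user names, IP addresses, device IDs and thresholds are all constructed for this example; the baseline is plain statistics rather than a trained model, which is enough to show the shape of the check.

```python
"""Baseline-and-deviation detector over telehealth-portal authentication logs.

Added example, not code from the article or from Optum. The log format,
users, IPs, device IDs and thresholds below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# <ISO-8601 UTC timestamp> <user> <source IP> <device ID> <GeoIP country> <result>
SAMPLE_LOG = """\
2020-04-01T08:02:11Z dr.patel 10.20.1.15 clinic-ws-07 US success
2020-04-01T14:10:40Z nurse.kim 10.20.1.22 tablet-03 US success
2020-04-02T07:58:03Z dr.patel 10.20.1.15 clinic-ws-07 US success
2020-04-02T14:05:12Z nurse.kim 10.20.1.22 tablet-03 US success
2020-04-03T08:15:27Z dr.patel 10.20.1.15 clinic-ws-07 US success
2020-04-03T13:55:44Z nurse.kim 10.20.1.22 tablet-03 US success
2020-04-06T08:07:51Z dr.patel 10.20.1.15 clinic-ws-07 US success
2020-04-06T14:20:09Z nurse.kim 10.20.1.22 tablet-03 US success
2020-04-09T03:15:02Z dr.patel 185.220.101.4 unknown-a1f3 RU success
2020-04-09T14:01:10Z nurse.kim 10.20.1.22 tablet-03 US success
2020-04-10T02:40:00Z nurse.kim 45.33.32.156 unknown-77c0 US failure
2020-04-10T02:40:05Z nurse.kim 45.33.32.156 unknown-77c0 US failure
2020-04-10T02:40:11Z nurse.kim 45.33.32.156 unknown-77c0 US failure
2020-04-10T02:40:16Z nurse.kim 45.33.32.156 unknown-77c0 US failure
2020-04-10T02:40:22Z nurse.kim 45.33.32.156 unknown-77c0 US failure
2020-04-10T02:40:30Z nurse.kim 45.33.32.156 unknown-77c0 US success
"""


def parse(log_text):
    """Parse the constructed format into dicts, sorted chronologically."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, device, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "device": device,
            "country": country, "ok": result == "success",
        })
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, baseline_days):
    """Devices, countries and login hours each user used in the first
    baseline_days of successful logins. Later events are judged against it."""
    cutoff = events[0]["ts"] + timedelta(days=baseline_days)
    base = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": set()})
    for e in events:
        if e["ts"] >= cutoff:
            break
        if e["ok"]:
            b = base[e["user"]]
            b["devices"].add(e["device"])
            b["countries"].add(e["country"])
            b["hours"].add(e["ts"].hour)
    return cutoff, base


def detect_anomalies(log_text, baseline_days=7, burst_threshold=5, burst_window_min=5):
    """Return a list of findings, each {"ts", "user", "reason", "detail"}."""
    events = parse(log_text)
    cutoff, base = build_baseline(events, baseline_days)
    recent_failures = defaultdict(deque)  # user -> timestamps of recent failures
    findings = []

    def flag(e, reason, detail):
        findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                         "reason": reason, "detail": detail})

    for e in events:
        user = e["user"]
        fails = recent_failures[user]
        window_start = e["ts"] - timedelta(minutes=burst_window_min)
        while fails and fails[0] < window_start:  # drop failures outside the window
            fails.popleft()
        if not e["ok"]:
            fails.append(e["ts"])
            continue
        # A success right after a burst of failures is checked regardless of baseline.
        if len(fails) >= burst_threshold:
            flag(e, "failure_burst",
                 f"{len(fails)} failures in the {burst_window_min} min before success from {e['ip']}")
        fails.clear()
        if e["ts"] < cutoff or user not in base:
            continue  # still learning this user; nothing to compare against yet
        b = base[user]
        if e["device"] not in b["devices"]:
            flag(e, "new_device", e["device"])
        if e["country"] not in b["countries"]:
            flag(e, "new_country", e["country"])
        lo, hi = min(b["hours"]), max(b["hours"])
        if not (lo - 1 <= e["ts"].hour <= hi + 1):  # one hour of slack either side
            flag(e, "off_hours", f"{e['ts'].hour:02d}:00 UTC vs usual {lo:02d}-{hi:02d}")
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']:10} {f['reason']:14} {f['detail']}")
```

On the constructed log this yields six findings: the 03:15 UTC login for dr.patel from an unseen device in an unseen country (three flags) and the nurse.kim success that followed five failures in under a minute from an unseen device at 02:40 UTC (three flags), while the routine 14:01 nurse.kim login on April 9 passes. In production the baseline would be rebuilt on a rolling window and the findings fed to EDR or a SIEM rather than printed, and the hour check would use the user’s local time zone rather than UTC.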
If the pandemic has shown us anything, it’s that healthcare, including telehealth, will always grapple with some network insecurity. But the radical stress test brought about by COVID-19 may actually have helped improve that.
“Things are actually much more secure than they were six months ago,” Levin notes. “COVID is now something that we live with. We understand telemedicine is something that’s going to be around for a long time now. It’s really pushed us towards adopting better practices.”
Illustration by Dan Bejar