Rising Cyberattacks on Healthcare: Time to Start Preparing
The global healthcare industry has been in crisis since the beginning of the COVID-19 pandemic. Hospitals are overwhelmed with severely ill patients while facing the risk of potential cross-infection. Many had to increase turnover rates and build new disease control facilities.
As if the situation isn’t bad enough, the healthcare industry is now facing another unprecedented threat: cyberattacks. Very few hospitals are fully prepared for a sophisticated ransomware attack. Given the current pandemic situation, most hospitals barely have any extra resources to allocate towards cybersecurity, making them especially vulnerable.
The nature of healthcare also makes it an appealing target for exploitation. Not only does the healthcare industry contain highly sensitive personal and health data, but its operations are also critical to fighting diseases and saving lives. Unfortunately, we are witnessing more and more cybercriminal groups using human lives as leverage for financial gains.
Below are a few of the major cyberattacks on healthcare organizations over the past year. Many of them are so-called “triple extortion ransomware attacks”, where the victim faces three potential losses: 1) getting locked out of its IT systems due to ransomware encryption, 2) the release or sale of personal and health data stolen during the attack, and 3) the potential life losses from service disruptions. These incidents show that cybersecurity is now becoming crucial to healthcare safety and must be treated as a priority by healthcare organizations.
Major Healthcare Cyberattacks During the COVID-19 Pandemic
Health Service Executive, Ireland
In May 2021, Health Service Executive (HSE), Ireland’s national agency for health and social services, faced an unprecedented ransomware attack led by the Conti ransomware gang. As a triple extortion ransomware attack, the HSE had to shut down all its IT systems and take all IoMT(Internet-of-Medical-Things) equipment and devices offline. As a result, some critical operations were delayed. New appointments had to be made offline and outpatients had to bring in their own medical history. After the Irish government decided to refuse the ransom and fight off the infection, the HSE faced months of service disruptions. Millions of lives were put at risk due to this attack.
Scripps Health, San Diego
Also in May 2021, Scripps Health, a San Diego-based five-hospital healthcare system serving Southern California, was hit by a ransomware attack. This had forced the organization to take many parts of its IT network offline for several weeks, leading to critical disruptions to healthcare services. To make the matter worse, the threat actors claimed to have exfiltrated personal and health data belonging to 150,000 patients, which included names, driver’s licence numbers, social security numbers (SSN), and medical records. As a result, Scripps Health was later sued for lacking adequate security measures on protecting patient data.
UVM Health Network, Vermont
In October 2020, the University of Vermont (UVM) Health Network suffered from a cyberattack that forced its hospitals to delay chemotherapy and mammogram appointments and redirect more than 300 staff members. A total of six hospitals were taken offline, including three in Vermont and three in New York. Malware infected over 5,000 computers and encrypted data on 1,300 servers. All the infected systems had to be reset to resume normal operation, leading to days of delay in health services.
Universal Health Services, US
In September 2020, Universal Health Services (UHS), one of America’s largest healthcare providers with over 400 facilities across the US and UK, was forced to disconnect its IT systems due to a malware attack. A total of 26 hospitals faced service disruptions and redirected emergency patients to other hospital systems. This happened at a time where COVID-19 infections in the US started climbing up their third wave. Such disruptions lasted for eight days before the organization was able to recover from the crisis.
Commonly Exploited Vulnerabilities of the Healthcare Industry
Due to the nature of the industry, a wide range of vulnerabilities could be exploited by threat actors. Recent cyberattacks on healthcare organizations mostly consisted of ransomware attacks, remote code execution, or DDoS (distributed denial-of-service), all of which were financially motivated.
Unprotected Personal and Health Data
The healthcare industry has long been an appealing target for cybercriminals since the adoption of electronic health records (EHR). On the positive side, EHR has made it seamless for patients to switch hospitals and allowed doctors to precisely manage and monitor more patients, significantly decreasing counts of misdiagnosis and prescription errors. However, on the negative side, unprotected EHRs could put some of the most sensitive data at risk.
Furthermore, the COVID-19 pandemic has increased the risk of exposing EHRs as more and more healthcare services are now offered online. For instance, patients who need periodic checkups now receive remote consultation with their physicians online before being referred directly to testing centers without the need to visit the hospital.
These rapid changes in the industry have made it very difficult for hospitals to keep up their data protection measures, leading to database configuration errors and unprotected EHRs from time to time.
Sophisticated Communication Channels
Healthcare organizations are involved in highly sophisticated communication channels, which contain a wide range of third parties that can be difficult to track. A typical hospital opens its network to visiting physicians, pharmacies, medical examination centers, insurance companies, medical equipment maintenance providers, and all kinds of other contractors. Such a highly intertwined communication network means that healthcare organizations are very vulnerable to third-party breaches and supply chain attacks. It is also difficult to educate and inform all these third parties on defending against potential phishing attacks.
Legacy Systems
Healthcare organizations tend to use legacy systems even beyond their end of life. This is especially a concern with publicly funded healthcare systems due to tight budgets. Since medical equipment like CT, MRI, and X-ray scanners are very expensive, hospital operators try to keep them for as long as possible. In fact, research showed that a high percentage of MRI machines still run on Windows 7, which has stopped receiving updates since early 2020.
Lack of Network Segregation
Hospital networks are just as complex as corporate networks. Yet, most hospitals do not segregate their networks with VLANs. The lack of segregation makes it very easy for attackers to gain access to a wide area of the network in a short amount of time, making hospitals especially vulnerable to ransomware infections. Since hospitals are exposed to a great number of third parties, having isolated networks is crucial for health data security.
Healthcare Cybersecurity: Start with the Small Steps
For a long time, healthcare organizations have shrugged off cybersecurity down their priority list. Even though data privacy regulations like HIPAA require adequate protection of health data, very few hospitals are fully protected against today’s sophisticated attacks. Of course, for an industry with limited financial resources, it would be unrealistic to deploy the latest cybersecurity measures altogether. However, it is never too late to start with the small steps.
To prevent attackers from gaining entry through phishing. It is crucial to set up multi-factor authentication (MFA) for all accounts with access to health data. An identity and access management (IAM) solution like iSIGN+ utilizes single sign-on (SSO) MFA to keep accounts safe from leaked login credentials, without causing any inconvenience to the user. Its authorization tools control access to crucial systems and servers, adding another layer of protection. iSIGN+ has been adopted by one of the largest healthcare systems in Singapore for HIPAA compliance and health data protection.
Source : PentaSECURITY blog