The healthcare industry has transformed rapidly in the last decade. Today, technology is an integral part of every aspect of healthcare, be it drug discovery, research & development, digital promotions, or supply chain management. As healthcare becomes increasingly digital through electronic health records (EHR) adoption and telemedicine applications, the information systems the data runs on are becoming more vulnerable to cyber-attacks. Connectivity is also important, as it improves health care and increases the ability of health care providers to treat patients. However, the risk of potential cybersecurity threats increases as more medical devices use software and are connected to the Internet, hospital networks, and other medical devices. Further complicating cybersecurity is the mobile device/application component, which also introduces several vulnerabilities.
According to the 2019 Thales Data Threat Report—Healthcare Edition, the majority (70%) of US healthcare organizations surveyed said they’ve experienced a data breach, with a third reporting one occurring in the past year alone. When these attacks are broken down by sector, Radware found healthcare was the second-most attacked industry, after the government sector.
The Coronavirus Disease 2019 (COVID-19) pandemic has resulted in widespread disruption to the healthcare industry. Alongside complex issues relating to ensuring sufficient healthcare capacity and resourcing, healthcare organisations and universities are now also facing heightened cyber-security threats in the midst of the pandemic.
There has been a 45% increase in cyberattacks on healthcare organisations worldwide in the last two months, making healthcare the most targeted industry by cyber criminals, according to new research from Check Point in Jan 2021. The increase in global cyberattacks on the healthcare sector is double the increase (+22%) in cyberattacks on all other industry sectors, the research found, while the average number of weekly attacks in the healthcare sector reached 626 per organisation during November, compared with 430 in previous months. Surges in cyberattacks on the healthcare sector occurred mostly in Central Europe (+145%), followed by East Asia (+137%), Latin America (+112%), Europe (+67%) and North America (+37%). Canada experienced the most dramatic increase with over a 250% uptick in attacks, followed by Germany with a 220% increase. Attacks on Spain’s healthcare sector doubled.
A recent threat intelligence task force created by IBM Security X-Force uncovered a global phishing campaign targeting organisations associated with a COVID-19 cold chain. This component of the vaccine supply chain ensures the safe preservation of vaccines in temperature-controlled environments during their storage and transportation. The phishing attack worked like this: the adversary impersonated a business executive from Haier Biomedical, a member company of the COVID-19 vaccine supply chain and qualified supplier for the Gavi vaccine alliance’s Cold Chain Equipment Optimisation Platform (CCEOP) programme. Disguised as this employee, the adversary sent phishing e-mails to organisations believed to be material support providers to meet transportation needs within the COVID-19 cold chain.
In a later blog post, Claire Zaboeva, Senior Strategic Cyber Threat Analyst at IBM, assessed that the purpose of this COVID-19 phishing campaign may have been to harvest credentials, possibly to gain future unauthorised access to corporate networks and sensitive information related to the COVID-19 vaccine distribution. The campaign started in September 2020, spanned six countries and targeted organisations likely associated with Gavi, the global vaccination alliance, and the CCEOP programme.
India is also not immune to such attacks, and experts are concerned about the security of the country’s digital vaccine delivery and distribution (VDD) infrastructure – the backbone of its national level COVID-19 vaccination plan. The key to the success of the pan-India rollout of the COVID-19 vaccination drive, launched by Prime Minister Narendra Modi on January 16, will be the cybersecurity framework India has readied, experts say.
“The fears are not misplaced. In Dec 2020, IBM’s cybersecurity arm notified the United States Department of Homeland about the possibility of a sophisticated state-sponsored attack on government organisations involved in vaccine delivery across the globe,” says Supratim Chakraborty, Partner, Khaitan & Co. According to him, alongside these well-coordinated attacks, there have also been many instances of small groups or individuals looking to extract data or money from unsuspecting citizens and organisations through phishing and through malware attacks. “This has prompted firms across India to focus on onboarding specialized cybersecurity specialists or teams to guard against external attacks as well as internal leaks through unsuspecting employees,” he says, adding that “the good news, however, is that these are not novel threats.”
The CoWIN (Covid Vaccine Intelligence Work) App may also need to be shielded from cyber attacks. Ram Seethepalli, CEO, Cyberior by Europ Assistance India, points out that the entire ecosystem for CoWIN was conceptualised by the Indian government in the last two to three months.
According to Seethepalli, the robustness of the security framework around the platform deployed will depend a lot on the public-private partnerships that evolve in the coming days. “Due to the rapid requirement for prototyping and development, the responsibility lies on partners to ensure that no corners are cut and that the systems aren’t susceptible to dangerous threats such as hacking from the foreign state and rogue actors that wish to target the data of citizens and also potentially disrupt the entire vaccination process,” he says.
Cyber threats to the health sector
Advancements in technology have offered healthcare an opportunity to save lives and operate efficiently. This technology has created vulnerabilities to threats that infiltrate, steal, or hijack networks of confidential data and systems. Nation-states have used these opportunities to gather intelligence using software espionage tools and customized malware in social engineering attacks to steal intellectual property or gain competitive advantage. For instance, the second-largest healthcare insurance provider in the United States was affected by a foreign government attack in this way in 2014. Cyberterrorists, meanwhile, launch disruptive or destructive cyberattacks to cause physical destruction of property, loss of life and spread terror. Hacktivists are internet activists who attack cyber assets to draw attention to their political causes and tend to choose highly visible or high-profile targets.
For example, the use of telemedicine technology is expected to grow by over 18 percent annually through 2020. Physicians are increasingly adopting telemedicine and telehealth services that rely on the transfer of data from one location to another, whether through interactive video consultations, store-and-forward technology or remote patient monitoring. Unfortunately, this data can be stolen or even manipulated during transmission by cybercriminals looking to harm patient outcomes. To protect consumers and their own businesses, telemedicine providers should provide services via applications that use end-to-end encryption and other security technologies to prevent information theft or tampering.
According to the report, these organizations saw a significant increase in malware or bot attacks, with socially engineered threats and DDoS steadily growing, as well. According to the research, the increase in attacks involves a range of attack vectors, including ransomware, botnets, remote code execution and DDoS attacks.
Ransomware showed the largest increase and poses the most significant malware threat to healthcare organisations when compared to other industry sectors. The primary ransomware variant used in attacks is Ryuk, followed by Sodinokibi. The report found the most disturbing ransom attack is one that seeks to take advantage of people who are dealing with health issues. Many ailments are treated with cloud-based monitoring services, IoT-embedded devices and self or automated administration of prescription medicines. Physicians were most concerned that future attacks could interrupt their clinical practices, compromise the security of patient records, or affect patient safety.
Covid-19 forced millions to work from home and fueled anxieties about the virus, presenting a tempting target for cyber criminals. Since the outbreak began, various healthcare providers and academic institutions across the world have been targeted in a variety of complex and coordinated cyber-attacks. The NCSC, a division of GCHQ, Britain’s signals intelligence agency, said that since March 2020 it had taken down 15,354 campaigns using coronavirus to lure people into clicking links which could have led to phishing and malware. Many of the 22,000 malicious web addresses it tackled hosted scams playing on Covid-19 fears, like pretending to sell personal protection equipment. The motives behind these attacks include a desire to steal intellectual property such as data relating to COVID-19 vaccine development, modelling and experimental therapeutics.
Omer Dembinsky, manager of data intelligence at Check Point, says cyberattacks on the global healthcare sector are “simply getting out of control”. “This is because targeting hospitals equates to fast money for cyber criminals. These criminals view hospitals as being more willing to meet their demands and actually pay ransoms,” he says. “Hospitals are completely overwhelmed with rises in coronavirus patients and recent vaccine programmes – so any interruption in hospital operations would be catastrophic. “This past year, a number of hospital networks across the globe were successfully hit with ransomware attacks, making cyber criminals hungry for more,” says Dembinsky.
“Furthermore, the usage of Ryuk ransomware emphasises the trend of having more targeted and tailored ransomware attacks rather than using a massive spam campaign, which allows the attackers to make sure they hit the most critical parts of the organisation and have a higher chance of getting their ransom paid.”
In January 2018, a regional hospital in Indiana was forced to pay $55,000 after its records were infected by the SamSam ransomware. The attackers targeted more than 1400 patients’ data and changed their names to “I’m sorry”. Even though the hospital had a backup, the incident response team determined that it would take a lot of time and resources to recover the damaged data. Rather than incur that downtime, the hospital paid the attackers the demanded amount in order to retrieve the backup of its critical systems.
A March 2017 report from the Identity Theft Resource Center indicated that more than 25% of all data breaches were related to health care. The estimated loss to the industry is $5.6 billion per year. Healthcare has been transformed with the adoption of electronic health records (EHRs). Compared to paper, the digital documents yielded huge gains in efficiency and the quality of patient care. The greater access to patient data helps doctors to provide high-quality patient care more efficiently. This leads to tremendous amounts of patient data that hospitals and health organizations are not equipped to protect. Healthcare data is extremely desirable as it contains a wealth of personal information, including Social Security Numbers, addresses, credit card numbers, and birthdays.
The personal data hackers can obtain from breaching a healthcare institution can be utilized to open new credit cards, create government documents, and empty out bank accounts. Two other scenarios are even more damaging: using details that are specific to a terminal illness or lifelong disease and long-term identity theft. Cyber criminals can leverage sensitive healthcare information, such as sexually transmitted diseases or terminal illnesses, to coerce victims into doing what they want.
“When sensitive patient information is breached, it poses significantly longer-term risks compared to other sectors – sometimes indefinitely,” Frank Dickson, program vice president for security products research at IDC, said in a press release. “Healthcare data is especially attractive to hackers because it’s far more valuable than other kinds of data that can be accessed and exploited. When healthcare data is stolen, damage cannot be fully mitigated. A credit card can be cancelled or a bank account can be closed, but private patient data circulates endlessly which opens opportunities for various types of fraud to occur again and again from a single breach.”
Hospitals therefore become easy targets for ransomware attacks, under which a busy hospital suddenly cannot use any of its electronic medical records or other computerized systems. As the victim of a ransomware attack, the hospital will not regain access without paying those who locked down the records, if at all.
The worst cyberattack in Singapore’s history, which involved the theft of medical information linked to the prime minister as well as 1.5m patients, was executed by a state-sponsored espionage group called Whitefly, according to Symantec. A March 2019 report said that in the 12 months to mid-2018 Whitefly launched attacks against a number of organisations mostly based in Singapore, including multinational corporations with operations in the city state. Symantec also found that tools used by Whitefly in Singapore had been deployed against defence, telecoms and energy entities in south-east Asia and Russia as well as a UK-based hospitality company. “It now appears that the SingHealth breach was not a one-off attack and was instead part of a wider pattern of attacks against organisations in the region,” the report said. In 2019, data breaches cost the healthcare industry $4 billion, with organizations paying out $423 per breached patient record. This number doesn’t even factor in the costs tied to potential HIPAA fines and productivity loss.
In a cyber attack in December 2020, data on the Pfizer/BioNTech COVID-19 vaccine was stolen and released online illegally. Organisations spend millions of dollars to discover a new drug to manage a rare disorder, and risk having the whole of the drug data, trial data and patient data compromised. This can severely derail the whole drug discovery process and end up jeopardising the future of the organisation.
Another category of possible attackers is the insider threat. Insider threats may be borne out of negligence, like opening a phishing email by mistake. According to a recent report on hacking of healthcare providers, insider threats, such as staffers falling for phishing attacks, play a leading role in healthcare breaches overall. The report from Protenus indicated that 41% of data breaches in 2017 were tied to insider errors or wrongdoing. A 2014 report by Forrester Research stated that lost or stolen mobile devices were implicated in 39% of healthcare security breaches.
Denial of service attacks may affect patient safety
These cyber threats don’t just mean financial losses for the patients. They could mean the loss of a human life. Hackers may use malware for device reprogramming which alters device function. Malware attacks can shut down healthcare devices and equipment, including pacemakers, insulin pumps, and light scopes, and even add tumors to MRI scans.
At another hospital, hackers find a way to connect to the software that controls IV pumps, changing their settings so they no longer deliver the correct doses of medication. “There were several reports of UK hospitals unable to administer X-rays. The computer equipment attached to the X-ray machines was compromised and attacked by ransomware and rendered inoperable for some period of time.” Patients could be harmed or even die. Many people — both patients and health-care workers — could be inconvenienced by systems going down.
Supply Chain Vulnerability
Entry points that threat actors can use to compromise the hospital supply chain range from manufacturers to distribution centers and transportation companies, from third-party contractors to developers of software and mobile apps hospitals use, from past to non-core services staff.
“Supply chain threats arise as a result of outsourcing suppliers, and the lack of verifiable physical and cybersecurity practices in place at the suppliers,” Sterling OEM, Trendmicro pointed out. “Suppliers do not always vet personnel properly, especially companies that have access to patient data, hospital IT systems, or healthcare facilities. Vendors do not always vet their products and software for cybersecurity risk and may be outsourcing resources as well.”
Education is key for procurement personnel to know that the supplier has been vetted, so that gray market equipment does not make its way into a hospital or medical facility. As a reseller, Sterling Sr. VP, Jeff Moore states in a recent article published by MeriTalk, “The bottom line is that facilities need comprehensive assessments of their suppliers to understand the total risk. Training procurement staff and buyers to look beyond the Bill of Materials (BOM) and the part number is essential.”
As healthcare organizations grow, they increase in complexity. Without a secure supply chain, healthcare facilities may face more uncertainty. At the end of the day, healthcare facilities need to know their resellers and have a detailed Supply Chain Risk Management (SCRM) plan in place so customers can be assured of secure product procurement.
Health Sector Vulnerability
The current pandemic situation in the EU and worldwide provides a fertile breeding ground for various campaigns. In no particular order, the following conditions are being exploited making the sector even more vulnerable: High demand for certain goods like protective masks, disinfectants and household products; Decreased mobility and border closures; Increasing reliance on teleworking, often with little previous experience and planning; and Increased fear, uncertainty and doubt in the general population.
Experts say there are a number of reasons for the increased risk — and challenges, some unique to health care, in mitigating it. Health organizations often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information. There are security vulnerabilities in off-the-shelf software due to poorly designed software security features. “Health care has an open, sharing culture — as is appropriate to support its primary mission — but this culture also complicates the issues of security and privacy,” said the June 2017 Report on Improving Cybersecurity in the Health Care Industry, produced by the Health Care Industry Cybersecurity Task Force of the U.S. Department of Health and Human Services.
The Public Accounts Committee (PAC) said the health service had taken insufficient action to protect itself from hacking almost a year since the most devastating attack in its history. The National Audit Office said a cyber-attack which crippled a third of NHS hospitals in May 2017 could have easily been prevented. NHS officials warned that future attacks could be “more sophisticated and malicious” than that which led to the cancellation of 20,000 NHS operations and appointments.
But the report reveals hospitals could have acted far sooner, with officials warned repeatedly about the WannaCry virus before the attack, with ‘critical alerts’ sent out in March and April. The virus spread via email, locking staff out of their computers and demanding £230 to release the files on each employee account. Hospital staff reported seeing computers go down ‘one by one’ as the attack took hold. Doctors and nurses were locked out, meaning they had to rely on pen and paper, and crucial equipment such as MRI machines were also disabled by the attack.
The average healthcare organization spent $1.4 million to recover from a cyberattack, according to a recent report from Radware. The number is slightly lower than other industries, which spent $1.67 million. For the Radware 2018-2019 Global Application and Network Security Report, researchers surveyed 790 IT executives and found a 50 percent growth in organizations estimating the cost of a cyberattack to be greater than $1 million. In fact, those executives are increasingly shifting away from lower estimates. About 54 percent of respondents said revenue-killing operational and productivity loss was the greatest impact of a cyberattack, while 43 percent pointed to negative customer experience. Another 37 percent said they saw reputation loss after a cyberattack.
Cyber security recommendations
International and national regulatory bodies have stressed the urgent need for healthcare providers and universities to protect themselves against cyber-attacks during COVID-19, recognising that a growing number of cyber-criminals are seeking to capitalise on the vulnerabilities of the healthcare sector during this period.
The whole cybersecurity community is working together to support the healthcare sector as the pandemic develops; national cybersecurity authorities are issuing alerts and guidelines (e.g. the situation in CZ) on potential cyber attacks; in the CSIRT Network, Member States (MS) continuously exchange information and issue situational reports together with the EU Institutions; the private sector is offering pro-bono cybersecurity related services supporting the healthcare sector.
Cybersecurity Risk management
Because cybersecurity threats cannot be completely eliminated, manufacturers, hospitals, and facilities have to work to manage them to protect patient safety. At a macro-level, organizations may leverage the NIST Cybersecurity Framework (i.e., identify, protect, detect, respond, and recover) as a tool to help understand, manage, and communicate their cybersecurity risk. Hospitals can review their security policies to uncover any vulnerabilities before an attack happens.
It is critical for stakeholders to develop a shared understanding of the risks posed by cybersecurity vulnerabilities and threats to medical devices and the IT networks to which these devices connect. This requires improved information sharing of industry threats, risks, and mitigations.
Additionally, the rise and sophistication of ransomware attacks that hold IT systems and patient-critical devices hostage continues to grow, as evidenced by the hospital ransomware attacks of 2016. Manufacturers should work towards increasing the security and resilience of medical devices and health IT. Timely security software updates and patches should be provided to medical devices and networks, and should address related vulnerabilities in older medical device models (legacy devices). Users should follow best practices for installing and testing the updates.
The Report on Improving Cybersecurity recommends establishing a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures. It is important to have good backups, so that even when cyber attacks happen you’re able to recover.
ENISA can provide some advice to support the sector, taking into account the situational evolution and most common incidents since the beginning of the pandemic.
- Share the information with healthcare staff in the organisation, build awareness of the ongoing situation and, in the case of infection, ask staff to disconnect from the network to contain the spread. Raise awareness internally in healthcare organisations and hospitals by launching campaigns even during the time of crisis (i.e. to inform hospital staff not to open suspicious emails).
- In case of systems compromise, freeze any activity in the system. Disconnect the infected machines from others and from any external drive or medical device. Go offline from the network. Immediately contact the national CSIRT.
- Ensure business continuity through effective backup and restore procedures. Business continuity plans should be established whenever the failure of a system may disrupt the hospital’s core services, and the role of the supplier in such cases must be well-defined.
- In case of impact to medical devices, incident response should be coordinated with the device manufacturer. Collaborate with vendors for incident response in case of medical devices or clinical information systems.
- One preparedness measure is network segmentation. With network segmentation, network traffic can be isolated and/or filtered to limit and/or prevent access between network zones.
By performing risk assessments on a regular basis, you will have enough information to implement the right security measures. The risk assessments of healthcare entities should ensure that they are compliant with HIPAA (Health Insurance Portability and Accountability Act) requirements in terms of technical, physical and administrative processes. It is a necessity for any healthcare entity to meet the HIPAA standards and, by performing regular security assessments, ensure that the PHI (Protected Health Information) of patients is secure.
Ransomware attacks don’t start with ransomware. Ryuk and other types of ransomware exploits usually start with an initial infection with a trojan. Often this trojan infection occurs days or weeks before the ransomware attack starts, so security professionals should look out for Trickbot, Emotet, Dridex and Cobalt Strike infections within their networks and remove them using threat hunting solutions – as these can all open the door for Ryuk.
Raise your guard on weekends and holidays – most ransomware attacks over the past year have taken place over the weekends and during holidays, when IT and security staff are less likely to be working.
Use anti-ransomware solutions – although ransomware attacks are sophisticated, anti-ransomware solutions with a remediation feature are effective tools which enable organisations to revert to normal operations in just a few minutes if an infection takes place.
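The points above about precursor infections and about weekends and holidays can be combined into one triage pass over endpoint alerts. The Python below is an added example, not code from the article or from any vendor: the CSV export layout, the `quarantined`/`removed` action values and the scoring weights are assumptions, and the alert lines are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Families the article names as common forerunners of Ryuk.
PRECURSORS = ("trickbot", "emotet", "dridex", "cobalt strike")
# Assumed action values meaning the endpoint tool cleaned the detection.
RESOLVED = {"quarantined", "removed"}

# Constructed sample export: timestamp, host, detection name, action taken.
SAMPLE_ALERTS = """\
2021-01-04T09:15:00,rad-ws-04,Emotet,quarantined
2021-01-06T11:02:00,lab-srv-01,TrickBot,quarantined
2021-01-09T23:40:00,rad-ws-04,Emotet,detected
2021-01-10T03:12:00,pharm-ws-11,Cobalt Strike,detected
2021-01-11T10:30:00,adm-ws-02,Adware.Generic,detected
2021-01-11T13:45:00,icu-ws-07,Dridex,detected
"""


def parse_alerts(text):
    """Turn the CSV export into dicts, skipping blank or malformed rows."""
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        ts, host, name, action = (field.strip() for field in row)
        alerts.append({"time": datetime.fromisoformat(ts), "host": host,
                       "name": name.lower(), "action": action.lower()})
    return alerts


def precursor_family(name):
    """Return the precursor family a lower-cased detection name mentions, or None."""
    return next((fam for fam in PRECURSORS if fam in name), None)


def hunt_precursors(alerts, as_of, holidays=frozenset()):
    """Rank hosts whose precursor infections still need hands-on removal."""
    grouped = defaultdict(list)
    for alert in alerts:
        family = precursor_family(alert["name"])
        if family:
            grouped[(alert["host"], family)].append(alert)

    findings = []
    for (host, family), events in grouped.items():
        events.sort(key=lambda e: e["time"])
        still_open = events[-1]["action"] not in RESOLVED
        # Seen again after a clean-up: persistence or reinfection.
        recurred = any(e["action"] in RESOLVED for e in events[:-1])
        if not (still_open or recurred):
            continue  # one detection, cleaned, never seen again
        # Weekend or holiday detections are the ones least likely to have been reviewed.
        off_hours = any(e["time"].weekday() >= 5 or e["time"].date() in holidays
                        for e in events)
        dwell_days = (as_of - events[0]["time"]).days
        # Assumed weights: an uncleaned detection counts double.
        score = 2 * still_open + recurred + off_hours + (dwell_days >= 7)
        findings.append({"host": host, "family": family, "score": score,
                         "dwell_days": dwell_days, "off_hours": off_hours})
    return sorted(findings, key=lambda f: (-f["score"], f["host"]))


if __name__ == "__main__":
    for finding in hunt_precursors(parse_alerts(SAMPLE_ALERTS),
                                   datetime(2021, 1, 12, 8)):
        print(finding)
```

On the sample data, the workstation where Emotet reappeared on a Saturday after an earlier quarantine ranks first, and the single cleaned TrickBot detection is left out.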
Curb Access to Patients’ Data
In March 2018, Verizon reported that healthcare is the industry with the highest recorded internal breaches, which form 58% of the overall tracked cyber attacks in healthcare. Hackers seek to reach patients’ data so that they can exploit it for monetary benefit. One of the ways to reduce this risk is to establish controlled access to the patient database. A regular audit of access will help you understand who has accessed the data and when.
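A regular access audit of the kind described above can be as simple as comparing the record-access log against who is assigned to each patient. The Python below is an added example, not code from the article: the log line format, the care-team assignment table, the 07:00 to 19:00 working hours and all user and patient identifiers are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed care-team assignments: staff allowed to open each patient record.
ASSIGNMENTS = {
    "P1001": {"dr.rao", "nurse.lee"},
    "P1002": {"dr.rao"},
    "P1003": {"dr.shah", "nurse.lee"},
}

# Constructed access log in an assumed key=value format.
SAMPLE_LOG = """\
2021-01-11T09:05:00 user=dr.rao patient=P1001 action=view
2021-01-11T09:20:00 user=nurse.lee patient=P1001 action=view
2021-01-11T22:47:00 user=clerk.kim patient=P1002 action=view
2021-01-11T22:49:00 user=clerk.kim patient=P1003 action=export
2021-01-11T22:51:00 user=clerk.kim patient=P1001 action=view
2021-01-12T10:15:00 user=nurse.lee patient=P1002 action=view
2021-01-12T10:30:00 user=dr.shah patient=P1003 action=update
"""

LINE = re.compile(r"^(\S+) user=(\S+) patient=(\S+) action=(\S+)$")


def parse_log(text):
    """Return (time, user, patient, action) tuples in time order."""
    rows = []
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if match:  # lines that do not fit the format are ignored
            ts, user, patient, action = match.groups()
            rows.append((datetime.fromisoformat(ts), user, patient, action))
    return sorted(rows)


def access_history(rows, patient):
    """Who touched one patient's record, and when."""
    return [(ts, user, action) for ts, user, p, action in rows if p == patient]


def audit(rows, assignments, work_hours=(7, 19)):
    """Summarise, per user, the accesses that fall outside the access policy."""
    report = defaultdict(lambda: {"unassigned": [], "after_hours": 0, "exports": 0})
    start, end = work_hours
    for ts, user, patient, action in rows:
        entry = report[user]
        # A patient missing from the table has no authorised staff at all.
        if user not in assignments.get(patient, set()):
            entry["unassigned"].append((ts, patient, action))
        if not start <= ts.hour < end:
            entry["after_hours"] += 1
        if action == "export":
            entry["exports"] += 1
    return dict(report)


def flagged_users(report):
    """Users with at least one access to a patient they are not assigned to."""
    hits = [(user, len(entry["unassigned"]))
            for user, entry in report.items() if entry["unassigned"]]
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    report = audit(rows, ASSIGNMENTS)
    for user, count in flagged_users(report):
        print(user, count, report[user]["after_hours"], report[user]["exports"])
    print(access_history(rows, "P1002"))
```

After-hours access is normal for clinical night shifts, so that counter is context for a reviewer rather than a finding on its own.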
Authentication and Password management
Strong measures to authenticate providers and users are critical to the establishment of the trust relationship in the delivery of health care. Instead of relying on only password authentication, this may require promoting the use of multi-factor authentication, and leveraging biometrics.
Passwords are the direct key for hackers to gain access to personal data. Using the same passwords or easily guessed passwords may put your data at risk. The convenience of having one password will lead to the catastrophic threat of data loss. The three steps that an organization should follow when it comes to password management are: restrict access to main accounts; change passwords regularly; and use multi-factor authentication to access secure data.
Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).
Cybersecurity Awareness and Training
Increase health care industry readiness through improved cybersecurity awareness and education. “Securing digital assets can no longer be delegated solely to the IT department,” they continued. “Rather, security planning needs to be infused into new product and service offerings, security, development plans and new business initiatives.”
Every sector faces challenges in meeting its need to recruit and retain qualified cybersecurity professionals. It is necessary to develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. Healthcare organizations must thoroughly educate their current and future employees on all HIPAA rules and regulations that include patient privacy. Additionally, they should establish a culture of security and remind employees to be on the lookout for unattended medical devices and/or paper documents. Hospitals should have a legal team in place in the event a breach does occur to deal with the investigation, patient lawsuits, and civil rights and HIPAA fines.
Henry Ford Health System was breached during October 2017 due to the improper care of healthcare records by the employees. The hacker stole the data of 18,470 patients, which included the patient names, dates of birth, medical record numbers, health insurer, and other medical conditions. It has been observed that the weakest cybersecurity link in healthcare is the user. Therefore, the staff should be trained on all the latest security protocols at regular intervals. A little ignorance on the part of any member of staff could result in a hefty ransom.