DO YOUR PART, BE CYBERSMART: HEALTHCARE SYSTEMS SEE INCREASED ATTACKS WITH COVID-19

In last week’s National Cybersecurity Awareness Month (NCSAM) post, Hagerty discussed common cyber-attacks as well as the rise in individual and organizational cyber risk during this unprecedented year, and how individuals can improve their personal and professional cyber hygiene. Similarly, the healthcare sector has faced additional challenges and an uptick in cyber incidents in 2020.

COVID-19, HEALTHCARE, AND CYBER-CRIME

While cyber threats to the healthcare industry are not new, the COVID-19 pandemic and its impacts on individuals and organizations has increased the cyber risks for healthcare systems. The influx of new internet-connected devices (e.g., medical systems, equipment, sensors), unmanaged personal devices, and remote access points in healthcare facility networks increase their attack surface and vulnerabilities for attackers to exploit. Malicious actors are also using COVID-19 as the ‘lure’ for a growing number of phishing attempts. Additionally, COVID-19 may also provide additional incentives for cyber criminals and other adversaries to target healthcare facilities and systems.

COVID-19 Screening Tool: Source

In particular, attackers are increasingly using ransomware to target hospitals and other healthcare facilities. Ransomware is a form of malware that infects and restricts access to computers and data until or unless the targeted organization pays the attacker a ransom. In the healthcare sector, these attacks can impact information technology (IT) systems, patient data, medical response, and patient safety. Between July and October 2020, the daily average number of ransomware attacks across all sectors in the United States (US) was up by 98 percent. One sophisticated Ransomware variant known as Ryuk is affecting the healthcare industry more than any other sector in the US.

Some recent examples of cyber-attacks on healthcare systems highlight this trend.

• Ransomware Attack on Large US Hospital Coalition: In September 2020, attackers hit Universal Health Services, which operates nearly 70 acute care and outpatient facilities nationwide, locking down servers and phone lines across associated hospitals and potentially exposing significant amounts of patient data and personally identifiable information. This attack follows dozens of similar incidents across the US.
• Lethality of Ransomware Attacks on Healthcare Facilities: A ransomware attack targeting a German university which affected its hospital was the first in which a patient’s death was attributable to a cyber-attack. However, studies suggest that hospitals impacted by ransomware typically face an uptick in patient mortality – even if the effects are indirect.
• Attacks on Other Healthcare Systems: In addition to hospitals, other healthcare organizations at the forefront of the global response to COVID-19 have fallen victim to cyber-crimes, including companies involved in clinical vaccine trials and development of rapid testing capabilities.
• Attacks on Supply Chains: Attackers have also targeted the supply chains for healthcare companies’ software and hardware products, including products used to manage industrial control system assets and patient information in hospitals.
• Emerging Ransomware Tactic: A new ransomware tactic is emerging called “double extortion,” in which attackers extract large quantities of sensitive commercial data before encrypting the victims’ databases, threatening to leak it unless the ransom is paid. This approach is an attempt to circumvent the use of frequent backups that companies can restore to as a common defense against ransomware.

WHY HEALTHCARE SYSTEMS

The healthcare sector is not merely being caught in the crossfire of normal cyber activity; attackers are choosing these targets because they believe the pandemic has increased healthcare facilities’ incentives to acquiesce to ransom demands. COVID-19 has increased intake rates, heightened patient load, and burdened intensive care unit (ICU) capacity in health systems worldwide. With this increased operating demand, attackers see an opportunity to extort hospitals and other healthcare facilities for a more significant and/or quicker payment.

CONSIDERATIONS FOR HEALTHCARE SYSTEMS

There are important steps that individuals and organizations in the healthcare sector can take to reduce and mitigate cyber threats. Hagerty has identified four important pillars to help organizations #BeCyberSmart:

• Ensure Employee Awareness: Employees at hospitals and other healthcare facilities need to be able to identify and avoid phishing attempts and other tactics, techniques, and procedures that attackers use to gain access into their organization’s networks. Companies can help ensure their staff are prepared by conducting training and occasional testing.
• Secure Networks and Devices: As hospitals and other healthcare facilities continue to adapt to teleworking and telemedicine, it is important to ensure that any changes to their network infrastructure and connecting new devices into their network is done with extreme vigilance. Where possible, the use of managed devices instead of connecting employee devices can reduce the risks to company networks. Segregating corporate/IT networks from operational technology networks can also help healthcare providers limit the impacts of potential network breaches.
• Practice Cyber Hygiene: Basic cyber hygiene best practices can help secure healthcare organizations against attack. The National Institute for Standards and Technology (NIST) Cybersecurity Framework and associated standards and best practices provide a valuable starting point. Adhering to least privilege access controls, keeping software up to date, and frequent backups can go a long way in securing against ransomware and other malware.
• Strengthen Incident Response Planning: Even with proper protections in place, organizations may still fall victim to a successful cyber-attack. Companies should ensure they are prepared for such a worst-case scenario. By developing an incident plan that clearly roles and responsibilities, processes and procedures, triggers and thresholds, and other aspects of incident response, companies can minimize the impact that a successful cyber-attack will have on their organization. Exercising these plans can further improve response capabilities.

HAGERTY CAN HELP

Hagerty has the experience and expertise to support organizations in cybersecurity preparedness efforts, as well as pandemic planning, business continuity, and Continuity of Operations (COOP). We stand ready to help with your organization’s assessment, planning, training, and exercise needs to enhance cybersecurity and emergency response strategies amid the evolving COVID-19 pandemic response. To learn more about our cybersecurity service line, contact us or visit our cybersecurity microsite to utilize our free Cybersecurity Assessment Tool that will evaluate your current cyber capabilities.

Rob Denaburg is a Senior Managing Associate in Hagerty’s Preparedness Division. Rob is new to Hagerty but has worked with public and private sector clients to minimize the societal, economic, and national security impacts of infrastructure outages. In a previous role, he advised policymakers and industry leaders on how to build resilience against severe natural and manmade hazards, especially sophisticated cyber-attacks on lifeline systems.

Ruth Anne Holiday is a Managing Associate at Hagerty, supporting both the Preparedness and Recovery Divisions. Ruth Anne was instrumental to Hagerty’s Long-Term Recovery Planning support for the City of Panama City, developing the City’s Unmet Needs Assessment which quantified Hurricane Michael’s impact on the community. Ruth Anne serves on the Situational and Status Blog Team, providing timely updates on major events and disasters impacting communities around the nation. Prior to Hagerty, Ruth Anne supported community-building preparedness initiatives and COOP activities, exercise and workshop development, and strategic recovery planning.