2020 has been a challenging year for everyone. The COVID-19 pandemic caused havoc in people’s personal and professional lives. Workforces quickly shifted to remote environments. And no industry was impacted more than healthcare. Not only was the healthcare industry forced to pivot to telehealth visits on unproven technology, all while dealing with the COVID crisis, but cybercriminals seized the opportunity to prey upon this sector while day-to-day operations were in flux and defenses were down.
In the third quarter of 2020, the US saw a 50 percent increase in the frequency of ransomware attacks. Healthcare was no exception, and in October, Universal Health Services was hit with what some are calling the “largest cyberattack in US history.” In September, a patient awaiting urgent treatment died during a transfer from a German hospital after ransomware brought the hospital down, a death that can be attributed to a cyberattack. In both cases, hackers were able to exploit vulnerabilities found in these hospitals’ networks.
Vulnerabilities can exist in the form of unpatched software, which is then used as a method to gain entry to the network. Or the weak point can be the healthcare employees themselves, who click a suspicious link in a phishing email or expose patient health information through negligence.
What’s at stake in a healthcare security breach
As with the above example, a ransomware attack could literally mean life or death to a patient receiving urgent or emergency care at a hospital. Though paying is strongly discouraged, because it puts more money into the hands of these criminal hacking organizations, a hospital facing a situation where people’s lives are at stake could consider paying the ransom to restore operations quickly.
Mostly, it’s patients’ protected health information (PHI) that cybercriminals want to get their hands on. Every compromised patient record could incur fines under the Health Insurance Portability and Accountability Act (HIPAA), and a typical breach exposes hundreds, if not thousands, of records. The fines can add up quickly. Hospitals have to publicly report breaches of 500 or more records, which can lead to a decline in trust and reputation and to loss of revenue from patients who choose to seek care elsewhere. There are currently nearly 700 healthcare breaches under investigation by the U.S. Office for Civil Rights within the Department of Health and Human Services.
Staying on top of threats can be challenging for healthcare IT staff
Larger health organizations typically have dedicated security staff; however, smaller hospitals and private practices usually do not. As in other industries, security workers are in high demand in healthcare, and there aren’t enough skilled workers to go around. Therefore, healthcare organizations may have a difficult time staying on top of the latest threats. With the amount of software and connected devices found in a typical hospital or physician’s office, installing patches alone could keep a person busy for the entire work week.
But security is more than a 9-to-5 job. Cybercriminals deliberately run their attack campaigns in the evenings, on weekends and at other times when staff are not usually in the office. Staffing a 24/7 Security Operations Center is costly and requires skilled analysts, which just isn’t feasible for the majority of healthcare organizations.
How healthcare organizations can stay safe
Healthcare organizations should take precautions to ensure that their networks are equipped to defend against ransomware and other types of cyberattacks. Here are a few essential tips to securing healthcare networks:
- One of the most common ways ransomware infiltrates a network is through exposed Remote Desktop Protocol (RDP) servers with weak credentials. If external access is needed, RDP servers should be placed behind a VPN and an RDP Gateway rather than exposed directly to the Internet. Strong credentials and multi-factor authentication should be enforced as well. VPN servers should be patched to prevent the VPN itself from becoming the attacker’s entry point.
- Organizations should also invest in regular security awareness training to make employees aware of what phishing emails look like. October is Cybersecurity Awareness Month, so it’s a perfect time to conduct phishing simulations or other interactive training exercises with staff.
- Following the 3-2-1 backup rule can help defend against data loss. Keep at least three copies of your data. Store the copies on at least two different forms of storage media. Keep one copy offsite.
- Enact and enforce strict policies against sending PHI or other sensitive data by email or storing the data anywhere other than one centralized database. Usage of the database should be closely monitored against a baseline of normal user behavior, and any abnormality, such as a user requesting far more records at once than usual, should be quickly investigated.
- Invest in advanced cybersecurity protection, such as managed endpoint detection and monitoring. 24/7/365 monitoring by a Security Operations Center can help reduce incident response time drastically.
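Two of the tips above (exposed RDP with weak credentials, and monitoring the PHI database against a baseline of normal behaviour) translate directly into detection logic. The following is an added example, not code from the original article or from any vendor it mentions. It works over constructed log lines embedded in the script: the first part counts failed RDP logons per source address in a sliding window, using the shape of a Windows Security Event ID 4625 record with logon type 10 (RemoteInteractive); the second builds a per-user baseline of records returned per database query and flags queries far above that user’s norm or above an absolute cap. The field layouts, thresholds, account names and addresses are all assumptions made for illustration.

```python
"""Added example: two defender-side checks for the healthcare tips above.

1. RDP password-guessing: count Event ID 4625 (failed logon) records with
   logon type 10 (RDP) per source address within a sliding time window.
2. PHI database misuse: compare each user's query size against a baseline
   of that user's normal behaviour, plus a hard cap.

All log lines below are constructed samples; field order and thresholds are
assumptions, not a real product's format.
"""
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Part 1: failed RDP logons -------------------------------------------
# Constructed lines: ISO timestamp, event id, logon type, account, source IP
RDP_LOG = """\
2020-10-05T02:14:01 4625 10 administrator 203.0.113.7
2020-10-05T02:14:03 4625 10 admin 203.0.113.7
2020-10-05T02:14:04 4625 10 nurse1 203.0.113.7
2020-10-05T02:14:06 4625 10 backup 203.0.113.7
2020-10-05T02:14:08 4625 10 sysadmin 203.0.113.7
2020-10-05T02:14:09 4625 10 test 203.0.113.7
2020-10-05T08:30:00 4625 10 jsmith 198.51.100.22
2020-10-05T08:30:40 4624 10 jsmith 198.51.100.22
2020-10-05T09:00:00 4625 3 svc-scan 192.0.2.15
"""

def parse_rdp_events(text):
    """Split the constructed log into dicts; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account, "src": src})
    return events

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: (failures_in_window, distinct_accounts)} for sources with
    at least `threshold` failed RDP logons inside `window`. Successful logons
    (4624) and non-RDP logon types are ignored."""
    recent = defaultdict(deque)  # src -> (time, account) pairs inside the window
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue
        q = recent[ev["src"]]
        q.append((ev["time"], ev["account"]))
        while q and ev["time"] - q[0][0] > window:  # drop entries older than window
            q.popleft()
        if len(q) >= threshold:
            hits[ev["src"]] = (len(q), len({a for _, a in q}))
    return hits

# --- Part 2: PHI database access baseline --------------------------------
# Constructed audit lines: user, ISO timestamp, records returned by the query
BASELINE_LOG = """\
nurse_a 2020-09-01T09:00:00 1
nurse_a 2020-09-01T09:20:00 2
nurse_a 2020-09-01T10:05:00 1
nurse_a 2020-09-02T09:10:00 3
nurse_a 2020-09-02T11:00:00 1
billing_b 2020-09-01T14:00:00 40
billing_b 2020-09-01T15:00:00 55
billing_b 2020-09-02T14:00:00 48
billing_b 2020-09-02T15:30:00 60
billing_b 2020-09-03T14:00:00 52
"""
REVIEW_LOG = """\
nurse_a 2020-10-05T09:02:00 2
nurse_a 2020-10-05T22:41:00 850
billing_b 2020-10-05T14:10:00 58
billing_b 2020-10-05T14:12:00 5000
"""

def parse_audit(text):
    return [(u, ts, int(n)) for u, ts, n in
            (line.split() for line in text.splitlines() if line.strip())]

def build_baseline(rows):
    """Per-user (mean, population stdev) of records returned per query."""
    per_user = defaultdict(list)
    for user, _, count in rows:
        per_user[user].append(count)
    return {u: (statistics.mean(c), statistics.pstdev(c) if len(c) > 1 else 0.0)
            for u, c in per_user.items()}

def flag_abnormal(rows, baseline, z=3.0, hard_cap=1000, min_band=5):
    """Return (user, timestamp, count, reason) for queries above the user's
    mean + max(z*stdev, min_band) or above `hard_cap`. `min_band` keeps
    low-variance users from being flagged on trivial changes; unknown users
    are flagged because nothing is known about their normal behaviour."""
    flagged = []
    for user, ts, count in rows:
        if count > hard_cap:
            flagged.append((user, ts, count, "exceeds hard cap"))
        elif user not in baseline:
            flagged.append((user, ts, count, "no baseline for user"))
        else:
            mean, stdev = baseline[user]
            limit = mean + max(z * stdev, min_band)
            if count > limit:
                flagged.append((user, ts, count, f"above baseline limit {limit:.1f}"))
    return flagged

if __name__ == "__main__":
    print(find_rdp_bruteforce(parse_rdp_events(RDP_LOG)))
    base = build_baseline(parse_audit(BASELINE_LOG))
    for hit in flag_abnormal(parse_audit(REVIEW_LOG), base):
        print(hit)
```

In the constructed data the source 203.0.113.7 is reported with six failures across six different account names inside the window, which is the pattern of password guessing rather than a user mistyping one password; the lone failure from 198.51.100.22 followed by a success is left alone. On the database side, a night-time query returning 850 records by a user whose baseline is one to three records per query is flagged against the baseline, while the 5000-record query trips the hard cap regardless of who issued it. Real deployments would read the actual event source (Windows Security log, database audit log) instead of the embedded strings and tune the thresholds to the organization’s own traffic.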