Security vulnerabilities are now magnified during the COVID-19 epidemic, creating “a perfect storm” that can be exploited by malicious actors. In the past few weeks alone, personal information on nearly 1.5 million U.S. doctors was breached and is now up for sale on the dark web—highlighting the adversarial reconnaissance taking place.
During this public health crisis, a targeted hospital often has no choice but to pay the ransom in order to prevent any impact on patient care. Healthcare holds the most valuable data of any sector, with hospitals spending $429 for each lost or stolen record.
How can ransomware paralyze a hospital?
Hospitals are the perfect target for extortion by hackers because they provide critical care and rely on IT infrastructure that serves as the backbone of hospital operations: powering access to electronic health records (EHRs), scheduling of appointments, billing and more. Past attacks have shown that when a hospital undergoes a ransomware-induced lockdown period, access to EHRs is shut down, administrators are unable to bill, and data recovery is backlogged or potentially unavailable. In long-term care facilities, ransomware attacks lock up access to prescription and dosing information for patients with complex, chronic conditions like diabetes or cancer.
Additionally, hackers have tools to take it a step further and manipulate EHR data that can completely undermine patient care. All of this ultimately threatens patient safety, leading to some hospitals diverting patients to other facilities.
How did we get here?
Ransomware attacks on hospitals are nothing new. The number of attacks has been steadily increasing each year: more than 41 million healthcare patient records were breached in 2019, nearly triple the number of records breached in 2018.
If this is a known threat, why are hospitals in particular still vulnerable?
One factor is the lack of investment in security for hospital IT systems. Healthcare organizations tend to devote just 3% to 4% of their IT budgets to security, a fraction of the spending in other industries (like financial services). As the threat landscape has continued to evolve since the beginning of the COVID-19 pandemic to become more pointed and sophisticated, many healthcare security professionals lament this is a battle where they have to run toward the enemy without proper defense.
Another emerging factor is the rise of the remote workforce and telemedicine. Security vulnerabilities are now magnified because the hospital's firewall no longer protects nonessential healthcare employees working remotely, and increasing use of telemedicine exposes health systems to new risk. A hacker no longer needs to break into the hospital; they just need to break into an employee's shared computer at home.
What hospital leaders can do to prevent ransomware attacks
Hospital leaders need to lean in now to bolster security strategies and solutions that not only keep them from being taken down by the bad guys but also stave off manipulation of health records, preserving the integrity of their patient data.
These strategies include:
- Revisiting security plans and reassessing the threat landscape: Playing catch-up with security always puts the bad guy ahead. The whole landscape has changed completely over the last month. Leadership needs to reevaluate security posture and pivot accordingly to implement an enhanced security program that accounts for the new realities the industry is facing.
- Adding extra security measures to reflect the new threat landscape: Network segmentation, endpoint protection and multifactor authentication are the equivalent of masks and gowns for remote workers. These solutions should be enacted swiftly across healthcare before this crisis migrates and disrupts critical care.
- Training staff on the new threat landscape: Hygiene is more important now than ever, for both our personal and digital well-being. With the firewall essentially broken down, educating employees on how to securely set up a VPN or properly share a home workstation is as important as heightened awareness of suspicious activity.
Hospitals are already strained financially. Having to pay a steep ransom will only exacerbate an already precarious financial situation, and any manipulation to EHRs would be devastating for patient care. We missed the opportunity to get prepared on N95 masks and testing. Let's not miss the opportunity to be properly equipped for battle from a cybersecurity perspective.
Caleb Barlow is the president and CEO of CynergisTek, an information security and privacy consulting firm focused on the healthcare IT industry.