Healthcare organizations face a growing risk of healthcare cyberattacks during the coronavirus pandemic.
The federal government is relaxing regulations so that providers can treat patients from home and use consumer-grade technologies like Skype and FaceTime. The measures are aimed at keeping providers and patients at home as much as possible to slow the spread of COVID-19. But there is also a downside to making healthcare more accessible: The measures are creating more points of entry into healthcare systems for cyberattackers.
Before the coronavirus outbreak, the healthcare industry was already one of the most likely industries to be attacked. The industry pays the highest cost to detect, respond to and deal with the fallout of a data breach, averaging just under $6.5 million per breach, said Caleb Barlow, president and CEO of healthcare cybersecurity firm CynergisTek.
Now in the midst of a pandemic, the healthcare industry is more vulnerable than ever, and cyber criminals are likely laying the groundwork for major healthcare cyberattacks.
"If you put yourself in the mindset of an attacker right now, now is actually not the time to detonate your attack," Barlow said. "Now is the time to get on a system, to move laterally and to elevate your credentials, and that's likely exactly what they're doing. There are a lot of indicators of that. We've seen a significant rise in COVID-19-focused phishing, both that is targeting individuals as well as institutions."
Caleb BarlowPresident and CEO, CynergisTek
Healthcare systems and even the U.S. Department of Health and Human Services are seeing phishing and other similar attacks right now, but Barlow warns that healthcare CIOs and CISOs need to prepare for the more insidious healthcare cyberattacks that are coming, including ransomware.
"We have to realize that these attackers are highly motivated," Barlow said. "Many of them, particularly with things like ransomware, are nation-state actors. These are how nation-states fund their activities. There is not going to be a plea to bad guys of, 'Please not right now.' It just doesn't work that way. It is coming. Get prepared, you have a few weeks. It is that simple."
Cyberthreats seen on the front lines
Anahi Santiago, CISO at the Delaware-based ChristianaCare health system, said there has been a rapid increase in social engineering attacks -- including phishing, where bad actors appear as a trusted source and trick healthcare employees into revealing their credentials -- that are testing healthcare systems during the coronavirus crisis.
Although the ChristianaCare health system has security tools to prevent phishing attacks on the organization, Santiago said home computers may not have the same protections. Additionally, Santiago said threat actors are setting up websites using legitimate coronavirus outbreak global maps to trick people into visiting those sites and, unbeknownst to them, downloading malware. While the healthcare system's security tools block malicious websites, clinicians may not have the same types of protection at home.
CynergisTek's Barlow said the "threat landscape has increased dramatically," as regulations have been relaxed to enable physicians to work and treat patients remotely. That increased threat landscape includes a physician's home network, which gives bad actors more opportunity to gain access to a healthcare institution.
As cyberattackers capitalize on this opportunity, Barlow said it's important for health systems' security teams to mobilize and for healthcare CIOs and CISOs to have a plan in place in case their healthcare system is breached.
Santiago echoed Barlow's call on security teams, saying awareness and ensuring the cybersecurity posture remains intact are key to preventing these kinds of attacks.
"We have been working very closely with our external affairs folks to communicate to the organization so that our caregivers have awareness, not only around potential phishing and social engineering attacks that might come through the organization, but also to be aware at home," she said. "We're doing a lot of enablement for the organization, but also making sure that we're thinking about our caregivers and their families and making sure we're giving them the tools to be able to go home and continue to protect themselves."
Aaron Miri, CIO at the University of Texas at Austin Dell Medical School and UT Health Austin, said he has heard of academic medical institutions and healthcare systems being under constant attack and is remaining vigilant.
"During any situation, even if it's a Friday afternoon at 5 o'clock, you can expect to see bad actors try to capitalize," he said. "It is an unfortunate way of the world and it's reality, so we are always keeping watch."
Preparing for cyberattacks
Barlow said there are a few steps healthcare security teams can take to make sure providers working at home are doing so securely.
First, he said it's key to make sure clinicians have proper virtual private networks (VPNs) in place and that they're set up properly. A VPN creates a safe connection between a device that could be on a less secure network and the healthcare system network.
Second, he said security teams should make sure those computers have proper protection, often referred to as endpoint security. Endpoint security ensures devices meet certain security criteria before being allowed to connect to a hospital's network.
The next step is getting a plan in place so that when a healthcare system is breached or hit with ransomware, it will know how to respond, he said. The plan should include how to manage a breach in light of the pandemic, when leaders of the organization are likely working from home.
"If you are hit with ransomware, how are you going to process through that, how are you going to do that when you can't get everybody in the room … how are you going to make decisions, who are you going to work with," he said. "Get those plans up to date."