As if hospitals and healthcare organizations don’t have enough to worry about in the wake of COVID-19, another significant issue has come to the forefront.
More than ever, cyberattacks present a major dilemma for the healthcare industry. The pandemic has made the situation worse, but the full set of reasons attackers go after healthcare organizations paints a challenging picture on its own.
To begin, healthcare organizations hold an enormous amount of regulated health data, which is private, sensitive in nature, and extremely valuable on the open market.
Additionally, perhaps more than any other industry, healthcare organizations cannot afford downtime. The emergency room cannot just shut down for a few hours. A hospital cannot just go a couple of days without its core systems. Any disruption to a healthcare organization or hospital system can have an immediate, significant impact on the health of its patients.
As a result, attackers have realized that if they can get ransomware into a healthcare environment, the organization is often forced to pay, because it cannot risk either the exposure of sensitive data or a shutdown of patient-facing systems.
Additionally, healthcare organizations typically have many different departments, internal systems and potential entry points, and many of them are interconnected. In other words, hospitals and healthcare systems have a large number of employees and vendors whose credentials, handed over knowingly or unknowingly, could give an attacker quick access to a large number of systems. And that does not even factor in how the current work-from-home environment has created more entry points into healthcare organizations, or how some biomedical devices simply cannot be patched or otherwise secured.
Another exacerbating factor is the financial strain that many healthcare organizations have dealt with since the start of the pandemic. Budgets are tight, and many healthcare programs were forced to cut their IT and cybersecurity departments, which in turn has made it even easier for attackers to find points of entry. Plus, of course, the work-from-home environment has encouraged cybersecurity specialists to take remote jobs, and many of them may not want to work in healthcare security at the moment because of funding issues, stress and the like.
The result is an industry that holds valuable information, is extremely susceptible to attacks and may pay ransoms relatively quickly. As far as attackers are concerned, healthcare organizations are an ideal target.
Navigating an Uncertain Future
The days of simply telling employees not to click on suspicious links are long gone. Sure, that advice is valuable in helping to limit an organization’s potential exposure to ransomware, but the new wave of attacks is much more direct.
These days, attackers might even bribe employees, directly, with a cash reward. “I’m going to send you a link at 2 p.m. Enter your credentials and a bag with $5,000 will show up on your doorstep.” In an organization with thousands of employees, the reality is that somebody is likely to take that cash. And criminal organizations are so well funded at this point that it’s usually a worthwhile investment for the attackers.
How do you prevent this next wave of attacks? One of the most important protections is multifactor authentication, which requires employees to present something beyond their password, such as a one-time code from an authenticator app or an approval on a registered device. It is worth noting that an employee who has been paid to hand over a password can also be paid to approve the second factor, so multifactor authentication narrows that risk rather than eliminating it; it does, however, stop the far more common case of a credential that was simply leaked or phished.
In healthcare, most organizations require multifactor authentication for the key parts of their environment. However, with just a little digging, one can usually find other internet-facing login pages where anyone with a valid username and password can get in, with no second factor required.
And that does not even consider how most people reuse their passwords across multiple websites. All it takes is one breach at some unrelated site that leaks a list of passwords, and attackers can replay those same credentials against the organization's exposed logins (credential stuffing). Suddenly plenty of employees have potentially opened their organization's critical information to a variety of people with bad intentions.
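As an added example (not code from the article or its author), the following Python script runs the two checks above over a handful of constructed authentication log lines: it lists successful logins that arrived from outside the organization's own address space with no second factor, and it flags a single source address that cycled through many usernames, which is what replaying a leaked password list looks like in a log. The log format, the field names, the internal address ranges and the five-account threshold are all assumptions made for the example.

```python
"""Audit constructed authentication events for two gaps the article describes:
internet-facing logins that complete with only a password (no MFA), and
credential stuffing (one source cycling through many accounts).

Added example, not code from the original article or its author. The log
format, field names and internal address ranges below are assumptions.
"""
import ipaddress
from collections import defaultdict

# Assumption: the organization's own address space. Anything outside it is
# treated as "anybody on the internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (assumed format):
# <timestamp> <user> <source-ip> <application> <result> <mfa-method-or-none>
SAMPLE_LOG = """\
2024-03-01T13:58:01Z jdoe    203.0.113.7   patient-portal FAIL    none
2024-03-01T13:58:02Z asmith  203.0.113.7   patient-portal FAIL    none
2024-03-01T13:58:03Z bjones  203.0.113.7   patient-portal FAIL    none
2024-03-01T13:58:04Z clee    203.0.113.7   patient-portal FAIL    none
2024-03-01T13:58:05Z dkim    203.0.113.7   patient-portal FAIL    none
2024-03-01T13:58:06Z epark   203.0.113.7   patient-portal SUCCESS none
2024-03-01T14:01:10Z nurse1  10.20.30.40   ehr            SUCCESS totp
2024-03-01T14:02:15Z rwhite  198.51.100.23 ehr            SUCCESS none
2024-03-01T14:03:20Z rwhite  198.51.100.23 vpn            SUCCESS push
"""


def parse_log(text):
    """Turn the whitespace-separated lines above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, app, result, mfa = line.split()
        events.append({
            "ts": ts,
            "user": user,
            "src": ipaddress.ip_address(src),
            "app": app,
            "ok": result == "SUCCESS",
            "mfa": mfa.lower(),
        })
    return events


def is_internal(addr):
    """True if the address falls inside the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def external_logins_without_mfa(events):
    """Successful logins from outside the internal ranges with no second factor.

    Each hit is an application that anybody on the internet can reach with
    just a username and password, i.e. a place where MFA is not enforced.
    Returned as sorted (app, user, source) tuples.
    """
    return sorted({(e["app"], e["user"], str(e["src"]))
                   for e in events
                   if e["ok"] and e["mfa"] == "none" and not is_internal(e["src"])})


def credential_stuffing_sources(events, min_distinct_users=5):
    """Sources that tried at least N distinct accounts, mapped to accounts they got into.

    One address walking through many usernames is the signature of replaying a
    leaked password list; a success inside that run is a reused password.
    """
    tried = defaultdict(set)
    compromised = defaultdict(set)
    for e in events:
        tried[e["src"]].add(e["user"])
        if e["ok"]:
            compromised[e["src"]].add(e["user"])
    return {str(src): sorted(compromised[src])
            for src, users in tried.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for app, user, src in external_logins_without_mfa(evs):
        print(f"no-MFA external login: {user} -> {app} from {src}")
    for src, users in credential_stuffing_sources(evs).items():
        print(f"credential stuffing from {src}; accounts accessed: {users or 'none'}")
```

On the sample data the first check reports two applications (the patient portal and the EHR) accepting password-only logins from the internet, while the VPN login with a push approval is correctly left out; the second check singles out 203.0.113.7, which tried six accounts and succeeded on one. In a real deployment the inputs would come from the identity provider's sign-in log, and the internal ranges and threshold would be tuned to the environment.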
Additionally, it is important to remember that while a cyberattack and the ensuing payout could conceivably be kept behind closed doors in other industries, that is not the case in healthcare. Under the HIPAA Breach Notification Rule, covered entities must report breaches of protected health information to the Department of Health and Human Services, and breaches affecting 500 or more individuals are posted on a publicly available HHS listing.
Some in the industry refer to this list as the “Wall of Shame.” Needless to say, no organization wants to find its name on the list. But fortunately, there are proactive steps that can be taken.
What can healthcare organizations do?
Attackers often try to encrypt every system within an organization, not just one. So once they get a foothold, they move laterally from system to system, locking as many doors as possible before they trigger the ransomware.
In addition to multifactor authentication, there are other safeguards organizations should employ.
From the perspective of a healthcare organization, it is critical to know how many systems you have, what they are, and how they are connected: in other words, to keep an accurate asset inventory. (While that may sound simple, it is not a step that should be taken for granted.) Only once that inventory exists can an organization begin monitoring those systems for vulnerabilities and patching the holes it finds. And then there needs to be a procedure in place to address anything that slips through the cracks. If a system is compromised, is there a way to isolate it? Can you keep it from infecting other systems? And what kind of incident response process do you have in place?
Furthermore, every organization needs to have a recovery process in place. If you realize that an attacker got into your systems and has potentially spread to other areas within your organization, you now need to use your backup and disaster recovery plans to recover that data as quickly as possible.
Unfortunately, healthcare systems rarely do comprehensive recovery testing. Often the recovery testing is limited to a few core systems. In my experience, very few systems have ever done a true restoration of their entire environment. It’s too costly, they say. Or sometimes they comment that it’s simply too hard. But just because something is expensive, or difficult, doesn’t mean that you shouldn’t do it. In this case, spending the time, energy and money today will help save you immensely in the event of a cyberattack.
All healthcare organizations need to be strong when it comes to:
- Multifactor authentication
- Identity and access management
- Vulnerability management program
- Incident response process
- Disaster recovery planning
Healthcare organizations should also seek third-party assistance in performing a full risk assessment that accounts for their unique industry requirements, evaluating everything from gaps within individual departments to full-scale assessments of entire hospital systems. Focused, risk-based recommendations help organizations make critical decisions and important changes to their IT controls, cybersecurity infrastructure and disaster recovery plans.
The truth is that cybersecurity is getting harder, not easier. We likely will continue to see an increase in breaches, and ransom demands certainly will keep growing. And with more healthcare organizations unable to afford cyber insurance, these organizations need to take every possible step to protect their environment before it is too late.
Jeff Krull is a partner at Baker Tilly and has more than 20 years of experience in cybersecurity, process and controls, information technology and internal audit.