Cyberattacks on Healthcare in the Time of COVID-19

Medicine and technology are at the forefront of scientific innovation. Our understanding and ability to respond to the global health crisis we’re now living through is thanks to our ever-growing wealth of medical research and knowledge. However, employing cutting-edge technology in an interconnected world means that the healthcare industry creates novel vulnerabilities as quickly as it creates medical innovations. 

Knowing the incredible pressure that COVID-19 is putting on healthcare services and medical research facilities, cybercriminals have stepped up their game and increased their attacks on healthcare providers in line with the increasing burden of need in the pandemic.

Risks and Rewards

Quick and easy access to sensitive information is essential in a healthcare setting but having seamless access to patient data also creates massive potential for cybercriminals to discover entry points within the system. Knowing that a hospital will do almost anything to restore immediate access to essential services, a DDoS (Distributed Denial of Service) or ransomware attack could seem like a lucrative proposition for a cybercriminal.

Healthcare services are also vulnerable to data theft. Medical records are massive repositories of sensitive information. Data is power in the world of cybercrime, and medical records represent an attractive bounty. Medical records hold sensitive private health data, financial information, addresses, and many of the details required for identity theft. 

Protecting Patients

Attacks on healthcare services can often affect patients in one of three ways: 

• Immediate physical harm: This could entail attacks that affect direct patient treatment, such as changing the delivery rate of medication through a digital intravenous infusion pump. 
• Delayed diagnoses or treatment: A DDoS or ransomware attack could make patient records, digital medication, observations, fluid administration charts, and any digitized medical services inaccessible. Even pharmaceutical supplies within hospitals are electronically accessed and could be disrupted. 
• Private data theft: Data theft offers the potential for ransom, identity theft, blackmail, and so much more.

Anyone working in a healthcare setting, whether with direct patient contact or otherwise, needs to be cognizant of the level of harm data theft can inflict on a person. Employers must ensure adequate steps are taken, provision is made, and training is given to eliminate those risks. 

Protecting Healthcare Workers

Safety and medical services aside, an attack leads to loss of trust, and ultimately loss of jobs and income. A recent ransomware attack on California-based Wood Ranch Medical meant a complete loss of patient records and huge amounts of private data, leading to the closure of the organization.

A timely, secure, rolling backup and robust rollout facility can help to overcome the immediate effects of a DDoS or ransomware attack. However, in a large and diverse organization, it is impossible to avoid all human error, but cybersecurity awareness training can help empower employees to keep breaches to an absolute minimum. The cybersecurity team must be constantly vigilant to discover and mitigate new threats and avoid putting further pressure on an already stretched workforce.

It is a sad fact, but cybercrime committed against healthcare organizations ultimately endangers human lives. Trying to administer medical care without access to pathology results, high-tech medical imaging, digital care records, and the other necessities of modern medicine is near-impossible in a cybercrime scenario, such as a ransomware attack. Traditional telephony and alert systems are now digitized and rendered useless by a broad-spectrum attack. Stories of doctors resorting to walkie talkies and personal telephones for emergency calls are just the tip of the iceberg. 

Steps to Security

For a large organization providing essential healthcare and emergency medical services, the following steps should be put into place to effectively mitigate the effects of a cyberattack: 

• Training for all staff to reduce the number of attacks that actually hit the mark.
• Individualized access levels and authorization requirements.
• Solutions to enable interoperable systems with firewall-level network protection.
• A dedicated round-the-clock security team to mitigate any threats, respond to breaches, risk-assess, control backup, and troubleshoot. 
• A practical plan to enable smooth delivery of essential services if and when the systems fail. (i.e., hard copies of medicine charts, basic telephone services, non-networked medical devices, and diagnostic tools)

Access to medical care is fundamental in the modern world, and loss of healthcare services should be treated as an emergency of the most severe type. A cyberattack on a hospital is a targeted and deliberate action to withhold the essential infrastructure for treating the sick and saving lives. 

Cyberattacks on medical services, particularly in the midst of a deadly and infectious viral pandemic, are malicious and detrimental to the safety of our communities. 

Be Cyber Smart

October is Cybersecurity Awareness Month and the perfect time to #BeCyberSmart. 

The Cybersecurity & Infrastructure Security Agency and the National Cyber Security Alliance encourage us to do our part and educate ourselves and your colleagues on the importance of securing your personal information. Visit CISA.gov for more information.