Why it’s happening now, and what to do about it
Just as the COVID pandemic created new opportunities for hackers, ransomware pushers, and other bad actors, the recent availability of vaccines has produced similar opportunities for enterprising cybercriminals.
In almost every month in 2020, more than one million individuals were affected by healthcare data breaches, according to U.S. Department of Health and Human Services (HHS) data. Hospitals, in particular, are under sustained attack as primary storage and distribution centers for much-heralded COVID vaccines.
Who’s to Blame for Rising Attacks
Last year, 527 healthcare organizations reported data breaches to HHS that affected more than 21 million individuals, according to Becker’s Hospital Review. HIPAA requires that healthcare providers who experience data breaches affecting more than 500 individuals report those breaches to HHS within 60 days.
In an article in the Wall Street Journal on February 2, 2021, the technology manager at a hospital based in Nebraska, which serves some 183,000 patients each month, said his hospital security normally blocks approximately 10,000 attempts to access its servers on any given day. When the hospital began coronavirus antibody drug trials in November 2020, the number of attacks tripled to 30,000 per day on average, with spikes as high as 70,000.
Ransomware gangs and financial scammers are widely blamed for the upsurge in opportunistic attacks related to COVID vaccine activity. And the competition among certain nation-states to obtain treatment data by illicit means is driving aggressive action by hackers.
Other factors are in play as well, coming together to create unprecedented opportunities for the theft of proprietary data, intellectual property, and protected patient information. The black market for this data is enormous and lucrative, so the motive is strong.
Current Hospital Landscape Invites Attack
Following are some of the other factors that are contributing to the rise in hospital cyberattacks.
- As is the case with many organizations, hospital administrative and other staff are working from home. This generally means less stringent security measures are in place and computer usage procedures are more relaxed. Multiple home users sharing computers and home wi-fi networks can also create vulnerabilities.
- The use of personal smartphones for some work-related activity can weaken hospital security and provide uncontrolled access points into the hospital network, particularly if the smartphone has not been formally integrated into the network.
- Tired and stressed healthcare workers tend to be less focused on security and privacy concerns while concentrating on patient care and treatment. Loss of focus can make workers vulnerable to social engineering ploys, phishing schemes, and email scams that allow malware, spyware, and ransomware into the hospital network.
- Among hospitals themselves, many still have not implemented security programs that comply with HIPAA requirements or even meet best practices standards. Consider the fact that data breaches in the healthcare industry have risen steadily every year since 2016. One of the fundamental best practices is to back up data daily, if not continuously, although there are still too many hospitals that do not.
- Many hospitals use aging equipment in a vulnerable patchwork of hardware and software platforms, and do not add appropriate security safeguards as various devices are plugged into the hospital’s Internet of Things. And far too many do not maintain up-to-date inventories of these assets.
- With elective surgeries cancelled and elective treatments postponed since COVID struck in March 2020, hospital revenues have plummeted, like those in other industries. Any planned security improvements or investments in security tools have been suspended—ironically, at a time when hospitals can least afford to have substandard security.
What To Do?
The easy response to hospitals that find themselves barraged by cyberattacks is “become HIPAA compliant ASAP.” While achieving and maintaining complete compliance with the HIPAA Security Rule will not guarantee that a hospital won’t be breached, HHS will be much more understanding should a breach occur.
The longer answer is that there are key actions hospitals should take, now, to reduce their vulnerability to opportunistic cybercriminals and harried hospital employees. These immediate actions should be part of a longer-range program to become fully HIPAA-compliant.
- When was your last Security Risk Assessment? If it was more than two years ago, schedule one now. Do not wait. HIPAA requires regular security risk assessments as the foundation for HIPAA compliance, and with good reason.
- If you have an information technology team on staff, call a meeting and find out where your security gaps are, what is being done to address those gaps, and the timeframe for completion. Is there an up-to-date incident response plan?
- If you don’t have IT support in-house, contact a cybersecurity firm that specializes in HIPAA compliance and cybersecurity, and have a thorough risk assessment conducted. The resulting report will help to answer those questions.
How a Security Risk Assessment Works
Hospitals are required by HIPAA to conduct regular security risk assessments that evaluate the adequacy of security controls in place at the time of each assessment. This provides a structured, qualitative evaluation of the operational environment, including threats, vulnerabilities, risks, and safeguards. In accordance with HIPAA, the risk assessment must evaluate the Administrative, Physical, and Technical aspects of a hospital’s security program.
The security risk assessment reviews the hospital network and information systems in terms of Confidentiality (protection of data from unauthorized disclosure), Integrity (protection of data from improper modification), and Availability (protection from loss of access to the data).
Some of the tools employed as part of the assessment include internal and external penetration testing, web application testing, social engineering testing, and physical security testing. Policies and procedures are analyzed along with employee security training programs as required by HIPAA. These and other tests provide a comprehensive view of the current security program.
The security assessment follows a proven methodology consisting of these steps:
1. Identify scope of assessment
2. Collect all necessary data
3. Identify and document threats and vulnerabilities
4. Assess current security measures
5. Determine likelihood of threat occurrence and potential impact
6. Determine degree or level of risk
7. Finalize documentation and present actionable report
Security risk assessments recommend reasonable corrective actions to reduce the risks they have identified, and to mitigate threats and their associated exploitable vulnerabilities. Recommendations are ranked according to severity and potential impact in order to assist hospital management in making decisions and allocating resources for implementation.
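To make steps 5 through 7 of the methodology and the severity ranking above concrete, here is an added example (not part of the original article or any assessor's tool) of a minimal risk register: each finding is tagged with its HIPAA safeguard area and the CIA property it affects, scored from qualitative likelihood and impact, assigned a risk level, and ranked for the corrective action plan. The three-level scales, the scoring matrix and the sample findings are constructed assumptions, not values from the page.

```python
from dataclasses import dataclass

# Qualitative scales assumed for this example; an assessor may use finer ones.
LEVELS = {"low": 1, "medium": 2, "high": 3}
SAFEGUARDS = {"Administrative", "Physical", "Technical"}      # HIPAA Security Rule areas
PROPERTIES = {"Confidentiality", "Integrity", "Availability"} # CIA properties reviewed

@dataclass(frozen=True)
class Finding:
    ident: str
    safeguard: str     # which HIPAA safeguard area the gap falls under
    affects: str       # which CIA property the threat would compromise
    likelihood: str    # step 5: likelihood of threat occurrence
    impact: str        # step 5: potential impact if it occurs
    description: str

    def __post_init__(self):
        if self.safeguard not in SAFEGUARDS or self.affects not in PROPERTIES:
            raise ValueError(f"{self.ident}: unknown safeguard or property")
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.ident}: likelihood/impact must be low|medium|high")

def risk_score(f: Finding) -> int:
    """Step 6: degree of risk as likelihood x impact on a 1..9 scale."""
    return LEVELS[f.likelihood] * LEVELS[f.impact]

def risk_level(f: Finding) -> str:
    """Map the numeric score onto the report's low/medium/high bands (assumed cut-offs)."""
    score = risk_score(f)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def rank_findings(findings):
    """Step 7: order corrective actions by risk, then impact, then id for stable output."""
    return sorted(findings, key=lambda f: (-risk_score(f), -LEVELS[f.impact], f.ident))

def worst_level_by_safeguard(findings):
    """Highest risk level present in each safeguard area, for the management summary."""
    worst = {}
    for f in findings:
        if risk_score(f) > risk_score(worst.get(f.safeguard, f)) or f.safeguard not in worst:
            worst[f.safeguard] = f
    return {area: risk_level(f) for area, f in worst.items()}

# Constructed sample findings mirroring the risk factors the article lists.
SAMPLE = [
    Finding("F1", "Administrative", "Availability", "high", "high", "No daily backups; ransomware would halt operations"),
    Finding("F2", "Technical", "Integrity", "medium", "high", "IoT medical devices added without security safeguards"),
    Finding("F3", "Technical", "Confidentiality", "medium", "medium", "Staff on shared home wi-fi reach PHI systems"),
    Finding("F4", "Administrative", "Availability", "high", "low", "No up-to-date asset inventory"),
    Finding("F5", "Physical", "Confidentiality", "low", "medium", "Unescorted access to a records room"),
]
```

Running `rank_findings(SAMPLE)` yields the corrective action order F1, F2, F3, F4, F5, and `worst_level_by_safeguard(SAMPLE)` gives the per-area summary a report would present to management.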
In addition to following a risk remediation or corrective action plan, every hospital should have an up-to-date incident response plan to be activated in the event of a data breach or other security incident. That response plan will include patient notification requirements as specified by HIPAA and the HITECH Act.
The volume of data breaches in the healthcare industry has risen steadily since 2016, and for well over a decade healthcare data breaches have comprised at least one-third of data breaches across all industries in the U.S. Today, hospitals are undergoing malicious attacks by cybercriminals aggressively taking advantage of new opportunities presented by the pandemic.
The current hospital landscape is rife with security vulnerabilities that make hospitals tempting targets for motivated cybercriminals—from aging hospital hardware and software and unsecured IoT devices, to employees working at home in less secure environments, to inadequate or incomplete compliance with HIPAA requirements and cybersecurity best practices.
Improving security is a must, and the road to better cybersecurity and compliance begins with a security risk assessment. For hospitals that haven’t thoroughly reviewed their security programs by conducting a formal security risk assessment in two years or more, now is the time, for so many reasons.