A shift has occurred in the healthcare sector over the course of the COVID-19 pandemic, pressing the limits of what providers can accomplish under the most overwhelming circumstances, and not just in terms of patient care.
Rapid tech adoptions to support the pandemic response were quickly met with equal force by cyberattacks, hell-bent on turning a profit on weakened systems. But as a steady number of healthcare providers fell victim to attacks that led many into weeks of downtime procedures, the media coverage has helped to raise awareness of the inevitable risk to patient safety.
In fact, cyber awareness in healthcare is at an all-time high, with a dramatic focus and understanding that cyber risk is not just an IT issue, John Riggi, American Hospital Association senior advisor for cybersecurity and risk advisory, explained to SC Media. There’s an overall understanding with most leadership “that cyber risk is really an enterprise risk issue.”
Cybersecurity and security incidents impact “every function in the organization, while every function in the organization has the ability to either cause cyber risk or help mitigate it,” said Riggi. “Hospitals and health systems, and their boards, right now rank cyber risk within their top three enterprise risk issues.”
“For many of them, it’s the No. 1 concern,” he added. “That’s the good news.” The bad news is that cyberattacks are pummeling the healthcare sector, as seen with near-daily front page reports on ongoing incidents.
COVID-19 and the ongoing pandemic response are adding to these concerns and security challenges. The response has further fueled digital innovation within healthcare and provider environments, creating new technologically complex systems and increases in remote care or work.
In short, there is no longer a perimeter or one firewall able to protect all healthcare assets or the environment, he explained. “The endpoints are everywhere. So even though they have more attention focused on [cybersecurity], there is probably less confidence in their ability to deal with the increased threat.”
Recent Shred-it research, which found that 42% of providers may not be prepared to handle a security incident, supports Riggi’s theory. The College of Healthcare Information Management Executives and Association for Executives in Healthcare Information Security previously reported that the majority of healthcare entities experienced a security incident in the last year.
Of those, 30% faced a system or electronic health record outage, with another 15% reporting a patient safety incident tied to a cyber event, and 10% were forced to divert patients to nearby healthcare settings as a result of cyberattack-related outages.
“Quite frankly, healthcare, fortunately and unfortunately, understands cybersecurity as a major strategic risk issue — because they’ve been attacked so much and because people’s lives depend on it,” said Riggi. “We’ve seen ambulances diverted, surgeries being canceled.”
“The pipeline attack this spring demonstrated to other sectors that they are critical infrastructure for a reason: they’re critical to the U.S. economy, to public health and safety,” he added.
Healthcare’s triple threat
The pandemic exacerbated ongoing cybersecurity challenges within the healthcare sector. Providers are now facing a “COVID-19-induced cyber triple threat: a vastly expanded attack surface and dramatically increased attacks, ransomware attacks that also employ data theft as another layer of extortion, and reduced resources” stemming from the pandemic.
Many small providers are struggling to close some of the major security gaps and “are absolutely feeling the pressure right now,” which is a direct result of the pandemic. They’ve had to divert resources and shift their attention to the response, including shuffling their wards and ICU beds.
Riggi added they’ve also had to deal with other environmental factors as the pandemic created a much broader remote work environment. Some non-clinicians are working remotely in many instances. There’s also been a tremendous expansion of telehealth and telemedicine, as well as an over-reliance on remote technologies and services, such as the cloud.
The pandemic and related environmental shifts in healthcare “vastly expanded what we call the attack surface.”
“The extension of remote technologies and a wide adoption and application of technologies was actually very important and the right thing to do to respond to emergency situations such as a pandemic, but it did create this vastly expanded attack surface,” he said.
“Now our adversaries, from the start of the pandemic, have been consistently targeting and consistently exploited,” Riggi added.
Healthcare has a confluence of factors, which creates a perfect storm for increased cyber threats, expanded attacks or more attacks, and fewer human, financial and technical resources to deal with them.
Overall, the financial strain placed on hospitals, especially smaller hospitals, has resulted in revenue pressures and staffing shortages in both the clinical and trained cybersecurity workforces.
Healthcare “also has a greater understanding that a lot of the cyber risks that an organization has actually absorbed comes from third parties,” he continued. “Some of the largest cyber breaches we've seen this year, and last year, in terms of the number of records stolen, were not stolen from the covered entities: they were stolen from the business associates, that the provider had to turn the records over to for business reasons.”
“There are mission-critical dependencies the provider has, for instance: certain medical devices may require access to a third-party cloud service for them to operate,” said Riggi. “Understanding third-party risk, its implications for patient care services and business operations, is critical for both hospitals and health systems, and healthcare.”
Data show that the vast majority of the largest healthcare data breaches both in 2020 and 2021 were caused by third-party vendors, while recent reports confirm the sector is struggling to close these major gaps.
What then should be the key focus?
To be blunt, providers must deal with what's directly in front of them at the moment, the nearest threat, the tactical threat, which can impose direct harm to patient lives, explained Riggi.
At the moment, that is the “highly disruptive ransomware attacks, which have, in fact, been disrupting care delivery services and risking patient safety.” Some of the most high-profile attacks that affected large systems had a direct regional, state, and nationwide impact.
“AHA is most concerned about those at the moment because they’re posing a direct, immediate threat to patient care delivery and patient safety,” said Riggi. “There is a tremendous, residual impact because it’s not just the organizations affected [by these attacks], it’s all of the surrounding providers, as well.”
“There’s a cascading effect,” he continued. “We’ve seen this in some of the attacks on larger entities that all the smaller hospitals rely on, as well as the vendors or providers, for lab results or cancer treatments that can’t serve those patients because the services are disrupted during the attack.”
Ransomware can cause a lot of collateral impact across the region when one major provider gets hit with a ransomware attack and the ambulances and patients are diverted to other hospitals, which may already be full with COVID-19 patients.
As detailed in a July 22 congressional hearing, the May cyberattack on Scripps Health, which led to a month of network downtime, also led to overwhelmed emergency departments at local hospitals, such as the University of California San Diego Health. That same hearing confirmed healthcare is just not prepared to handle ransomware attacks at the current pace of activity.
What’s more, as soon as providers are exposed, they have civil and regulatory obligations to fulfill, explained Riggi. “This is what has the chilling effect on hospitals and really all healthcare providers to be fully transparent with the government.”
To pare down some of the complexity of the healthcare environment, Riggi urged providers to ensure they have means and processes in place able to continuously map and monitor the environment, which can provide a better understanding of the technical environment, including “what normal or baseline network activity looks like.”
This information can “then help to identify abnormal and malicious traffic flow,” he added.
Another priority must be established processes to maintain an accurate dynamic inventory of data, devices (including all IoT devices) and applications, which will “allow for the efficient application of patches to mitigate identified vulnerabilities within devices and applications and ensure the proper controls are in place to protect the privacy and security of sensitive data sets.”
It’s also “incumbent” that leadership and technical staff rely on the “vast amount of free cyber threat intelligence and information” provided by government agencies, AHA and other stakeholder groups, the Department of Health and Human Services, and threat sharing channels. The FBI-sponsored InfraGard program is ideal for cyber threat information exchange.
“Regular cyber threat briefings with leadership and staff, perhaps as a recurring agenda item at leadership and staff meetings, is a good way to establish a consistent cadence of the briefings and continuous reinforcement of cyber awareness,” said Riggi.
While it’s impossible to eliminate risk, it’s also imperative for healthcare organizations to exhaust all avenues when securing the healthcare environment. NIST provides more than 400 controls that are routinely updated, which should be the standard used by all healthcare security teams.
If attackers relentlessly targeted healthcare during a global pandemic, they clearly won’t let up once everything is back to normal. With awareness at an all-time high, there’s no longer an excuse for failing to act.
This is part of SC Media's special October coverage, in honor of Cybersecurity Awareness Month, spotlighting “security by design”: How different organizations within various verticals recognize their own security practices not only as a necessity, but also as a differentiator.