Hospitals Make Themselves a Target for Cyber Attacks
Published On November 5, 2020
Article by Nicole Laskowski, News Director at TechTarget
Cyber attacks on hospitals are on the rise because the targets are ripe and the payoff worthwhile.
Last week, the FBI, the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency published an advisory based on credible information "of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers."
The alert generated a "whirlwind of discussion" within the healthcare community, according to Jon Moore, chief risk officer and head of consulting services at Clearwater Compliance LLC in Nashville.
Part of that whirlwind included rumors that this new wave of malware and ransomware attacks, which hold healthcare data hostage and can force systems offline, could target 400 organizations at once. While that level of planning and coordination caught the eye of cybersecurity experts, the nature of the threat and its targets did not.
"The volume of attacks has greatly increased and more of those attacks have been successful," Moore said. "As organizations become increasingly dependent on technology, any interruption in that technology is increasingly detrimental."
Indeed, the growing interdependence can pressure healthcare organizations to resolve a cyber attack as quickly as possible, Moore said. That could translate -- and has -- into paying the ransom. But for an industry in the middle of a pandemic that has historically underfunded cybersecurity efforts, doing so has only added highly combustible fuel to the fire.
Healthcare caught in the crosshairs
The healthcare industry generates and stores some of the most valuable data out there, all the while riding a rapid wave of digitization and interoperability that can outpace security efforts.
Healthcare data can bring in five to 10 times what credit card data can, providing the means to steal someone's identity or file fraudulent Medicare charges, for example, according to Dan L. Dodson, CEO at Fortified Health Security.
Plus, although no cybersecurity expert for this story advised such a strategy, healthcare organizations have paid ransoms in the past.
Not known for their investment in security, healthcare organizations, especially those that are small to midsize, can find themselves without the backups or redundancy needed to manage a ransomware attack. And with patient lives and the financial health of the organization on the line, the pressure healthcare organizations face can force their hand, according to Selfridge.
"If it's a one-time payment of $1 million or $2 million-plus, the typical healthcare system can find that. That's not going to cause them to shutter the doors," Selfridge said. "But if they don't get back up and running, the operational costs of being down and having a large-scale outage will very quickly eclipse that $1, $2, $3 million -- whatever it is -- in just raw revenue that would be coming in from procedures, treatment and everything else that happens on a day-to-day basis."
Complexity only goes up from here
Now, as healthcare organizations face the disruptions and distractions brought on by COVID-19, they may be more likely to fall victim to an email phishing scam and more likely to pay a ransom than ever before, according to Selfridge.
"By combining that knowledge with a large-scale attack that would stretch our resources thin anyway, they're taking advantage of a weakness, a vulnerability as an industry, to make their attacks on healthcare," he said.
But, Selfridge added, if it wasn't COVID-19, cybercriminals would capitalize on some other hot-button issue.
Indeed, as healthcare organizations continue to barrel toward modernization, cyber attacks on hospitals will only continue to rise. And barrel they will. A new federal interoperability regulation, for example, will require healthcare organizations to provide standards-based APIs into their EHRs by next year, but the APIs will also make the healthcare ecosystem more interconnected and create more vulnerabilities, according to Clearwater Compliance's Moore.
"Once an attacker gains access to a network, they can and will try to move laterally through the network. Interconnections between organizations' systems may even allow them to move across organizations," Moore said. "As we have more interconnections with organizations outside the firewall and more sophisticated attacks, the traditional approach to security is becoming less effective."
There are strategies that could prove valuable to healthcare CIOs, Moore said, but they're not cheap. He suggested, for example, network microsegmentation, which confines traffic as well as a cybercriminal's visibility to just one part of the network. This combined with a zero-trust approach to security, where every asset requires authentication and authorization every time it's accessed, is becoming a best practice.
"Of course, this increases complexity and the cost of management," Moore said. "Many hospitals have limited resources, so it is always a challenge to manage risk to an acceptable level given the available resources."
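The trade-off Moore describes can be made concrete with a small model. The following is an added example, not code from the article or from Clearwater Compliance: it models a hospital network once as a flat network and once as a microsegmented one, computes which hosts a single compromised machine could reach under each policy (the "visibility" microsegmentation is meant to confine), and then layers a zero-trust check on top, where a network path alone never grants access and every request must carry a valid, MFA-backed session whose role is authorized for the resource. All host names, segments, allow rules, roles and session tokens are constructed sample data.

```python
"""Added example (not from the article): compare a flat network with a
microsegmented, zero-trust network by computing the blast radius of one
compromised host and then enforcing per-request authorization.
Every host, segment, rule, role and token below is constructed sample data."""
from collections import deque

# Constructed inventory: host -> network segment
HOSTS = {
    "nurse-ws-01": "clinical-workstations",
    "nurse-ws-02": "clinical-workstations",
    "ehr-app-01": "ehr-app",
    "ehr-db-01": "ehr-db",
    "infusion-pump-07": "medical-devices",
    "billing-01": "billing",
}
SEGMENTS = set(HOSTS.values())

# Flat network: every segment may talk to every other segment.
FLAT_POLICY = {(src, dst) for src in SEGMENTS for dst in SEGMENTS}

# Microsegmented network: an explicit allow list of (source, destination)
# segment pairs; anything not listed is dropped.
SEGMENTED_POLICY = {
    ("clinical-workstations", "ehr-app"),
    ("ehr-app", "ehr-db"),
    ("billing", "ehr-app"),
}


def reachable(start, policy, intra_segment=True, hosts=HOSTS):
    """Return the set of hosts that traffic originating on `start` could
    reach, following allowed segment pairs transitively (multi-hop).
    `intra_segment=True` models segments that still permit host-to-host
    traffic inside the segment; False models host-level isolation."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        current_seg = hosts[current]
        for host, seg in hosts.items():
            if host in seen:
                continue
            same_segment_ok = intra_segment and seg == current_seg
            if same_segment_ok or (current_seg, seg) in policy:
                seen.add(host)
                queue.append(host)
    return seen


def blast_radius(policy, intra_segment=True, hosts=HOSTS):
    """Largest fraction of the inventory any single compromised host could
    reach under `policy`; a quick metric for comparing segmentation designs."""
    worst = max(len(reachable(h, policy, intra_segment, hosts)) for h in hosts)
    return worst / len(hosts)


# Zero-trust layer (constructed): which role may use which resource, and
# which session tokens are currently valid. mfa=False marks a session that
# authenticated with a password only.
ROLE_PERMISSIONS = {
    "nurse": {"ehr-app-01"},
    "dba": {"ehr-db-01"},
}
VALID_SESSIONS = {
    "tok-alice": ("alice", "nurse", True),
    "tok-bob": ("bob", "nurse", False),
}


def authorize(token, resource, policy, src_host, sessions=VALID_SESSIONS):
    """Zero-trust access decision: the request must have a network path,
    a valid session, MFA, and a role that permits the resource. Being on
    the "inside" of the network is never sufficient on its own."""
    if resource not in reachable(src_host, policy):
        return "denied: no network path"
    session = sessions.get(token)
    if session is None:
        return "denied: unauthenticated"
    _user, role, mfa = session
    if not mfa:
        return "denied: mfa required"
    if resource not in ROLE_PERMISSIONS.get(role, set()):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        hosts = sorted(reachable("nurse-ws-01", policy))
        print(f"{name:>9}: nurse-ws-01 reaches {hosts}; "
              f"worst-case blast radius {blast_radius(policy):.0%}")
    print(authorize("tok-alice", "ehr-app-01", SEGMENTED_POLICY, "nurse-ws-01"))
    print(authorize("tok-alice", "ehr-db-01", SEGMENTED_POLICY, "nurse-ws-01"))
```

Two things the model makes visible: segmentation rules compose transitively, so an allow from workstations to the EHR application plus an allow from the application to the database still gives a workstation a two-hop path to the database, which is exactly why the zero-trust check must be evaluated at the application and database rather than inferred from the network path; and the cost Moore mentions shows up as the allow list and the role table, both of which have to be maintained as systems are added.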
Indeed, the bigger question seems to be "whether the hoped-for value of interoperability as measured in reduced cost of healthcare and better patient outcomes outweighs the costs of securing the information and -- when that proves insufficient -- the costs of a breach," he said.