To stay connected with patients, healthcare providers are turning to telehealth services. In fact, 34.5 million telehealth services were delivered from March through June, according to the Centers for Medicare and Medicaid Services. The shift to remote healthcare has also impacted the rollout of new regulations that would give patients secure and free access to their health data.
The shift to online services shines a light on a major cybersecurity issue within all industries (but especially healthcare where people have zero control over their data): consent.
Hand over data control
Data transparency allows people to know what personal data has been collected, what data an organization wants to collect and how it will be used. Data control provides the end-user with choice and authority over what is collected and even where it is shared. Together the two lead to a competitive edge, as 85% of consumers say they will take their business elsewhere if they do not trust how a company is handling their data.
Regulations such as the GDPR and the CCPA have been enacted to hold companies accountable unlike ever before – providing greater protection, transparency and control to consumers over their personal data.
The U.S. Department of Health and Human Services’ (HHS) regulation, which is set to go into effect in early 2021, would provide interoperability, allowing patients to access, share and manage their healthcare data as they do their financial data. Healthcare organizations must provide people with control over their data and where it goes, which in turn strengthens trust.
How to earn patients’ trust
Organizations must improve their ability to earn patients’ confidence and trust by putting comprehensive identity and access management (IAM) systems in place. Such systems need to offer the ability to manage privacy settings, account for data download and deletion, and enable data sharing with not just third-party apps but also other people, such as additional care providers and family members.
The right digital identity solution should empower the orchestration of user identity journeys, such as registration and authentication, in a convenient way that unifies configuring security and user experience choices.
It should also enable the healthcare organization to protect patients’ personal data while offering their end-users a unified means of control of their data consents and permissions. Below are the four key steps companies should take to earn trust when users hand over data control:
- Identify where digital transformation opportunities and user trust risks intersect. Since users are becoming more skeptical, organizations must analyze “trust gaps” while they are discovering clever new ways to leverage personal data.
- Consider personal data as a joint asset. It’s easy for a company to say consumers own their own personal data, but business leaders have incentives to leverage that data for the value it brings to their business. This changes the equation. All the stakeholders within an organization need to come together and view data as a joint asset in which all parties, including end-users, have a stake.
- Lean into consent. Given the realities of regulations, a business often has a choice to offer consent to end-users rather than just collecting and using data. Seek to offer the option – it provides benefits when building trust with skeptical consumers, as well as when proving your right to use that data.
- Take advantage of consumer identity and access management (CIAM) for building trust. Identity management platforms automate and provide visibility into the entire customer journey across many different applications and channels. They also allow end-users to retain the controls to manage their own profiles, passwords, privacy settings and personal data.
Providing data transparency and data control to the end-user enhances the relationship between business and consumer. Organizations can achieve this trust with consumers in a comprehensive fashion by applying consumer identity and access management that scales across all of their applications. To see these benefits before regulations like the HHS regulations go into effect, organizations need to act now.
Attacks on the biotech and pharmaceutical industry increased by 50% between 2019 and 2020, according to a BlueVoyant report.
The report highlighted that nation-states are ramping up cyber attacks on companies that are developing vaccines, and this is likely to increase as production and distribution gets underway.
The analysis examined open source records of 25 publicly reported attacks that have taken place in the last four years. It set out to define key risks and how COVID-19 has changed the threat landscape.
Establishing that ransomware is still the number one threat vector for this industry, the report identifies the key risks that companies face and the steps they need to take to mitigate these.
- The number one emerging threat in 2020 is nation-state espionage aimed at stealing COVID-19 vaccine research data. That said, the top threat overall is still ransomware.
- COVID-19 vaccines are the crown jewels in 2020, with eight of the most prominent companies in the race for a vaccine facing high volumes of targeted malicious attacks. These volumes are often out of proportion to the companies' size and larger than those faced by well-known pharmaceutical giants.
- Biotech and pharmaceutical companies are under daily attacks which include brute force, phishing attempts, and targeting of vulnerable web applications.
- Attacks are escalating. Of the 25 attacks reported to the media since 2017, 10 (40%) took place in 2020.
- Key defenses against such attacks, such as securing open remote desktop access ports and phishing protection, had not been implemented across most of the observed companies.
- 80% of the 20 companies analyzed showed signs of more targeted attack activity.
Commenting on the research, Jim Penrose, COO, BlueVoyant said: “Pharmaceutical companies develop highly lucrative IP, they handle large amounts of patient and healthcare data and as such are a prime target for criminals looking to compromise, steal and exploit information. Now they face an even more elevated risk environment in the current pandemic as well-resourced nation-state actors mount aggressive and focused campaigns.
“Most organizations in this sector are significantly scaling up their digital platforms but cyber posture lags. They need to continuously monitor new attack vectors. Importantly, once they have secured their own systems, they need to look outward to supply chain cybersecurity because this sector, more than most industries, has interconnected digital business ecosystems with many supply chain dependencies. Supply chain cybersecurity is a critical step in ensuring against third-party cyber risk.”
- First, 80% of companies targeted experienced malicious, intentional and focused efforts. Even more troubling, 7 out of 20 showed signs of compromise.
- Second, attackers used automated tools and infrastructure and three quarters used programmatic brute force attacks, meaning they had acquired a credential database and then bought an automated program to target specific companies.
- Third, these incidents occurred without regard to company size, area of focus or geography. The wide distribution of attacks did not follow a clear pattern, which means that organizations were under attack from sophisticated and knowledgeable cyber actors.
Jim Rosenthal, CEO, BlueVoyant, concludes: “The ongoing effort to find a vaccine and cure for COVID-19 is an endeavor we all want to succeed. The high level of cyber risk associated with the firms working on this critical mission ought to be a call for action to take immediate measures to drive down cyber risk.
“Around the globe all citizens want peace of mind that these firms will guarantee confidentiality, integrity, and availability in their research, development, manufacturing, and data management activities as they race against the clock to deliver life-saving breakthroughs.
“We have recently seen the first death of a patient in Germany attributed to ransomware paralysing a hospital’s networks. We need to ensure that the growing surge of attacks against the pharmaceutical sector does not disrupt the delivery of healthcare, and the production and distribution of COVID-19 vaccines in 2021.”
Ransomware remains the most common cyber threat to SMBs, with 60% of MSPs reporting that their SMB clients have been hit as of Q3 2020, Datto reveals.
More than 1,000 MSPs weighed in on the impact COVID-19 has had on the security posture of SMBs, along with other notable trends driving ransomware breaches.
The impact of such attacks keeps growing: the average cost of downtime is now 94% greater than in 2019, and nearly six times higher than it was in 2018, increasing from $46,800 to $274,200 over the past two years, according to Datto’s research. Phishing, poor user practices, and lack of end user security training continue to be the main causes of successful ransomware attacks.
The survey also revealed the following:
- MSPs a target: 95% of MSPs state their own businesses are more at risk. Likely due to increasing sophistication and complexity of ransomware attacks, almost half (46%) of MSPs now partner with specialized Managed Security Service Providers (MSSPs) for IT security assistance – to protect both their clients and their own businesses.
- SMBs spend more on security: 50% of MSPs said their clients had increased their budgets for IT security in 2020, perhaps indicating awareness of the ransomware threat is growing.
- Average cost of downtime continues to overshadow actual ransom amount: Downtime costs related to ransomware are now nearly 50X greater than the ransom requested.
- Business continuity and disaster recovery (BCDR) remains the number one solution for combating ransomware, with 91% of MSPs reporting that clients with BCDR solutions in place are less likely to experience significant downtime during an attack. Employee training and endpoint detection and response platforms ranked second and third in tackling ransomware.
The impact of COVID-19 on ransomware and the cost of security disruptions
During the pandemic, the move to remote working and the accelerated adoption of cloud applications have increased security risks for businesses. More than half (59%) of MSPs said remote work due to COVID-19 resulted in increased ransomware attacks, and 52% of MSPs reported that shifting client workloads to the cloud increased security vulnerabilities.
As a result, SMBs need to take precautions to avoid the costly disruptions that occur in the aftermath of an attack. The survey also determined that healthcare was the most vulnerable industry during the pandemic (59%).
“Now more than ever organizations need to be vigilant in their approach to cybersecurity, especially in the healthcare industry as it’s managing and handling the most sensitive (and for criminals the most valuable) private data,” said Travis Lass, President of XLCON.
“The majority of our clients are small healthcare clinics, with no in-house IT. As ransomware attacks continue to increase, it’s critical we do everything we can to support them by arming them with best-in-class technology that will fend off malicious attackers looking to take advantage of the already fragile state of the healthcare industry.”
Top three ways ransomware is attacking entities
- Phishing emails. 54% of MSPs report these as the most successful ransomware attack vector. The social engineering tactics used to deceive victims have become very sophisticated, making it vital for SMBs to offer extensive and consistent end user security education that goes beyond the basics of identifying phishing attacks.
- Software-as-a-Service (SaaS) applications. Nearly one in four MSPs reported ransomware attacks on clients’ SaaS applications, with Microsoft being hit the hardest at 64%. These attacks mean that SMBs must consider the vulnerability of their cloud applications when planning their IT security measures and budgets.
- Windows endpoint systems applications. These are the most targeted by hackers, with 91% of ransomware attacks targeting Windows PCs this year.
“Reducing the risk of cyberattacks requires a multi-layered approach rather than a single product – awareness, education, expertise, and purpose-built solutions all play a key role.
“The survey highlights how MSPs are taking the extra step to partner with MSSPs that can offer more security-focused experience, along with a more widespread use of security measures like SSO and 2FA – these are critical strategies businesses and municipalities need to adopt to protect themselves from cyber threats now and in the future.”
Seventy-three percent of health system, hospital and physician organizations report their infrastructures are unprepared to respond to attacks. The survey results estimated 1500 healthcare providers are vulnerable to data breaches of 500 or more records, representing a 300 percent increase over this year.
Black Book Market Research surveyed 2,464 security professionals from 705 provider organizations to identify the gaps, vulnerabilities and deficiencies that persist in keeping hospitals and physicians as proverbial sitting ducks for data breaches and cyberattacks.
Ninety-six percent of IT professionals agreed that data attackers are outpacing their medical enterprises, holding providers at a disadvantage in responding to vulnerabilities.
With the healthcare industry estimated to spend $134 billion on cybersecurity from 2021 to 2026 ($18 billion in 2021, increasing 20% each year to nearly $37 billion in 2026), 82% of CIOs and CISOs in health systems in Q3 2020 agree that the dollars spent to date, largely allocated prior to their tenure, have not been spent effectively: often only after breaches, and without a full gap assessment of capabilities led by senior management outside of IT.
Talent shortage for cybersecurity pros continues
Additionally, 291 healthcare industry human resources executives were surveyed to determine the organizational supply and demand of experienced cybersecurity candidates. On average, cybersecurity roles in health systems take 70% longer to fill than other IT jobs.
Health systems are struggling to fill positions that require cybersecurity-related skills: vacancy duration, as reported by surveyed HR respondents, averages about 118 days, nearly three times the national average for other industries.
“The talent shortage for cybersecurity experts with healthcare expertise is nearing a very perilous position,” said Brian Locastro, lead researcher on the 2020 State of the Healthcare Cybersecurity Industry study by Black Book Research.
Seventy-five percent of the sixty-six health system CISOs responding agreed that experienced cybersecurity professionals are unlikely to choose a healthcare industry career path for one main reason.
More than in other industries, healthcare CISOs are ultimately held responsible for a data breach and the financial and reputation impacts to the provider organization despite having extremely limited decision-making technology or policy making authority.
COVID-19 has greatly increased risk of data breaches
Healthcare cybersecurity has become more complicated as providers are forced to deal with the COVID-19 pandemic. Understaffed and underfunded IT security departments are scrambling to accommodate the surge in demand of remote services from patients and physicians while simultaneously responding to the surge in security risks.
The survey found that 90% of health system and hospital employees who shifted to working at home due to the pandemic did not receive any updated guidelines or training on the increased risk of compromising systems when accessing sensitive patient data.
“Despite the rising threat, the vast majority of hospitals and physicians are unprepared to handle cybersecurity threats, even though they pose a major public health problem,” said Locastro.
Forty percent of all clinical hospital employees still receive little or no cybersecurity awareness training in 2020 beyond initial education on login access.
Fifty-nine percent of health system CIOs surveyed are shifting security strategies to address user authentication and access, as these are the attacker’s go-to entry point into health systems in 2020.
Stolen and compromised credentials were ongoing issues for 53% of health systems surveyed as hackers are increasingly using cloud misconfigurations to breach networks.
Cybersecurity consulting and advisory services are in high demand
Sixty-nine percent of 219 C-Suite respondents state their health system’s budget for cybersecurity consulting is increasing in 2021 to assess gaps, secure network operations, and user security on-premises and in the cloud.
“In today’s highly competitive cybersecurity market there isn’t enough talent to staff hospitals and health systems,” said Locastro.
“As provider organizations struggle to recruit, hire and retain in-house staff, the plausible choice is retaining an experienced advisory firm that is capable of identifying and remediating hidden security vulnerabilities, which appeals to the strategic and economic sense of boards and CEOs.”
Healthcare cybersecurity challenges find resolutions from outsourced services
“The dilemma with cybersecurity budgeting and forecasting is the lack of reliable historical data,” said Locastro. “Cybersecurity is a newer line item for hospitals and physician enterprises and budgets have not evolved to cover the true scope of human capital and technology requirements yet.”
That shortage of healthcare cybersecurity professionals, and the lack of appropriate technology solutions in place, are forcing a rush to acquire services and outsourcing at five times the pace of acquisition of cybersecurity products and software solutions.
Cybersecurity companies are responding to the labor crunch by offering healthcare providers and hospitals a growing portfolio of managed services.
“The key place to start when choosing a cybersecurity services vendor is to understand your threat landscape, understanding the type of services vendors offer and comparing that to your organization’s risk framework to select your best-suited vendor,” said Locastro.
“Healthcare organizations are also more prone to attacks than other industries because they persist at managing through breaches reactively.”
Fifty-one percent of in-house IT management respondents with purchasing authority report their group is not aware of the full variety of cybersecurity solution sets that exist, particularly mobile security environments, intrusion detection, attack prevention, forensics and testing in various healthcare settings.
Cybersecurity in healthcare provider organizations remains underfunded
The dollars actually spent on healthcare industry cybersecurity products and services are increasing, averaging 21% year over year since 2017. Extended projections estimate nearly $140 billion will be spent by health systems and health insurers by 2026.
However, 82% of hospital CIOs in inpatient facilities under 150 staffed beds and 90% of practice administrators collectively state they are not even close to spending an adequate amount on protecting patient records from a data breach.
“Outdated IT systems, fewer cybersecurity protocols, untrained IT staff on evolving security skills, and data-rich patient files are making healthcare the current target of hacker attacks,” said Locastro. “And the willingness of hospitals and physician practices to pay high ransoms to regain their data quickly motivates hackers to focus on patient records.”
“Threats are now four times more likely to be centered on healthcare than any other industry, and ransomware attacks are increasing in popularity because of the amount of privileged information the hacker can obtain,” said Locastro.
“Providers at the point-of-care haven’t kept pace with the cybersecurity progress and tools that manufacturers, IT software vendors, and the FDA have made either.”
Healthcare consumers willing to change providers if patient privacy is compromised
Eighty percent of healthcare organizations have not had a cybersecurity drill with an incident response process, despite the skyrocketing cases of data breaches in the healthcare industry in 2020.
Only 14 percent of hospitals and six percent of physician organizations believe that a 2021 assessment of their cybersecurity will show improvement from 2020. Twenty-six percent of provider organizations believe their cybersecurity position has worsened, as compared to three percent in other industries, year-to-year.
“Medical and financial leaders have wielded more influence over organizational budgets and made it difficult for IT management to implement needed cybersecurity practices despite the existing environment, but now consumers are beginning to react negatively to the provider’s lack of protection solutions.”
A poll of 3,500 healthcare consumers that used medical or hospital services in the last eighteen months revealed 93% would leave their provider if their patient privacy was compromised in an attack that could have been prevented.
Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.
The security implications of this transition will reverberate for years to come, as the hybrid workplace demands the workforce to be secure, connected and productive from anywhere.
The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.
As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19 pandemic, with more than half implementing MFA.
Cloud adoption also accelerated
Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.
As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.
“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”
Additional report findings
So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.
Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% over the past five years.
Cloud apps on pace to pass on-premises apps – Use of cloud apps is on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, a 5.4% increase year-over-year, while on-premises applications encompass 18.5% of total authentications, down 1.5% since last year.
Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.
iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.
Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.
Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.
Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).
On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.
UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.
COVID-19 changed the rules of the game virtually overnight. The news has covered the broader impacts of the pandemic, particularly the hit to our healthcare, the drops in our economy, and the changes in education.
But when a massive portion of our workforce was sent home, and companies moved operations online, no one thought about how vulnerable to cyberattacks those companies had now become. The attack surface had changed, giving malicious actors new inroads that no one had previously watched out for.
The thing is, cybersecurity isn’t a battle that’s ultimately won, but an ongoing game to play every day against attackers who want to take your systems down. We won’t find a one-size-fits-all solution for the vulnerabilities that were exposed by the pandemic. Instead, each company needs to charge the field and fend off their opponent based on the rules of play. Today, those rules are that anything connected to the internet is fair game for cybercriminals, and it’s on organizations to protect these digital assets.
COVID may have changed the rules, but the game is still on. Despite the security threat, this pandemic may have caused a massive opportunity for companies — if they’re willing to take it.
WFH isn’t new, but WFH suddenly, at scale, is
The attack surface changed — and so did the rules of the game.
A work-from-home world isn’t a new thing. Slow transitions to remote workplaces have become more of a norm, though pushes for all-remote workplaces come in cycles. In the past five to ten years, despite the rise of flexible work options and global teams, work still happened mainly in an office.
What is new is a massive amount of the workforce shifting to remote work nearly overnight. Suddenly, the internet became a company’s network—thousands of employees turned into thousands of individual offices. Secured networks were traded in for home Wi-Fi, and gaps and holes in an organization’s attack surface were introduced where they didn’t exist before.
That shift suddenly exposed vulnerabilities in the system, like older systems that were never updated, internet assets that were forgotten, and patches that never happened. These weak links are all the invitation a malicious adversary needs.
Rogue threats—web infrastructure created by criminals—changed, too. Phishing schemes suddenly took a new approach in the form of “COVID lures”: emails and ads that lead to questionable websites providing cure-alls for the virus, taking advantage of people’s increased fear and anxiety.
Attackers realized they had another advantage: employees responsible for diagnosing and fixing these kinds of security issues are now preoccupied with supporting family, supervising their kids’ remote education, or working long hours to cover other cuts. In other words, some of our players were benched.
Combine this easier access to enterprise systems with the increased willingness to hand over information and a drop in vigilance, and you can see how this all became a new kind of game. The good news is that although malicious actors seeking ways into these exposed systems are adapting, a company can adapt as well.
Going on the offensive
Companies can’t afford large-scale cyberattacks at any time, but especially right now. The pandemic has caused consumers who may have lost significant income to be picky with their purchases and investments. Companies need to be focused on retaining customer relationships so that they’ll weather the pandemic, and a take-down of the network could undercut customer trust in unrecoverable ways.
But many companies won’t take action. They may view their older systems as good enough to ride the wave to the other side of the pandemic, and once there, they’ll go back to what they had used before, unprepared for the next attack. They may get through, but nothing will have changed — things will not go back to how they were, and you will no longer be able to rely on systems that protected a pre-COVID world.
Now, there’s an opportunity to huddle up, form a new strategy, and go on the offensive. The pandemic can be an opportunity for businesses to take a look at their vulnerabilities, map their attack surface, and take appropriate actions to secure and strengthen their systems. We’ve seen this after other catastrophic events, such as after 9/11, when companies adopted new resiliency plans for any future recovery events. Companies have the same opportunity now.
Here are some things a company can do to ensure their systems are secure, even if they’ve been running a remote workforce for a while.
Invest in security teams
Companies who understand the value of keeping their systems secure and taking initiatives against potential leaks will want to invest in cybersecurity. Shore up the team and make new hires if needed. Overall, companies have been supportive of their security teams during this time, but if security isn’t a priority, make it one.
Map the attack surface
The quick move to remote work probably meant a fast rollout of new initiatives and quickly standing up new equipment, which makes mistakes the leading cause of a breach. Do an audit of your attack surface to uncover hidden failures and to find where older systems, forgotten assets, or unpatched issues are creating vulnerabilities.
Ask questions about what changed: What programs were canceled or altered? How are resources shifting around? Can new assets be secured before they roll out? Also, do some threat modeling with your team. Ask what a threat actor would do to attack your systems, or where they would gain a foothold. In other words, anticipate the opposing team’s next move.
Even the best companies miss something, but the more you can anticipate, the better. Then prepare a response plan for investigating attacks quickly, develop a triage system, create a playbook, and run drills so your players know their roles.
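The audit described above (older systems never updated, forgotten assets, patches that never happened, and the exposed remote desktop ports mentioned earlier in the BlueVoyant findings) can be made concrete as a script over a device inventory. The following is an added example, not code from the original article or from any vendor it cites; the inventory, the OS support table, the list of high-risk ports and the 90-day patch threshold are all constructed assumptions for illustration.

```python
"""Attack-surface audit over a constructed device inventory (added example).

Flags three classes of weakness: end-of-life operating systems, stale
patching, and high-risk services exposed to the internet, plus assets with
no recorded owner (a proxy for "forgotten" assets). Findings are ordered
highest severity first so a triage playbook can work top-down.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed: assumed vendor support status per OS version for this example.
OS_SUPPORT = {
    "Windows 7": "eol",              # end-of-life; still common in healthcare per the report
    "Windows Server 2008": "eol",
    "Windows 10": "supported",
    "Windows Server 2019": "supported",
    "Ubuntu 20.04": "supported",
}

# Constructed: services whose exposure to the internet the audit treats as high risk.
HIGH_RISK_PORTS = {3389: "RDP", 445: "SMB", 23: "Telnet"}

PATCH_MAX_AGE_DAYS = 90  # assumed patch policy threshold


@dataclass
class Asset:
    hostname: str
    os: str
    last_patched: date
    internet_exposed: bool
    open_ports: list[int] = field(default_factory=list)
    owner: str | None = None  # None models an asset nobody claims (possibly forgotten)


@dataclass
class Finding:
    hostname: str
    severity: str  # "high" or "medium"
    reason: str


def audit(assets: list[Asset], today: date) -> list[Finding]:
    """Return findings for every asset, ordered high severity first."""
    findings: list[Finding] = []
    for a in assets:
        status = OS_SUPPORT.get(a.os, "unknown")
        if status in ("eol", "unknown"):
            findings.append(Finding(a.hostname, "high", f"OS {a.os!r} is {status}"))
        age = (today - a.last_patched).days
        if age > PATCH_MAX_AGE_DAYS:
            findings.append(Finding(a.hostname, "medium", f"last patched {age} days ago"))
        if a.internet_exposed:
            for port in a.open_ports:
                if port in HIGH_RISK_PORTS:
                    findings.append(Finding(a.hostname, "high",
                                            f"{HIGH_RISK_PORTS[port]} (port {port}) exposed to the internet"))
        if a.owner is None:
            findings.append(Finding(a.hostname, "medium", "no owner on record (possible forgotten asset)"))
    # Stable sort: high before medium, then by hostname; insertion order otherwise kept.
    findings.sort(key=lambda f: (f.severity != "high", f.hostname))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts by severity plus the number of distinct hosts with at least one finding."""
    return {
        "high": sum(f.severity == "high" for f in findings),
        "medium": sum(f.severity == "medium" for f in findings),
        "hosts": len({f.hostname for f in findings}),
    }


# Constructed sample inventory; hostnames and dates are illustrative only.
SAMPLE_INVENTORY = [
    Asset("ehr-app01", "Windows Server 2019", date(2020, 9, 20), False, [443], "clinical-it"),
    Asset("legacy-imaging", "Windows 7", date(2019, 11, 2), False, [445], "radiology"),
    Asset("jump-host", "Windows Server 2008", date(2020, 3, 1), True, [3389], None),
    Asset("web-portal", "Ubuntu 20.04", date(2020, 10, 1), True, [443], "web-team"),
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY, date(2020, 10, 15))
    for f in results:
        print(f"[{f.severity:6}] {f.hostname}: {f.reason}")
    print(summarize(results))
```

Run as a script it prints the findings for the sample inventory; in practice the inventory would be loaded from a CMDB export or a network scan and the OS support table maintained from vendor lifecycle data rather than hard-coded.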
Update the old and roll out the new
Now that you’re learning the new rules of the game, can visualize the playing field, and can anticipate the opposing team’s next move, it’s time to act. Update older systems or trade them in for new ones. Patch security holes. Shrink the attack surface. Roll out new digital initiatives you might have been sitting on.
Finally, create that mobile app. Move to the cloud. Find new digital ways to engage with your customers, since it may be a while before in-store foot traffic returns. As you do this, you may come to realize that your systems were set up in such a way that you need to start over. In that case, do it. Now’s the time.
Support your team
Above all, make sure you have the right team in place, and take care of them. Get them the resources and information they need as they audit, patch, and put new protocols in place for the future.
Communicate with both them and your leadership team to keep everyone informed, and if you think you’re too busy, communicate even more, as teammates would on the field. Hedge against burnout. Above all, give your team the time and space they need to find the holes and make the fixes.
Live to play another day
In many ways, this shift to digital has been in progress for a long time. However, because it was never a necessity, the transformation lagged or stalled from a lack of resources and was moved down the priorities list. But today we see stalled-out initiatives finally being implemented. The plans have been in place, and COVID is now forcing us to get it done.
Healthcare delivery organizations (HDOs) have been busy increasing their network and systems security in the last year, though there is still much room for improvement, according to Forescout researchers.
This is the good news: the percentage of devices running unsupported Windows operating systems fell from 71% in 2019 to 32% in 2020, and there have been improvements when it comes to timely patching and network segmentation.
The bad news? Some network segmentation issues still crop up and HDOs still use insecure protocols for both medical and non-medical network communications, as well as for external communications.
Based on two data sources – an analysis of network traffic from five large hospitals and clinics and the Forescout Device Cloud (containing data for some 3.3 million devices in hundreds of healthcare networks) – the researchers found that, between April 2019 and April 2020:
- The percentage of devices running versions of Windows OS that will be supported for more than a year jumped from 29% to 68%, and the percentage of devices running Windows OS versions supported only via ESU fell from 71% to 32%. Unfortunately, the percentage of devices running Windows OSes like Windows XP and Windows Server 2003 remained constant (though small).
- There was a decided increase in network segmentation
Unfortunately, most network segments (VLANs) still have a mix of healthcare devices and IT devices or healthcare equipment, personal, and OT devices, or mix sensitive and vulnerable devices.
As far as communication protocols are concerned, they found that:
- 4 out of the 5 HDOs were communicating between public and private IP addresses using a medical protocol, HL7, that transports medical information in clear text
- 2 out of the 5 HDOs allowed medical devices to communicate over IT protocols with external servers reachable from outside the HDO’s perimeter
- All HDOs used obsolete versions of communication protocols, internally and externally (e.g., SSLv3, TLSv1.0, and TLSv1.1, SNMP v1 and 2, NTP v1 and 2, Telnet)
- Many of the medical and proprietary protocols used by medical equipment lack encryption and authentication, or don’t enforce their use (e.g., HL7, DICOM, POCT01, LIS02). OT and IoT devices in use have a similar problem
That’s all a big deal, because attacks exploiting these security vulnerabilities could do a lot of damage, including stealing patients’ information, altering it, disrupting the normal behavior of medical devices, disrupting the normal functioning of the entire organization (e.g., via a ransomware attack), etc.
Defense strategies for better healthcare network security
The researchers advised HDOs’ cyber defenders to:
- Find a way to “see” all the devices on the network, whether they comply with company policies, and detect malicious network behavior they may exhibit
- Identify and remediate weak and default passwords
- Map the network flow of existing communications to help identify unintended external communications, prevent medical data from being exposed publicly, and to detect the use of insecure protocols
- Improve segmentation of devices (e.g., isolate fragile legacy applications and operating systems, segment groups of devices according to their purpose, etc.)
“Whenever possible, switch to using encrypted versions of protocols and eliminate the usage of insecure, clear-text protocols such as Telnet. When this is not possible, use segmentation for zoning and risk mitigation,” they noted.
They also warned about the danger of over-segmentation.
“Segmentation requires well-defined trust zones based on device identity, risk profiles and compliance requirements for it to be effective in reducing the attack surface and minimizing blast radius. Over-segmentation with poorly defined zones simply increases complexity without tangible security benefits,” they concluded.
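One way to act on the flow-mapping advice above (detecting insecure protocol versions, clear-text HL7 leaving private address space, and medical devices talking to external hosts) is a small audit over flow records. The following is an added example, not Forescout’s code; the device inventory, the addresses and the flow records are all constructed, and the protocol labels are assumed to come from whatever traffic decoder the HDO already runs.

```python
"""Flow-record audit for the protocol findings discussed above.

Assumptions (not from the report): flows arrive already decoded into
(src, dst, dport, proto, version); the inventory of medical devices is
maintained elsewhere and is constructed here for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed inventory: internal addresses known to be medical equipment.
MEDICAL_DEVICES = {"10.10.5.21", "10.10.5.22"}

# RFC 1918 space is treated as "inside"; anything else is outside the perimeter.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Protocol versions the report calls obsolete (SNMP "v2" taken as v2c).
OBSOLETE_VERSIONS = {
    "tls": {"SSLv3", "TLSv1.0", "TLSv1.1"},
    "snmp": {"v1", "v2c"},
    "ntp": {"v1", "v2"},
}
# Protocols that carry their payload in clear text by design.
CLEARTEXT_PROTOCOLS = {"telnet", "hl7"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str       # application protocol label from the traffic decoder
    version: str = ""  # protocol version where the decoder reports one


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def crosses_perimeter(src: str, dst: str) -> bool:
    """True when exactly one end of the flow is inside RFC 1918 space."""
    return is_internal(src) != is_internal(dst)


def check_flow(flow: Flow) -> List[str]:
    """Return the list of findings for one flow (empty list means clean)."""
    findings = []
    if flow.version in OBSOLETE_VERSIONS.get(flow.proto, set()):
        findings.append(f"obsolete {flow.proto} version {flow.version}")
    if flow.proto in CLEARTEXT_PROTOCOLS:
        findings.append(f"clear-text protocol {flow.proto}")
    external = crosses_perimeter(flow.src, flow.dst)
    if flow.proto == "hl7" and external:
        findings.append("HL7 medical data crossing the perimeter unencrypted")
    if external and (flow.src in MEDICAL_DEVICES or flow.dst in MEDICAL_DEVICES):
        findings.append("medical device talking to an external host")
    return findings


def audit(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each flagged flow (as 'src->dst:port/proto') to its findings."""
    report = {}
    for f in flows:
        findings = check_flow(f)
        if findings:
            report[f"{f.src}->{f.dst}:{f.dport}/{f.proto}"] = findings
    return report


# Constructed sample flows; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for public addresses.
SAMPLE_FLOWS = [
    Flow("10.10.5.21", "10.10.20.7", 2575, "hl7"),                 # internal HL7 feed
    Flow("10.10.5.22", "203.0.113.9", 2575, "hl7"),                # HL7 to the outside
    Flow("10.10.30.4", "10.10.30.1", 161, "snmp", "v2c"),          # legacy SNMP
    Flow("10.10.30.4", "198.51.100.12", 443, "tls", "TLSv1.2"),    # fine
    Flow("10.10.30.5", "10.10.1.1", 23, "telnet"),                 # clear-text admin
    Flow("10.10.5.21", "198.51.100.20", 443, "tls", "TLSv1.0"),    # device, old TLS
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_FLOWS).items():
        print(key, "->", "; ".join(findings))
```

The internal/external test deliberately uses an explicit RFC 1918 list rather than `ipaddress`’s `is_private`, because the latter also classifies the documentation ranges used in the sample as private and would hide the perimeter crossing.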
Exposures and cybersecurity challenges can turn out to be costly. According to statistics from the US Department of Health and Human Services (HHS), 861 breaches of protected health information have been reported over the last 24 months.
New research from RiskRecon and the Cyentia Institute pinpointed risk in the third-party healthcare supply chain and showed that healthcare’s high exposure rate indicates that managing a comparatively small Internet footprint is a big challenge for many organizations in that sector.
But there is a silver lining: gaining the visibility needed to pinpoint and rectify exposures in the healthcare risk surface is feasible.
The research and report are based on RiskRecon’s assessment of more than five million internet-facing systems across approximately 20,000 organizations, focusing exclusively on the healthcare sector.
Healthcare has one of the highest average rates of severe security findings relative to other industries. Furthermore, those rates vary hugely across institutions, meaning the worst exposure rates in healthcare are worse than the worst exposure rates in other sectors.
Severe security findings decrease as employees increase. For example, the rate of severe security findings in the smallest healthcare providers is 3x higher than that of the largest providers.
Sub sectors vary
Sub sectors within healthcare reveal different risk trends. The research shows that hospitals have a much larger Internet surface area (hosts, providers, countries) but maintain relatively low rates of security findings. Additionally, the nursing and residential care sub-sector has the smallest Internet footprint yet the highest levels of exposure. Outpatient (ambulatory) and social services mostly fall in between hospitals and nursing facilities.
Cloud deployment impacts
As digital transformation ushers in a plethora of changes, critical areas of risk exposure are also changing and expanding. While most healthcare firms host a majority of their Internet-facing systems on-prem, they do also leverage the cloud. We found that healthcare’s severe finding rate for high-value assets in the cloud is 10 times that of on-prem. This is the largest on-prem versus cloud exposure imbalance of any sector.
It must also be noted that not all cloud environments are the same. A previous RiskRecon report on the cloud risk surface discovered an average 12 times the difference between cloud providers with the highest and lowest exposure rates. This says more about the users and use cases of various cloud platforms than intrinsic security inequalities. In addition, as healthcare organizations look to migrate to the cloud, they should assess their own capabilities for handling cloud security.
The healthcare supply chain is at risk
It’s important to realize that the broader healthcare ecosystem spans numerous industries, and these entities often have deep connections into the healthcare provider’s facilities, operations, and information systems. That means those organizations can have significant ramifications for third-party risk management.
When you dig into it, even though big pharma has the biggest footprint (hosts, third-party service providers, and countries of operation), they keep it relatively hygienic. Manufacturers of various types of healthcare apparatus and instruments show a similar profile of extensive assets yet fewer findings. Unfortunately, the information-heavy industries of medical insurance, EHR systems providers, and collection agencies occupy three of the top four slots for the highest rate of security findings.
“In 2020, Health Information Sharing and Analysis Center (H-ISAC) members across healthcare delivery, big pharma, payers and medical device manufacturers saw increased cyber risks across their evolving and sometimes unfamiliar supply chains,” said Errol Weiss, CSO at H-ISAC.
“Adjusting to the new operating environment presented by COVID-19 forced healthcare companies to rapidly innovate and adopt solutions like cloud technology that also added risk with an expanded digital footprint to new suppliers and partners with access to sensitive patient data.”
Information security policies (ISP) that are not grounded in the realities of an employee’s work responsibilities and priorities expose organizations to a higher risk of data breaches, according to research from Binghamton University, State University of New York.
The study’s findings, that subcultures within an organization influence whether employees violate ISP or not, have led researchers to recommend an overhaul of the design and implementation of ISP, and to work with employees to find ways to seamlessly fit ISP compliance into their day-to-day tasks.
“The frequency, scope and cost of data breaches have been increasing dramatically in recent years, and the majority of these cases happen because humans are the weakest link in the security chain. Non-compliance to ISP by employees is one of the important factors,” said Sumantra Sarkar, associate professor of management information systems in Binghamton University’s School of Management.
“We wanted to understand why certain employees were more likely to comply with information security policies than others in an organization.”
How subcultures influence compliance within healthcare orgs
Sarkar, with a research team, sought to determine how subcultures influence compliance, specifically within healthcare organizations.
“Every organization has a culture that is typically set by top management. But within that, you have subcultures among different professional groups in the organization,” said Sarkar. “Each of these groups is trained in a different way and is responsible for different tasks.”
Sarkar and his fellow researchers focused on ISP compliance within three subcultures found in a hospital setting – physicians, nurses and support staff.
The expansive study took years to complete, with one researcher embedding in a hospital for over two years to observe and analyze activities, as well as to conduct interviews and surveys with multiple employees.
Because patient data in a hospital is highly confidential, one area researchers focused on was the requirement for hospital employees to lock their electronic health record (EHR) workstation when not present.
“Physicians, who are dealing with emergency situations constantly, were more likely to leave a workstation unlocked. They were more worried about the immediate care of a patient than the possible risk of a data breach,” said Sarkar.
“On the opposite end, support staff rarely kept workstations unlocked when they were away, as they felt they were more likely to be punished or fired should a data breach occur.”
Researchers concluded that each subculture within an organization will respond differently to the organization-wide ISP, leaving organizations open to a higher possibility of data breaches.
Their recommendation – consult with each subculture while developing ISP.
“Information security professionals should have a better understanding of the day-to-day tasks of each professional group, and then find ways to seamlessly integrate ISP compliance within those job tasks,” said Sarkar. “It is critical that we find ways to redesign ISP systems and processes in order to create less friction.”
In the context of a hospital setting, Sarkar recommends touchless, proximity-based authentication mechanisms that could lock or unlock workstations when an employee approaches or leaves a workstation.
Researchers also found that most employees understand the value of ISP compliance, and realize the potential cost of a data breach. However, Sarkar believes that outdated information security policies’ compliance measures have the potential to put employees in a conflict of priorities.
“There shouldn’t be situations where physicians are putting the entire hospital at risk for a data breach because they are dealing with a patient who needs emergency care,” he said. “We need to find ways to accommodate the responsibilities of different employees within an organization.”
Securing medical devices is not a new challenge. Former Vice President Cheney, for example, had the wireless capabilities of a defibrillator disabled when implanted near his heart in 2007, and hospital IT departments and health providers have for years secured medical devices to protect patient data and meet HIPAA requirements.
With the expansion of security perimeters, the surge in telehealth usage (particularly during COVID-19), and proliferation in the number and types of connected technologies, healthcare cybersecurity has evolved into a more complex and urgent effort.
Today, larger hospital systems have approximately 350,000+ medical devices running simultaneously. On top of this, millions of additional connected devices are maintained by the patients themselves. Over the next 10 years, it’s estimated the number of connected medical devices could increase to roughly 50 billion, driven by innovations such as 5G, edge computing, and more. This rise in connectivity has increased the threat of cyberattacks not just to patient data, but also patient safety. Vulnerabilities in healthcare technology (e.g., an MRI machine or pacemaker) can lead to patient harm if diagnoses are delayed or the right treatments don’t get to the right people.
What can the healthcare industry do to strengthen their defenses today? How can they lay the groundwork for more secure devices and networks tomorrow?
The challenges are interconnected. The solutions cannot be siloed, and collaboration between manufacturers, doctors, healthcare delivery organizations and regulators is more critical now than ever before.
Device manufacturers: Integrating security into product design
Many organizations view medical device cybersecurity as protecting technology while it is deployed as part of a local network. Yet medical devices also need to be designed and developed with mobile and cloud security in mind, with thoughtful consideration about the patient experience. It is especially important we take this step as medical technology moves beyond the four walls of the hospital and into the homes of patients. The connected device itself needs to be secure, as opposed to the network surrounding the device.
We also need greater visibility and transparency across the medical device supply chain—a “software bill of materials.” The multicomponent nature of many medical products, such as insulin pumps or pacemakers, makes the final product feel like a black box: hospitals and users know what it’s intended to do, but they don’t have much understanding of the individual components that make everything work. That makes it difficult to solve cybersecurity problems as they arise.
According to the 2019 HIMSS Cybersecurity Survey, just over 15% of significant security issues originated either from medical device problems in hospitals or from vendor medical devices. Some of these issues led to ransomware attacks that exposed vulnerabilities, as healthcare providers and device makers scrambled to figure out which of their products were at risk while their systems were under threat. A software bill of materials would have helped them respond quickly to security, license, and operational risks.
Healthcare delivery organizations: Prioritizing preparedness and patient education
Healthcare providers, for their part, need to strengthen their threat awareness and preparedness, thinking about security from device procurement all the way to the sunsetting of legacy devices, which can extend over years and decades.
It’s currently not uncommon for healthcare facilities to use legacy technology that is 15 to 20 years old. Many of these devices are no longer supported and their security doesn’t meet the baseline of today’s evolving threats. However, as there is no replacement technology that serves the same functions, we need to provide heightened monitoring of these devices.
Threat modeling can help hospitals and providers understand their risks and increase resilience. Training and preparedness exercises are imperative in another critical area of cybersecurity: the humans operating the devices. Such exercises can put doctors, for instance, in an emergency treatment scenario with a malfunctioning device, and the discussions that follow provide valuable opportunities to educate, build awareness of, and proactively prepare for cyber threats.
Providers might consider “cybersecurity informed consent” to educate patients. When a patient signs a form before a procedure that acknowledges potential risks like infection or side effects, cyber-informed consent could include risks related to data breaches, denial of service attacks, ransomware, and more. It’s an opportunity to both manage risk and engage patients in conversations about cybersecurity, increasing trust in the technology that is essential for their health.
Regulators: Connecting a complex marketplace
The healthcare industry in the US is tremendously complex, composed of hundreds of large healthcare systems, thousands of groups of physician practices, public and private payers, medical device manufacturers, software companies, and so on.
This expanding healthcare ecosystem can make it difficult to coordinate. Groups like the Food & Drug Administration (FDA) and the Healthcare Sector Coordinating Council have been rising to the challenge.
They’ve assembled subgroups and task forces in areas like device development and the treatment of legacy technologies. They’ve been reaching out to hospitals, patients, medical device manufacturers, and others to strengthen information-sharing and preparedness, to move toward a more open, collaborative cybersecurity environment.
Last year, the FDA issued a safety communication to alert health care providers and patients about cybersecurity vulnerabilities identified in a wireless telemetry technology used for communication that impacted more than 20 types of implantable cardiac devices, programmers, and home monitors. Later in 2019, the same device maker recalled thousands of insulin pumps due to unpatchable cyber vulnerabilities.
These are but two examples of many that demonstrate the impact of cybersecurity not only on patient health but also on device makers and the healthcare system at large. Connected health should give patients access to approved technologies that can save lives without introducing risks to patient safety.
As the world continues to realize the promise of connected technologies, we must monitor threats, manage risks, and increase our network resilience. Working together to incorporate cybersecurity into device design, industry regulations, provider resilience, and patient education is where we should start.
Contributing author: Shannon Lantzy, Chief Scientist, Booz Allen Hamilton.
There are growing privacy concerns among Americans due to COVID-19 with nearly 70 percent citing they would likely sever healthcare provider ties if they found that their personal health data was unprotected, a CynergisTek survey reveals.
And as many employers seek to welcome staff back into physical workplaces, nearly half (45 percent) of Americans expressed concerns about keeping personal health information private from their employer.
“As healthcare systems and corporations continue to grapple with data challenges associated with COVID-19 – whether that’s more sophisticated, targeted cyber-attacks or the new requirements around interoperability and data sharing, concerns around personal data and consumer awareness of privacy rights will only continue to grow,” said Caleb Barlow, president and CEO of CynergisTek.
Patients contemplate cutting ties over unprotected health data
While many still assume personal data is under lock and key, 18 percent of Americans are beginning to question whether personal health data is being adequately protected by healthcare providers. In fact, 47.5 percent stated they were unlikely to use telehealth services again should a breach occur, sounding the alarm for a burgeoning telehealth industry predicted to be worth over $260B by 2026.
While 3 out of 4 Americans still largely trust their data is properly protected by their healthcare provider, tolerance is beginning to wane with 67 percent stating they would change providers if it was found that their data was not properly protected. When drilling deeper into certain age groups and health conditions, the survey also found that:
- Gen X (73 percent) and Millennials (70 percent) proved even less tolerant than other demographics, being more willing to part ways with their providers over unprotected health data.
- 66 percent of Americans living with chronic health conditions stated they would be willing to change up care providers should their data be compromised.
Data shows that health systems who have not invested the time, money and resources to keep pace with the ever-changing threat landscape are falling behind. Of the nearly 300 healthcare facilities assessed, less than one half met NIST Cybersecurity Framework guidelines.
Concern about sharing COVID-19 health data upon returning to work
As pressures mount for returning employees to disclose COVID-19 health status and personal interactions, an increasing conflict between ensuring public health safety and upholding employee privacy is emerging.
This is increasingly evident with 45 percent stating a preference to keep personal health information private from their employer, shining a light on increased scrutiny among employees with over 1 in 3 expressing concerns about sharing COVID-19 specific health data, e.g. temperature checks. This highlights that office openings may prove more complicated than anticipated.
“The challenges faced by both healthcare providers and employers during this pandemic have seemed insurmountable at times, but the battle surrounding personal health data and privacy is a challenge we must rise to,” said Russell P. Branzell, president and CEO of the College of Healthcare Information Management Executives.
“With safety and security top of mind for all, it is imperative that these organizations continue to take the necessary steps to fully protect this sensitive data from end to end, mitigating any looming cyberthreats while creating peace of mind for the individual.”
Beyond unwanted employer access to personal data, the survey found that nearly 60 percent of respondents expressed anxieties around their employer sharing personal health data externally to third parties such as insurance companies and employee benefit providers without consent.
This stands in stark contrast to Accenture’s recent survey, which found that 62 percent of C-suite executives confirmed they were exploring new tools to collect employee data. It is a reminder to employers to tread lightly when mandating employee health protocols and questionnaires.
“COVID-19 has thrown many curveballs at both healthcare providers and employers, and the privacy and protection of critical patient and employee data must not be ignored,” said David Finn, executive VP of strategic innovation of CynergisTek.
“By getting ahead of the curve and implementing system-wide risk posture assessments and ensuring employee opt-in/opt-out functions when it comes to sharing personal data, these organizations can help limit these privacy and security risks.”
Attackers focused on COVID-era lifelines such as healthcare, e-commerce, and educational services with complex, high-throughput attacks designed to overwhelm and quickly take them down, Netscout reveals.
“The first half of 2020 witnessed a radical change in DDoS attack methodology to shorter, faster, harder-hitting complex multi-vector attacks that we expect to continue,” stated Richard Hummel, threat intelligence lead, Netscout.
“Adversaries increased attacks against online platforms and services crucial in an increasingly digital world, such as e-commerce, education, financial services, and healthcare. No matter the target, adversary, or tactic used, it remains imperative that defenders and security professionals remain vigilant in these challenging days to protect the critical infrastructure that connects and enables the modern world.”
Record-breaking DDoS attacks at online platforms and services
More than 929,000 DDoS attacks occurred in May, representing the single largest number of attacks ever seen in a month. 4.83 million DDoS attacks occurred in the first half of 2020, a 15% increase. However, DDoS attack frequency jumped 25% during peak pandemic lockdown months (March through June).
Bad actors focused on shorter, more complex attacks
Super-sized 15-plus vector attacks increased 2,851% since 2017, while the average attack duration dropped 51% from the same period last year. Moreover, single-vector attacks fell 43% while attack throughput increased 31%, topping out at 407 Mpps.
The increase in attack complexity and speed, coupled with the decrease in duration, gives security teams less time to defend their organizations from increasingly sophisticated attacks.
Organizations and individuals bear the cost of cyber attacks
To determine the impact that DDoS attacks have on global Internet traffic, the Netscout ATLAS Security Engineering and Response Team (ASERT) developed the DDoS Attack Coefficient (DAC). It represents the amount of DDoS attack traffic traversing the internet in a given region or country during any one-minute period.
If no traffic can be attributed to DDoS, the amount would be zero. DAC identified top regional throughput of 877 Mpps in the Asia Pacific region, and top bandwidth of 2.8 Tbps in EMEA. DAC is important since cybercriminals don’t pay for bandwidth. It demonstrates the “DDoS tax” that every internet-connected organization and individual pays.
71% of healthcare and medical apps have at least one serious vulnerability that could lead to a breach of medical data, according to Intertrust.
The report investigated 100 publicly available global mobile healthcare apps across a range of categories—including telehealth, medical device, health commerce, and COVID-tracking—to uncover the most critical mHealth app threats.
Cryptographic issues pose one of the most pervasive and serious threats, with 91% of the apps in the study failing one or more cryptographic tests. This means the encryption used in these medical apps can be easily broken by cybercriminals, potentially exposing confidential patient data, and enabling attackers to tamper with reported data, send illegitimate commands to connected medical devices, or otherwise use the application for malicious purposes.
Bringing medical apps security up to speed
The study’s overall findings suggest that the push to reshape care delivery under COVID-19 has often come at the expense of mobile application security.
“Unfortunately, there’s been a history of security vulnerabilities in the healthcare and medical space. Things are getting a lot better, but we still have a lot of work to do,” said Bill Horne, General Manager of the Secure Systems product group and CTO at Intertrust.
“The good news is that application protection strategies and technologies can help healthcare organizations bring the security of their apps up to speed.”
The report on healthcare and medical mobile apps is based on an audit of 100 iOS and Android applications from healthcare organizations worldwide. All 100 apps were analyzed using an array of static application security testing (SAST) and dynamic application security testing (DAST) techniques based on the OWASP mobile app security guidelines.
- 71% of tested medical apps have at least one high level security vulnerability. A vulnerability is classified as high if it can be readily exploited and has the potential for significant damage or loss.
- The vast majority of medical apps (91%) have mishandled and/or weak encryption that puts them at risk for data exposure and IP (intellectual property) theft.
- 34% of Android apps and 28% of iOS apps are vulnerable to encryption key extraction.
- The majority of mHealth apps contain multiple security issues with data storage. For instance, 60% of tested Android apps stored information in SharedPreferences, leaving unencrypted data readily readable and editable by attackers and malicious apps.
- When looking specifically at COVID-tracking apps, 85% leak data.
- 83% of the high-level threats discovered could have been mitigated using application protection technologies such as code obfuscation, tampering detection, and white-box cryptography.
US-based healthcare giant Universal Health Services (UHS) suffered a cyberattack on Sunday morning, which resulted in the IT network across its facilities being shut down.
Location of UHS facilities
UHS operates nearly 400 hospitals and healthcare facilities throughout the US, Puerto Rico and the UK.
“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods,” the company stated on Monday.
“Patient care continues to be delivered safely and effectively. No patient or employee data appears to have been accessed, copied or misused.”
No more details were shared about the nature of the “IT security issue” (as they chose to call it), leaving the door open for unconfirmed reports from professed insiders (employees at some of the affected facilities) to proliferate online.
A Reddit thread started on Monday is chock full of them:
- The attack involved ransomware – Ryuk ransomware, to be more specific
- It’s unknown how many systems have been affected, i.e., how widespread is the damage
- “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center”
- Ambulances are being rerouted to other hospitals, information needed to treat patients – health records, lab works, cardiology reports, medications records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment
- “4 people died tonight alone due to the waiting on results from the lab to see what was going on”
Was it Ryuk?
While most of these reports have yet to be verified, it seems almost certain that ransomware is in play.
Bleeping Computer was told by an employee that the encrypted files sported the .ryk extension and another employee described a ransom note that points to Ryuk ransomware.
“Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines. Once on an infected host, it can pull passwords out of memory and then move laterally through open shares, infecting documents and compromised accounts,” commented Jeff Horne, CSO, Ordr.
Justin Heard, Director of Security, Intelligence and Analytics at Nuspire, noted that up until recently, Ryuk was used solely to target financial services, but over the last several months Ryuk has been seen targeting manufacturing, oil and gas, and now healthcare.
“Ryuk is known to target large organizations across industries because it demands a very high ransom. The ransomware operators likely saw UHS as the opportunity to make a quick buck given the urgency to keep operations going, and the monetary loss associated with that downtime could outweigh the ransom demand,” he explained.
“Ryuk Ransomware is run by a group called Wizard Spider, which is known as the Russia-based operator of the TrickBot banking malware. Ryuk is one of the most evasive ransomware out there. Nuspire Intelligence has repeatedly seen the triple threat combo of Ryuk, TrickBot and Emotet to wreak the most damage to a network and harvest the most amount of data.”
Some ransomware operators have previously stated that they would refrain from hitting healthcare organizations. Despite that, the number of attacks targeting medical institutions continues to rise.
Government and financial service sectors globally are the most hack-resistant industries in 2020, according to Synack.
Government and financial services scored 15 percent and 11 percent higher, respectively, than all other industries in 2020. Government agencies earned the top spot in part due to reducing the time it takes to remediate exploitable vulnerabilities by 73 percent.
Throughout the year, both sectors faced unprecedented challenges due to the global pandemic, but still maintained a commitment to thorough and continuous security testing that lessened the risk from cyberattacks.
“It’s a tremendously tough time for all organizations amidst today’s uncertainties. Data breaches are the last thing they need right now. That’s why it’s more crucial than ever to quickly find and fix potentially devastating vulnerabilities before they cause irreparable harm,” said Jay Kaplan, CEO at Synack. “If security isn’t a priority, trust can evaporate in an instant.”
The government sector earned 61 — the highest rating
The chaos of 2020 added new hardship to many government bodies, but security hasn’t necessarily suffered as many agencies have become more innovative and agile. Their ability to quickly remediate vulnerabilities drove this year’s top ranking.
Financial services scored 59 amidst massive COVID-19 disruptions
Financial services adapted quickly through the pandemic to help employees adjust to their new remote work realities and ensure customers could continue doing business. Continuous security testing played a significant role in the sector’s Attacker Resistance Score (ARS).
Healthcare and life sciences scored 56 despite pandemic challenges
The rush to deploy apps to help with the COVID-19 recovery led to serious cybersecurity challenges for healthcare and life sciences. Despite those issues, the sector had the third highest average score as research and manufacturing organizations stayed vigilant and continuously tested digital assets.
ARS scores increase 23 percent from continuous testing
For organizations that regularly release updated code or deploy new apps, point-in-time security analysis will not pick up potentially catastrophic vulnerabilities. A continuous approach to testing helps ensure vulnerabilities are found and fixed quickly, resulting in a higher ARS metric.
Only 44% of healthcare providers, including hospital and health systems, conformed to protocols outlined by the NIST CSF – with scores in some cases trending backwards since 2017, CynergisTek reveals.
Healthcare providers and NIST CSF
Analysts examined nearly 300 assessments of provider facilities across the continuum, including hospitals, physician practices, ACOs and Business Associates.
The report also found that healthcare supply chain security is one of the lowest ranked areas for NIST CSF conformance. This is a critical weakness, given that COVID-19 demonstrated just how broken the healthcare supply chain really is, with providers buying PPE from unvetted suppliers.
“We found healthcare organizations continue to enhance and improve their programs year-over-year. The problem is they are not investing fast enough relative to an innovative and well-resourced adversary,” said Caleb Barlow, CEO of CynergisTek.
“These issues, combined with the rapid onset of remote work, accelerated deployment of telemedicine and impending openness of EHRs and interoperability, have set us on a path where investments need to be made now to shore up America’s health system.
“However, the report isn’t all doom and gloom. Organizations that have invested in their programs and had regular risk assessments, devised a plan, addressed prioritized issues stemming from the assessments and leveraged proven strategies like hiring the right staff and evidence-based tools have seen significant improvements to their NIST CSF conformance scores.”
Bigger budgets don’t mean better security performance
The report revealed bigger healthcare institutions with bigger budgets didn’t necessarily perform better when it comes to security, and in some cases, performed worse than smaller organizations or those that invested less.
In some cases, this was a direct result of consolidation, where health systems connect newly acquired hospitals directly to their networks without first shoring up the acquired organization’s security posture and conducting a compromise assessment.
“What our report has uncovered over recent years is that healthcare is still behind the curve on security. While healthcare’s focus on information security has increased over the last 15 years, investment is still lagging. In the age of remote working and an attack surface that has exponentially grown, simply maintaining a security status quo won’t cut it,” said David Finn, EVP of Strategic Innovation at CynergisTek.
“The good news is that issues emerging in our assessments are largely addressable. The bad news is that it is going to require investment in an industry still struggling with financial losses from COVID-19.”
Leading factors influencing performance include poor security planning and lack of organizational focus, inadequate reporting structures and funding, confusion around priorities, lack of staff and no clear plan.
Key strategies to bolster healthcare security and achieve success
Look under the hood at security and privacy amid mergers and acquisitions: For health systems planning to integrate new organizations into the fold through mergers and acquisitions, leadership should look under the hood and be more diligent when examining the organization’s security and privacy infrastructure, measures and performance.
It’s important to understand their books and revenue streams as well as their potential security risks and gaps to prevent these issues from becoming liabilities.
Make security an enterprise priority: While other sectors like finance and aerospace have treated security as an enterprise-level priority, healthcare must also make this kind of commitment.
Understanding how these risks tie to the bigger picture will help an organization that thinks it cannot afford to invest in privacy and information security risk management activities understand why making such an investment is crucial.
Hospitals and healthcare organizations should create collaborative, cross-functional task forces like enterprise response teams, which offer other business units an eye-opening look into how security and privacy touch all parts of the business including financial, HR, and more.
Money isn’t a solution: Just throwing money at a problem doesn’t work. Security leaders need to identify priorities and have a plan that leverages talent and tried-and-true strategies like multi-factor authentication, privileged access management and ongoing staff training to truly level up their defenses and take a more holistic approach, especially when bringing on new services such as telehealth.
Accelerate the move to cloud: While healthcare has traditionally been slow to adopt the cloud, these solutions provide the agility and scalability that can help leaders cope with situations like COVID-19, and other crises more effectively.
Shore up security posture: We frequently learn the hard way that security can disrupt workflow. COVID-19 taught us that workflow can also disrupt security, and things are going to get worse before getting better. Get an assessment quickly to determine immediate needs and come up with a game plan to bolster the defenses needed in this next normal.
While COVID-19 has proven the healthcare industry’s overall resilience, it has also increased its cybersecurity risk with new and emerging threats.
The rapid adoption and onboarding of telehealth vendors led to a significantly increased digital footprint, attack surface, and cybersecurity risk for both provider and patient data, a new report released by SecurityScorecard and DarkOwl has shown.
Telehealth use is booming, and so is the associated cybersecurity risk
According to a brief from the U.S. Department of Health and Human Services, at the height of the pandemic, the number of telehealth primary care visits increased 350-fold from pre-pandemic levels.
Researchers focused the 2020 healthcare report on reviewing the 148 most-used telehealth vendors according to Becker’s Hospital Review. The report indicates that telehealth providers have experienced a nearly exponential increase in targeted attacks as popularity skyrocketed, including a 30% increase in cybersecurity findings per domain, notably:
- 117% increase in IP reputation security alerts
  - Malware infections — as part of successful phishing attempts and other attack vectors — ultimately cause IP reputation finding issues
- 65% increase in patching cadence findings
  - Patching cadence is the regularity of installing security patches and is often one of the primary security policies that protect data
- 56% increase in endpoint security findings
  - Exploited vulnerabilities in endpoint security enable data theft
- 16% increase in application security findings
  - Patients connect with telehealth providers using web-based applications that handle both structured and unstructured data
- 42% increase in FTP issues
  - FTP is an insecure network protocol that enables information to travel between a client and a server on a network
- 27% increase in RDP issues
  - RDP is a protocol that allows for remote connections and has seen increased usage since the widespread adoption of remote work
Evidence on the dark web
Additionally, DarkOwl’s research showed a noticeable increase in mentions of major healthcare and telehealth companies across the dark web since February 2020. There was evidence of prolific and emerging threat actors selling electronic patient healthcare data, malware toolkits that specifically target telehealth technologies, and strains of ransomware that are uniquely configured to take down healthcare IT infrastructure.
Over the past four years, SecurityScorecard has reported on the cybersecurity struggles the healthcare industry faces. In this year’s report, SecurityScorecard and DarkOwl looked at over one million organizations – over 30,000 in healthcare alone – from September 2019 to April 2020 and analyzed terabytes of information to assess risk across 10 factors.
The healthcare industry, despite new risks from telehealth vendors, slightly improved its security posture compared to 2019. The industry moved to 9th place out of 18 reviewed industries (up from 10th in 2019). This is heartening, especially as the industry has been overwhelmed by an influx of patients, limited resources, rationing, and other challenges due to COVID-19.
“While telehealth is an integral part of maintaining social distancing and providing patient care, it has also increased healthcare providers’ digital footprint and attack surface, which we see with the increase of findings per telehealth domain, and in factors like endpoint security,” said Sam Kassoumeh, COO and co-founder of SecurityScorecard. “It’s an indicator that healthcare organizations should continue to keep a focus on cyber resilience.”
Mark Turnage, CEO of DarkOwl, adds: “Since the onset of the pandemic, cybercriminals are entering the healthcare data selling space, which ultimately leads to new risks facing healthcare organizations and their IT supply stream. Threat protection teams must remain one step ahead of potential attackers, especially during this critical time.”
As a result of the COVID-19 pandemic, healthcare professionals have increased their reliance on the internet to carry out their job. From connectivity with patients, to the interconnectivity of different medical devices passing patient data, the threat vector has expanded dramatically, so cyber awareness has become crucial.
Healthcare under attack: What about cyber awareness?
This has made the sector an attractive target for cybercriminals, with the plethora of research, personal, and confidential data available to them. Recent research surveying healthcare professionals found that 41% are seeing cyberattacks against their organization take place on a weekly basis.
Healthcare organizations have seen a significant rise in prominence over the last few months owing to their key roles in fighting the pandemic. Nations have celebrated the heroes on the frontline in many ways, so why, despite the humanitarian capacity of their roles, are they being targeted by nefarious actors?
Critical national infrastructure
Healthcare plays a fundamental role in supporting a nation and is considered part of the critical national infrastructure. With its heightened importance during the current global pandemic, it has rapidly become a very attractive target for nefarious actors intent on causing chaos and disruption by exploiting a time of confusion and uncertainty. Cybercriminals know that denying the services of the healthcare sector at this time would have massive ramifications for the well-being of the nation.
By denying services or the efficiency of the healthcare sector, a hostile state actor can be seen as subverting the credibility of both the government and NHS Trusts. There is also a possibility that in attacking a healthcare organization that is part of a wider network of infrastructure, it may be possible to pivot to other critical facilities.
This could start with something as simple as an email with a malicious link or document that a healthcare professional clicks on or opens, providing the cybercriminal access to the wider infrastructure. This is a very real possibility, as our recent research found that 25% of healthcare professionals believe their colleagues click on links in emails from unknown sources.
Since the WannaCry attack on the NHS in 2017, the healthcare, pharmaceutical, and biotechnology sectors have been conscious of the possibilities of a ransomware attack. In addition to the loss of sensitive data, ransomware attacks can put the lives of patients at risk.
The race for a vaccine
In addition to the healthcare sector, pharmaceutical and biotechnology organizations are also in a global race to develop cures and vaccines for COVID-19, with an increased reliance on AI within the industry. This can have many benefits, including the acceleration of drug development and the production of medicine. This speed is obviously extremely important now. Despite this, there are also risks with the increased use of AI.
Health technology tools and organizations are more powerful and impactful than ever before, and individuals or organizations within this sector potentially hold the keys to ending the pandemic. As a result, they present more attack surface and more options for adversaries. One example of this technology is the increased use of mobile devices by healthcare professionals. This can provide great benefits such as increased availability and efficiency, but it also increases opportunities for cybercriminals if the devices are not used properly.
Our research found that 81% of healthcare professionals are using corporate devices for personal purposes, which could pose a large cybersecurity risk. This means professionals could be checking emails from compromised inboxes, sending personal emails that may contain bad links, or using online shopping websites that are not secure.
Both biotechnology and pharmaceutical companies have seen an increase in attacks compared to previous years. Reports have found the pharmaceutical industry is now the number one target for cybercriminals globally, especially for intellectual property theft. As these specialized companies move towards increased digitization and a reliance on IT and OT for development, storage, and understanding of more valuable data online, this threat only becomes more real.
Stolen data can either be sold on the dark web or ransomed back to desperate organizations which rely on access to critical documents, such as trial results, patient information, and intellectual property to continue operations.
The medical sector’s increased reliance on AI brings with it an increased number of devices and objects that depend on internet connectivity. This single factor increases the number of potentially vulnerable, exploitable access points for malicious actors. Unlike the many “entertainment” devices that aggregate to form our understanding of the IoT, there are multiple connected medical devices that are often unseen, but vital.
Connected medical devices have obvious benefits for clinicians, medical staff, and patients. These devices can instantly exchange data, or instructions on treatment. But this aspect is where some of the greatest dangers lie as the devices are often involved in critical procedures or treatments. Consequently, interference with the signals to a robotic surgical tool, for example, would potentially have devastating consequences.
Maintaining security through education
It is well documented that healthcare budgets aren’t keeping up with demand, and this may prevent many organizations from maintaining an appropriate and resilient cybersecurity posture. This often results in security policies that cannot keep up, or that are simply not considered during the application, maintenance, and through-life support of digital systems.
Because of this, it is even more important that healthcare professionals are as vigilant to cyber-threats as possible. One small example of cyber negligence can lead to a cybersecurity attack – which happens every week for 41% of healthcare IT managers. These can result in service disruption, potentially postponing treatment for patients; or they can lead to huge amounts of data being leaked to hackers with nefarious intent.
54 percent of Americans have opted for virtual visits during the pandemic, a CynergisTek survey reveals. Of those, more than 70 percent of respondents plan to continue to use telemedicine post-pandemic.
However, healthcare providers should note that privacy and protection of sensitive health data was a major concern for telemedicine users and breaches could prompt patients to switch doctors.
“The rapid growth of telehealth has accelerated to a level we wouldn’t have expected to see over a 10-year timeframe,” said Caleb Barlow, president and CEO of CynergisTek.
“However, major vulnerabilities are emerging around privacy and security standards for video conferencing and messaging apps when used for telehealth (such as consumer technologies like Zoom), which can be easily infiltrated – providing hackers with additional opportunities to breach highly-sensitive information.”
Delaying in-person visits, spurring rise of telehealth
During the pandemic, 56 percent of Americans have considered postponing non-emergency medical appointments until the COVID-19 pandemic ends. When put in a hypothetical situation where they would need medical care during the pandemic, the types of appointments Americans are postponing include:
- Vaccines: 25 percent of Americans would postpone annual vaccines such as a flu shot until the pandemic was resolved.
- Annual physicals: Nearly 40 percent are considering postponing physical exams for adults and child wellness exams.
- Dental and vision exams: 45 percent of consumers said they would postpone their dental/orthodontics check-up amid the COVID-19 pandemic, followed by 43 percent postponing an eye exam.
- Elective cosmetic procedures: More than 40 percent report considering putting off elective cosmetic services and surgeries (e.g., Botox, breast augmentation).
- Elective surgery: 35 percent report considering pushing out surgeries like hip and knee replacements until after the pandemic.
As Americans weigh their comfort level on what medical services require in-person visits with a physician or healthcare provider, telehealth options have skyrocketed as a popular alternative, providing convenience and access at a time when many are canceling appointments out of an abundance of caution.
According to the survey, while 39 percent of Americans opted for in-person visits, more than 54 percent of respondents opted for telehealth options, with phone consultations and video visits being the two most popular. When examining consumers’ willingness to use telehealth post COVID-19, the survey found:
- Of those who have used telehealth options during the COVID-19 pandemic, 73 percent report they will continue virtual visits after the pandemic passes.
- 79 percent of male respondents who have used a telehealth solution during the COVID-19 pandemic will continue using them post-COVID, compared to 67 percent of females.
- Millennials are statistically more likely than any other generation to continue using telehealth options after the pandemic has passed (81 percent), followed by Gen X (79 percent).
- In a hypothetical situation where they needed medical care, 25 percent of Americans would not consider using a telehealth solution for any of the appointments or procedures types presented – this number is significantly higher among Baby Boomers (41 percent) and the Silent Generation (59 percent).
Embracing telehealth and balancing security needs to protect patients
While urgent visits require in-person consultation, Americans are looking to telehealth to fill in the gap for more routine types of care.
In a hypothetical situation where they’d need medical care or advice, nearly 30 percent of respondents would also look to telehealth for chronic care check-ups (29 percent) or annual physical and children’s wellness exams (27 percent).
While patients are embracing telehealth, providers must prioritize security when rolling out phone and virtual services or else they risk potential breaches of sensitive patient data.
A recent report found an increase in nefarious attacks targeting video conferencing tools like Zoom, reinforcing the need for healthcare providers to reassess their security posture and fortify their defenses to reflect this new reality, or risk losing their patients’ trust and business.
48 percent of respondents said they would be unlikely to use telehealth solutions again if their personal health data was hacked due to a telemedicine-related breach.
- Women are less likely than men to use telehealth solutions again if their health information was involved in a telemedicine-related breach (54 percent of women vs. 41 percent of men would not return).
- Baby Boomers and the Silent Generation are the two groups most unlikely to return to telehealth solutions if their data was involved in a telehealth-related breach (62 and 65 percent respectively).
“We find ourselves in a very unique scenario, where consumers had to almost accept telehealth overnight,” said Russ Branzell, CEO of the College of Healthcare Information Management Executives.
“The progress has been amazing to see in creating easier access to care while reducing the burden on both providers and patients. However, we must remain vigilant in our efforts to protect and secure telehealth and other digital health technologies.
“With the opportunities of digital health also come inherent security risks – but digital health’s risks are manageable. It is important for healthcare providers to take data privacy and security seriously in order to ensure that digital health platforms like telehealth remain an essential part of the future of patient care.”
“We appreciate that this is a new development and healthcare providers are balancing all the new demands the pandemic has created,” said David Finn, Executive Vice President of Strategic Innovation of CynergisTek.
“However, the first step is to assess how the data is encrypted and who is authorized to access this data. From there, IT teams should work closely with leadership to fill in the security gaps on telehealth solutions that protect patients while also providing the convenience.”
Anti-vaccine websites, which could play a key role in promoting public hesitancy about a potential COVID-19 vaccine, are far more likely to be found via independent search engines than through an internet giant like Google.
Misinformed while looking for privacy
The study, led by researchers at Brighton and Sussex Medical School (BSMS), showed that independent search engines returned between 3 and 16 anti-vaccine websites in the first 30 results, while Google.com returned none. Lead author … More
This has been a very challenging year. Despite the COVID-19 outbreak starting in the first half of 2020, data analyzed from the Health and Human Services (HHS) Office for Civil Rights (OCR) Breach Portal shows that the number of patient data records breached dramatically declined during the early stages of the pandemic.
Healthcare orgs too busy to report
CI Security analysts’ assessment indicates that the number of breach reports in the first half of 2020 … More