The last thing a health care organization wants to face during the COVID-19 crisis is what happened to the leaders of the Champaign-Urbana Public Health District.
Amid the pandemic, the organization got hacked and was forced to pay a $300,000 ransom to the perpetrators, according to Pew Trusts. The health system’s cyber insurance plan paid most of the ransom while the Champaign-Urbana Public Health District met its deductible. But the point stood: Thanks to the coronavirus pandemic, there was no room for negotiation, and no time to waste.
Quite simply, CEOs can’t afford to forget about cybersecurity issues that could arise while attention and resources are dedicated to fighting COVID-19, Amy Abernethy, MD, Principal Deputy Commissioner, FDA, said at Health Evolution’s Pandemic Response: A Public-Private Call to Action virtual gathering.
“I’m usually the optimist in the room, but we’re seeing more risk of cyberattacks. We’re seeing issues of fraudulent medical products and health care services. We must be able to watch our flanks and recognize that at a time when we’re all focused on a common enemy, other enemies can creep up from the side. We have to make sure that we’re paying attention to that as well,” says Abernethy.
Thanks to the rapid increase of virtual visits and digital innovation, as well as more employees working from home, health care is more exposed to cyber threats than ever before, experts say. It’s not just an issue that should be top of mind for providers, but payers as well. “I can tell you as somebody who runs a health insurance company, we are very keenly aware and concerned about cyberattacks. Cyberattacks are going to happen,” says Pat Geraghty, President & CEO, GuideWell and Florida Blue.
Health care was a vulnerable industry that didn’t invest enough in cybersecurity before the pandemic. One research firm found that 83% of health care systems are running devices with outdated software, which are vulnerable to attack. With those devices now being used at home and for virtual care, health care organizations are at risk more than ever before, and at the worst time possible.
“You have to be vigilant. The bad guys haven’t called a truce. They have increased their attacks,” says John Riggi, AHA’s senior advisor for cybersecurity. What should CEOs be doing to shore up their data security during the pandemic?
Be vigilant about phishing
Phishing attacks will be an increased threat during the COVID-19 pandemic because local and federal government information is crucial and time sensitive. In essence, hackers are banking on organizations to let their guard down, says Troy Young, chief technology officer at AdvancedMD.
“Phishing is always going to be an extremely powerful tool for the bad guys. What’s different about COVID-19 is the way users respond. Everyone is getting urgent messages from the CDC and government organizations that are legitimate. Because we expect those messages to come, I think more and more people will fall for these phishing attacks,” says Young. “We need to be even more vigilant than we have in the past.”
Riggi says he’s seen an increase in phishing emails that contain malware since COVID-19 started. Perpetrators are offering links to scarce supplies, such as personal protective equipment, and targeting an organization’s supply chain. He says CEOs must ensure employees are continuously trained, communicated to and tested on phishing. Caleb Barlow, CEO of CynergisTek, a security firm, says records with “about 1.4 million doctors’ contact information” were sold on the dark web and used for phishing purposes in the last week alone.
Ensure safety for ventilators/life-saving devices
In America, there have been numerous attempts at ransomware attacks on ventilators and life-saving devices at hospitals, Riggi says. None of them have been successful yet, but in the Czech Republic, a cyberattack forced a hospital’s computer system to shut down.
One of the top priorities for hospitals, Riggi says, is to focus on updates and vulnerabilities of network-connected and network-capable ventilators, and other mission-critical life-support medical devices.
Address telehealth vulnerabilities
With hospitals and health care organizations utilizing telehealth at a rapidly increasing rate, the same protections that are needed for ventilators and life-saving devices will be necessary when running virtual care initiatives.
“We’ve accelerated telehealth usage by five to 10 years,” says Barlow. “Regulators have put aside the traditional security concerns with telehealth on a temporary basis, but I don’t think that genie is ever going to go back in the bottle. It’s great from an innovation standpoint, but the security needs to rally quickly and close any vulnerabilities associated with that software.”
Secure remote workers
Many health care organizations have sent non-clinical staff home to work remotely through this crisis. This adds another security vulnerability. One of the biggest challenges for all health care software-related vulnerabilities is organizations using outdated operating systems, such as Windows 7, that don’t have security updates anymore.
If a device or computer is running an outdated operating system, for instance, Riggi suggests network segmentation and separating those systems from the main network. This concept of network segmentation can also be used to separate different areas of the hospital, Barlow says, such as critical departments that need to be doubly protected. Riggi recommends health care organizations have two backups of their systems: one on premises and one in the cloud.
“We’re all operating outside the corporate firewall, so we need to put a protection from the actual endpoint that we’re working on at home,” Barlow says.