Doctors unable to access patient records. Lab work held up. Critically ill patients rerouted. Life-saving wireless medical technology rendered useless in sending real-time data. These are just a few of the real and significant results of cyberattacks on healthcare systems and medical practices. And compounding the catastrophic human impact is the financial and public relations nightmare of redressing and recovering from a security breach.
In late October, the FBI issued a joint alert with two other federal agencies warning of the growing threat of international cyberattacks, particularly of ransomware, targeting the healthcare sector. Coupled with a spike in COVID-19 cases and the heightened stress of this highly politicized time frame, the attacks are calculated to capitalize on an already taxing period to extort the greatest amount of profit for cybercriminals.
The nature of the threat
The October 28, 2020 joint statement, revised on November 2 to include further information on specific types of malware, warns that cybercriminals are targeting healthcare systems with ransomware that infiltrates networks, allowing criminals to steal sensitive data and cause serious disruption to healthcare services.
This wave of attacks is linked to a Russia-based enterprise of cybercriminals using a type of ransomware called Ryuk, which they spread through a platform known as Trickbot. The attacks are often initiated via phishing emails with links to fraudulent websites or with attachments that, once opened, introduce malware to the system.
While the warning indicates that the threat is growing, it isn’t new. In fact, attacks on healthcare systems and medical practices have been on the rise for the past 18 months. In September, an attack crippled all 250 hospitals and facilities run by Universal Health Services, Inc. nationwide.
Local healthcare systems have also experienced security breaches. In February, Monroe County Hospital and Clinics disclosed that their email system was compromised between October 28, 2019 and January 20, 2020, exposing the personal health information and even some Social Security numbers of more than 7,000 patients. And in 2018, hackers had free rein with the internal email accounts of Iowa Health System—doing business as UnityPoint Health—for almost a month. The second cyberattack of the year for UnityPoint Health, this one compromised the data of 1.4 million patients with whom Iowa Health System ultimately agreed to a $2.8M settlement.
What healthcare systems and medical practices can do now
It’s clear the healthcare sector is being targeted, and the high concentration of valuable personal information coupled with the critical importance of the industry to personal and national well-being makes it unlikely that cybercriminals will abandon their attempts anytime soon. But there are measures that healthcare systems and medical practices can take now to mitigate their risk of falling victim to a cyberattack. These include:
- Being diligent and consistent in conducting security risk analyses. The HIPAA Security Rule already requires regular risk analysis, so diligence here serves double duty in ensuring regulatory compliance as well as providing critical and continuous insight into your system’s security status and potential vulnerabilities.
- Fostering a security-conscious work culture. One unwitting click on a malicious link or attachment is all it takes to expose your network to attack. For this reason, it is absolutely essential that all employees and staff be trained on current HIPAA regulations as well as how to be vigilant in observing them with proper protocols for accessing and handling data.
- Implementing strategic control of access to sensitive information. This means restricting access to electronic health records and other sensitive data exclusively to the personnel who directly work with the information. It also means creating a subnetwork for guests, so that visitors have their own Wi-Fi access, separate from your internal network.
- Working with a trusted MSP. A managed service provider (MSP) is a key partner not only in helping your network, hardware, and software to run efficiently, but also in providing cybersecurity to ward off the threats and attacks that can result in data breaches.
The role of managed service providers in supporting cybersecurity
A good managed service provider can be an essential line of defense against cyberattacks by implementing and managing anti-virus, anti-phishing, and anti-spyware measures, as well as a host of other web defense capacities including advanced URL filtering, IP and user-level authentication, real-time threat reports, and more. In a future installment, we’ll delve into these and other cybersecurity functions MSPs can deploy to help healthcare systems face the growing challenges presented by today’s increasingly sophisticated and unscrupulous cybercriminals.
Healthcare and medical practice CEOs are entrusted with the care as well as the personal health information of patients. Both are threatened by cyberattacks, but with the proper tools, training, and cybersecurity partners, the healthcare sector can shore up its defenses and protect its systems from data breaches.