By Isaac Kohen, Teramind
The healthcare sector is in the midst of a digital transformation. Recent years have seen everything from patients’ records to conversations with doctors move from the analog to the digital.
Technology has played a key role in helping medical organizations become more efficient and provide better service to patients. Advances in telehealth services, which let patients receive care from their medical professionals through apps, helped minimize harm during the COVID-19 outbreak, when physical visits to the doctor were limited to the most urgent cases.
However, the move to embrace information technology solutions has not been without its risks. Criminals now target medical data and even hospitals for financial gain, threatening our privacy and safety.
To learn how the healthcare sector can better protect itself and its patients, it is important to understand what the risks are and to define the basic principles of security that are under threat.
Why Do Hackers Target Healthcare?
In targeting the healthcare system, hackers are generally attempting to compromise information that is either itself valuable or can be used to help them gain something of value later. Alternatively, in the case of ransomware attacks, they may be seeking to limit our ability to access information when we need it, potentially putting lives at risk.
But why would someone want to hack healthcare providers? What do they have that is valuable?
For starters, medical records are chock full of valuable personal information. Beyond the content of a person’s health and conversations with their doctor, there are plenty of bits that can be used for fraud and identity theft. Social security numbers, dates of birth, addresses, and family details are just a few examples of personally identifiable information (PII). If hackers succeed in accessing this private data, then its confidentiality, and possibly its integrity, has been breached.
Criminals can use this information to apply for credit cards or loans in someone else’s name, or sell it on the Dark Web for others to do so.
In the case of ransomware attacks, the criminals jump straight to shaking down the healthcare provider for cold, hard bitcoins. Here, hackers infect a hospital’s network and encrypt its data. They then issue an ultimatum to the hospital: either pay a ransom or lose access to the data. Hospitals, under pressure to regain access to avoid impacting patients, will often pay quickly, to the tune of tens if not hundreds of thousands of dollars.
Imagine losing access to important records on medication dosages or other critical care concerns, and it is easy to understand why hospitals find themselves so vulnerable.
As heartless as it is to attack a medical provider, the fact is that they are targeted so often because they are relatively soft targets. In 2016, 88 percent of all ransomware attacks were against hospitals. Healthcare institutions from the small family doctor’s office to the scale of have shown themselves to be woefully unprotected against attacks. The WannaCry attack in 2017, which used a vulnerability in unpatched Windows systems to lock down Britain’s National Health Service, stands as a painful reminder of how even four days of interruptions to services can have a significant impact on the healthcare system.
Security Challenges Facing Healthcare
It is safe to say that security and IT are generally not the primary focus of healthcare organizations. They mostly care about providing quality care for their patients. This means that updating operating systems to the latest secure versions, or putting in place systems to screen incoming email for threats, is not at the top of their list — budgetary or otherwise.
In most cases, attacks are carried out by phishing emails that contain a document or link carrying malicious code. Once that code executes, the hackers gain a foothold from which to launch their malware, harm the local systems, or move to other parts of the network to find something worth stealing.
A degree of social engineering is used to encourage the victim to click on the lure. Healthcare staff, especially in accounting or other public-facing departments, are used to receiving emails with links and documents all the time. In most cases, these are probably invoices, follow-up documents, and other normal files. Defending against phishing is difficult during normal times. During the current pandemic, it has become even harder.
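The lure pattern described above (an invoice-themed message with a document attached, sent from an address that does not quite match the name it claims) can be checked mechanically before a person ever opens it. The following PowerShell function is an added example, not code from the article or from Teramind; the message fields, the list of risky extensions, and the two sample messages are constructed for illustration, and the heuristics are deliberately simple so the logic is easy to read.

```powershell
# Added example: triage heuristics for an inbound message, based on the
# phishing pattern described in the article. Field names, sample messages
# and the extension list below are constructed for illustration.

# Attachment types that can carry executable content (macro-enabled Office
# files, scripts, shortcuts, disk images). Adjust to your environment.
$RiskyExtensions = @('.docm', '.xlsm', '.pptm', '.js', '.jse', '.vbs', '.hta', '.lnk', '.iso', '.exe')

function Test-SuspiciousMessage {
    param(
        # Keys used: From, ReplyTo, DisplayName, Subject, Attachments
        [Parameter(Mandatory)] [hashtable] $Message
    )
    $reasons    = @()
    $fromDomain = $Message.From.Split('@')[-1]

    # 1. Reply-To pointing at a different domain than the visible sender.
    if ($Message.ReplyTo -and ($Message.ReplyTo.Split('@')[-1] -ne $fromDomain)) {
        $reasons += 'Reply-To domain differs from From domain'
    }

    # 2. Display name that embeds an address from another domain
    #    (looks like a known vendor, but was sent from elsewhere).
    if ($Message.DisplayName -match '@') {
        $dnDomain = ($Message.DisplayName -replace '[<>]', '').Split('@')[-1]
        if ($dnDomain -ne $fromDomain) {
            $reasons += 'Display name impersonates a different domain'
        }
    }

    # 3. Attachments with macro-enabled or script extensions.
    foreach ($name in $Message.Attachments) {
        $ext = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
        if ($RiskyExtensions -contains $ext) {
            $reasons += "Attachment '$name' has risky extension $ext"
        }
    }

    # 4. Urgency or payment-change wording typical of invoice lures.
    if ($Message.Subject -match 'urgent|overdue|immediate|wire|payment details') {
        $reasons += 'Subject uses urgency or payment-change wording'
    }

    [pscustomobject]@{
        From       = $Message.From
        Subject    = $Message.Subject
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons
    }
}

# Constructed sample messages: one ordinary invoice, one lure.
$samples = @(
    @{ From = 'billing@vendor.example'; ReplyTo = 'billing@vendor.example';
       DisplayName = 'Vendor Billing'; Subject = 'Invoice 1042';
       Attachments = @('invoice-1042.pdf') },
    @{ From = 'acct@freemail.example'; ReplyTo = 'pay@other.example';
       DisplayName = 'Vendor Billing <billing@vendor.example>';
       Subject = 'URGENT: updated payment details';
       Attachments = @('invoice.docm') }
)

$samples | ForEach-Object { Test-SuspiciousMessage -Message $_ } | Format-List
```

The second sample trips all four checks; the first trips none. In practice these rules belong in a mail gateway or a mailbox rule that quarantines or tags the message for the security team, which is exactly the escalation path the article recommends for staff.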
COVID Adds Complexity
Beyond the direct challenge of caring for those infected with the virus, the system has been under strain to continue providing day-to-day care during the COVID-19 crisis. In practice, this has meant turning to technology like telehealth services that give patients and doctors a way to connect virtually when in-person appointments were too risky.
However, the quick pivot to remote work for the healthcare industry has not been without its challenges. For starters, while many of the platforms established before the outbreak comply with regulations like HIPAA, many others do not.
Platforms like Zoom, which are not encrypted end-to-end, leave confidential communications open to interception by attackers. They may be convenient, but they may lack the necessary security.
There are also concerns about a healthcare worker’s home network or devices, which may not be sufficiently updated or secured.
Given the added complexity of COVID on top of the long-held threats, how can healthcare organizations work to improve their security posture?
3 Basic Tips For Better Security In Healthcare
Everything is hackable with the right amount of time, resources, and determination. But that does not mean that you have to make it easy for the attackers. Thankfully, the vast majority of attacks can be prevented with a few simple measures.
Try these out for your organization, big or small, and you can significantly reduce the risk of a successful breach.
Think Before You Click
Even with the best technical solutions for blocking phishing attacks, your staff is still the final line of defense. Therefore, it is up to you to educate them on how to spot a suspicious email and not automatically open attachments.
Let them know that it is ok to send suspicious emails to the security team, if you have one, for additional inspection. There’s no shame in that, especially since many of these criminals are now sending higher-quality emails, with fewer spelling mistakes and Nigerian prince stories.
If you want to take the extra step for a little more protection, then have your system admin disable PowerShell and macros, as they are the most common ways hackers infect a system. Since most users do not need these features, it is better to deny them to hackers as a vector of attack.
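The following script is an added example of how an admin might apply and then verify the two controls in this tip on a single Windows workstation; it is not code from the article or from Teramind. It assumes Office 2016 or later (policy path version 16.0), must run from an elevated PowerShell session, and in a domain these same registry values would normally be pushed by Group Policy rather than set per machine. Fully blocking powershell.exe for ordinary users is usually done with AppLocker or WDAC, which is outside this example; here PowerShell is hardened by removing the legacy 2.0 engine and turning on script block logging so any remaining use is recorded.

```powershell
# Added example: harden Office macros and PowerShell on one workstation,
# then report the resulting state. Run elevated. Office version path (16.0)
# is an assumption for Office 2016/2019/365.

$OfficeApps    = @('Word', 'Excel', 'PowerPoint')
$OfficeVersion = '16.0'

# --- Macros ---------------------------------------------------------------
# VBAWarnings = 4 disables all macros without notification.
# BlockContentExecutionFromInternet = 1 blocks macros in files that carry the
# "downloaded from the Internet" mark, which is how emailed attachments arrive.
foreach ($app in $OfficeApps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
    Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord
}

# --- PowerShell -----------------------------------------------------------
# Remove the PowerShell 2.0 engine, which predates modern logging and lets
# malware sidestep it, and enable script block logging (Event ID 4104) so
# that any PowerShell still executed is written to the event log.
Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart | Out-Null

$LogKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $LogKey)) { New-Item -Path $LogKey -Force | Out-Null }
Set-ItemProperty -Path $LogKey -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# --- Verify ---------------------------------------------------------------
function Get-HardeningState {
    $rows = @(foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{ Control = "$app macros"; Value = $val; Ok = ($val -eq 4) }
    })

    $ps2 = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root'
    $rows += [pscustomobject]@{ Control = 'PowerShell 2.0 engine'; Value = $ps2.State; Ok = ($ps2.State -ne 'Enabled') }

    $log = (Get-ItemProperty -Path $LogKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $rows += [pscustomobject]@{ Control = 'Script block logging'; Value = $log; Ok = ($log -eq 1) }

    $rows
}

Get-HardeningState | Format-Table -AutoSize
```

A row with Ok = False after running the script usually means the value was overridden by a domain policy or that the session was not elevated; check the same keys under the machine-wide policy path before assuming the setting took effect.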
Verify On A Separate Channel
As mentioned before, social engineering often plays a significant role in attacks, especially when it comes to phishing.
The threat of social engineering is compounded by remote work since it becomes harder to walk down the hall to ask Julie if one of her vendors had mentioned something about changing their payment details.
If someone on your team receives a sketchy email from someone that they supposedly know — particularly one asking them for information, to open something, or even to make a new payment — then make sure that they verify with that person on a different channel from the one that the message came in on.
For example, if Ann gets an email from Bob that looks out of the ordinary, then she should be sure not to reply to that email. Instead, she can call him on his mobile number to verify that it was really him who made the request.
Always Stay Up To Date
One of the simplest ways to guard against hackers is to update your software to the latest version.
Software companies like Microsoft do a lot of work to fix vulnerabilities when they find them and release the fixes in updates and patches. But it is still up to us to do the updates.
If your hospital or office is running unsupported versions of Windows like XP (think WannaCry), then you are far more vulnerable to attack.
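An admin can turn this tip into a quick check that runs on every machine. The function below is an added example, not code from the article or from Teramind: it reports the Windows build, whether that build belongs to a client line no longer receiving security updates, how long it has been since a hotfix was installed, and whether SMBv1 (the protocol WannaCry spread through) is still enabled. The 45-day threshold and the list of unsupported version prefixes are assumptions to adjust for your environment.

```powershell
# Added example: audit patch state on one Windows machine. The day threshold
# and the unsupported-version list are assumptions, not article values.

function Get-PatchState {
    param([int] $MaxDaysSinceUpdate = 45)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Most recent hotfix with a recorded install date.
    $lastFix = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $daysSince = if ($lastFix) {
        (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days
    } else { $null }

    # Kernel version prefixes of Windows XP, Vista, 7, 8 and 8.1, none of
    # which receive security updates any longer (assumed list; adjust).
    $unsupported = @('5.1', '6.0', '6.1', '6.2', '6.3')
    $verPrefix   = (($os.Version -split '\.')[0..1]) -join '.'

    # SMBv1 server state; the cmdlet is missing on very old builds, so
    # report 'unknown' rather than fail.
    $smb1 = try {
        (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch { 'unknown' }

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        OS              = $os.Caption
        Version         = $os.Version
        UnsupportedOS   = ($unsupported -contains $verPrefix)
        LastHotFix      = if ($lastFix) { $lastFix.HotFixID } else { 'none found' }
        DaysSinceUpdate = $daysSince
        UpdateOverdue   = ($null -eq $daysSince -or $daysSince -gt $MaxDaysSinceUpdate)
        SMB1Enabled     = $smb1
    }
}

Get-PatchState | Format-List
```

Any machine reporting UnsupportedOS = True or SMB1Enabled = True is in the same position the NHS systems were in during WannaCry and should be prioritized for replacement or remediation; UpdateOverdue = True on a supported build usually points to a broken or disabled update agent.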
Establishing Trust With Stronger Security
In the years to come, the healthcare industry will continue to become more dependent on IT and larger sets of collected data.
If we manage it well and securely, then there are endless opportunities for creating efficiencies, providing better service, and hopefully reaching better health outcomes for patients. However, this will all depend on gaining the public’s trust with some of their most personal data and, in some cases, their lives.
Therefore, it is important, at this critical juncture when COVID is pushing more healthcare services to embrace digital solutions, that we push for the industry to implement the highest standards of security. This starts with getting the basics right and building the public’s confidence over the long run.
About The Author
Isaac Kohen is VP of R&D at Teramind, a leading, global provider of employee monitoring, insider threat detection, and data loss prevention solutions. He recently authored the e-book: #Privacy2020: Identifying, Managing and Preventing Insider Threats in a Privacy-First World. Follow on Twitter: @teramindco.