With the outbreak of the novel coronavirus crisis, hackers smell blood in the water. Focused on addressing the crisis, already stretched super thin, and forced to improvise at each new turn, healthcare organizations in particular present an attractive target for hackers.
The situation has not been helped by the frenzied push for process and infrastructure digitization to support a rapid increase in telemedicine capabilities. This ramping up of telemedicine is viewed as a key measure toward pandemic preparedness and management. The goal is two-fold:
- Effectively increase care capacity by ridding care centers of patients who don't need emergency or intensive care.
- Reducing to a minimum the unnecessary congestion of clinics and, in so doing, limiting some of the most likely and dangerous vectors of transmission.
In those respects, the accelerated adoption of telemedicine is a decidedly good thing. On the other hand, almost by definition, more digitization means a wider attack surface. On top of that, the fact that adoption in this case has been so rushed means that many of the supporting IT systems have been erected on the fly, without the normal design process and without due security consideration.
Of course, the core issue of unsecured and undersecured connected medical and IoT devices is not limited to telemedicine. Indeed, ever since the Wannacry attacks thrust the issue to prominence in 2016, it's been a frequent topic of conversation among both cybersecurity professionals and healthcare leaders. Nonetheless, the current circumstances certainly elevate the risk.
In addition to vastly expanded telemedicine systems, hospitals also need to contend with the security complications that arise from connecting temporary and field hospitals to the organization's data infrastructure as well as an army of now remote workers.
If that weren't enough to deal with in the midst of a protracted public health crisis, healthcare administrations face threat actors more aggressive and more highly motivated than ever before.
Growing Threats, Rising Stakes
Since the novel coronavirus first began spreading internationally in early 2020, organizations across the globe have reported a dramatic increase in attempted cyberattacks. The state of anxiety gripping the public provides fertile ground for bad actors to sow cyber traps.
For example, in the early stages of the pandemic — when information was somewhat scarce and the demand for it extremely high — spikes in searches around specific keywords were easy to predict. Cyber criminals acted on that knowledge and set up websites using those keywords to take advantage of the situation. In the context of an emerging global crisis — feeling panicked and starved for information — even when a website doesn't quite look right, people are more likely to suspend their suspicion and click through anyway.
Setting the stage for a possible windfall of ill-begotten gains, tens of thousands of domains with names related to COVID-19 have been newly registered. Of those, more than 20% are considered suspicious and 2% have been confirmed to be outright malicious.
Attackers have also looked to digitally impersonate trusted government and non-governmental organizations in ploys designed to extract people's personal information.
With the pandemic shutting down much of the global economy, governments have responded with massive stimulus packages. In the US, for example, the government's CARES Act has allocated $2 trillion worth of support. In order to expedite the distribution of stimulus funds, governments all around the world have opened dedicated websites through which businesses and private citizens are encouraged to apply for relief. Here too, bad actors have not hesitated to take advantage, creating malicious websites that spoof government pages and relief application portals. Users who visit these malicious domains instead of the official government ones risk having their personal information stolen — including bank account details.
Another tactic used to take advantage of public anxiety over the pandemic and thirst for information is the use of COVID-19 maps to distribute malware.
The cumulative impact of all these newly available and uniquely effective attack paths adds up quickly. Compared to pre-crisis levels, cyber crime reports are up between 300% and 400% — with healthcare being disproportionately targeted. Further quantifying the impact, Google placed the number of malware and phishing emails related to COVID-19 in April at an average of 18 million per day!
Phishing attacks in particular have seen a dramatic uptick on the back of the novel coronavirus, with Checkpoint estimating that more than 90% of all COVID-19 themed attacks are phishing based. It probably doesn't come as much of a surprise, but the fact is that in times of uncertainty, chaos, and confusion, people don't really know what to expect and are therefore considerably more receptive to phishing. Under normal circumstances, for example, you might never expect to receive an email from the CDC; in the midst of a pandemic, however, you might not think twice before opening the email and clicking its link.
Perhaps even more concerning, in addition to the usual criminal element, it is believed that nation states are ramping up their offensive cyber activities in the hopes of securing access to research around treatment and vaccine efforts that other governments might not be sharing.
Western governments have publicly acknowledged this threat, warning healthcare leaders to assume a general and sustained posture of vigilance as APT groups target healthcare and research institutions to steal information about efforts to contain COVID-19. In the U.S., for example, active investigations have been announced into a number of incidents involving pharmaceutical companies, research institutions, and universities.
Recently one of the largest COVID-19 testing facilities in the Czech Republic came under attack and was forced to shut down for a week. In another case, police in Romania arrested a group of hackers as they prepared to unleash a string of ransomware attacks on local hospitals.
In the UK, Hammersmith Medicines Research suffered an attack that resulted in some disruption as well as data exfiltration. In the US, though details remain sparse, we know that at least ten different healthcare organizations were attacked in March. (As it happens, March has so far represented the peak of the coronavirus crisis, from a cyber perspective.)
In June, the University of California San Francisco (UCSF) was attacked by the Netwalker criminal gang and extorted to the tune of $1.14 million.
Of note is the fact that the medical research arm of UCSF has been working on a cure for COVID-19. It's also worth noting that Netwalker has been linked to at least two other ransomware attacks on universities in the preceding two months.
So, while the rest of us suffer through a pandemic and the beginnings of a certain economic disaster, cyber criminals are in the midst of a bonanza. And it's easy to understand why. Under normal circumstances, healthcare organizations can ill-afford down time. In the midst of the current crisis, the criticality of uninterrupted operability is only heightened.
An Expanded Cyber Attack Surface
For hospitals needing to find a way to move non-essential workers and non-critical patients off premise, the novel coronavirus has given digital transformation programs a double shot in the arm.
When it comes to patient care, telehealth-powered virtual visits and remote monitoring are seen as the most effective and most accessible means to decongest care centers — moving routine consultations off site, expanding outpatient capabilities, and shortening in-patient recovery times.
In fact, Forrester Research puts virtual healthcare interactions on pace to exceed last year's total by more than 5X — topping out at nearly 1 billion by year’s end. And that estimate may actually turn out to be on the lower end.
Consider, for example, that prior to the pandemic, the all-time high for virtual doctor's visits in a day at Stanford Children's Health stood at 35. During the early days of the COVID-19 crisis, though, it reached 500.
For another example, consider the fact that, over the course of March, the Cleveland Clinic saw its telemedicine appointments skyrocket — increasing by more than 1,700% and totaling over 60,000.
Over the same period of time, tele-visits to the Mayo Clinic were said to have increased 10X.
By the end of March, NYU Langone Health had seen its daily average tele-visits go from around 50 to around 900.
Though we're definitely seeing a disproportionate increase in telemedicine among the larger healthcare delivery organizations with greater resources, it's fair to say that the trend is significant across the board. Perhaps what's most interesting about this rapid embrace of telemedicine though is that most in the industry see the effects of the crisis as more of a tipping point for a shifted healthcare paradigm rather than a temporary departure from the norm.
In addition to the investments made and commitments demonstrated by the healthcare organizations themselves, the US government has also busied itself in the embrace of telemedicine — among other things, authorizing an expansion of Medicare to cover telehealth services and establishing an FCC fund to grow hospitals' tele-capabilities in the face of the pandemic.
The private sector has also made a point of hitching its wagon to the tele-horse, with several large health insurers even going so far as to waive copays in an effort to encourage tele-visits.
To help accelerate the desired shift to digital patient throughput capacity, the Department of Health and Human Services went so far as to announce a policy of temporary "enforcement discretion" of HIPAA's Security Rule with regard to telemedicine. According to an HHS statement on the matter, "OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency."
The HHS statement goes on to further explain, "Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications."
While these efforts are hugely encouraging from a "get it done" point of view, they also leave serious concerns for the long-term security and infrastructural integrity of the healthcare system's telemedicine offering. To make things run smoothly on the frontend of telemedicine, there's a lot of design and development that's needed on the backend and that needs to be highly secure, highly integrative, and highly interoperable.
When systems are thrown together in a hurry, that backend is likely to be a lot less thoughtfully engineered and more problems are going to crop up over time. That's especially true when these systems are built to temporarily diminished standards. While the regulatory leniency will surely fade, the systems themselves will endure — possibly on compromised foundations.
When building out or expanding their telemedicine services, hospitals need to create patient portals that facilitate patient-physician communications, allow users to request and receive prescriptions, provide access to test results and relevant patient files, schedule appointments, and more.
Standards and requirements need to be set out and an enforcement framework should be devised. Patient cameras may need to meet minimum hardware requirements, for example, to ensure image quality and avoid liability issues around doctors missing important diagnostic indicators because of pixelation.
The system needs to be able to process new users and properly handle intake documentation prior to virtual visits. There should be some sort of guided screening process where users answer a series of questions so that the severity/urgency of their condition can be assessed and so that they can be assigned to specialists/generalists as needed.
Databases need to be built for the system and integrated into the hospital's and possibly the EMR provider's network architecture. Segmentation and isolation regimes will need to be updated with a context-aware view of required and appropriate telehealth workloads. Files will need to be synced and synthesized across systems, and access privileges may need to be extended — including to third parties. Primary care physicians will need access to updated records and patient notes, and the system will need to allow for real-world care coordination.
Third-party partners and service providers need to be identified and their technologies need to be worked into the televisit user flow. Servers need to be provisioned and configured appropriately. Video conferencing suites may need to be built. Connectivity infrastructure and services may need to be bolstered to ensure the necessary internet bandwidth.
Call/support centers will need to be set up to receive inquiries and assist users. Staff will need to be trained to run those centers. The system will also need to integrate follow-up and remote patient monitoring capabilities.
That's a lot to account for and an especially tall task when making sure it's all done in a manner commensurate with maximal reliability, privacy, and security. When projects of this sort are being completed in weeks rather than months and on top of other chaotic projects like pop-up testing centers, isolation ward conversions, and improvising temporary field/overflow hospitals, it's very unlikely that all your boxes will get checked.
More often than not, when something's gotta give on IT projects, it's security. Even if that weren't the case, though, this increase in healthcare digitization would already constitute an expanded attack surface simply by virtue of the fact that there are more points of digital connection and interaction that need to be secured.
Add to that the involvement of third-parties and off-prem patients — the security of whose policies and devices you can neither vouch for nor control — and it becomes quite clear that no matter how you cut it, the rapid embrace of telemedicine has placed hospitals into a far riskier cyber landscape.
Distracted Defenders Must Take a Practical & Prioritized Approach
Hospital staff are busy and tired and already summoning all the vigilance they can muster for other tasks. It's understandable that cybersecurity might not remain top of mind, and there may be a prevailing sense that, at least for the time being, standard operating procedures and organizational precautions can fall by the wayside.
Unfortunately, though, in the context of the coronavirus crisis, hospitals are more targeted and more exposed than ever before. As such, administrators are struggling to prevent a dangerous drop-off in cyber hygiene and mindfulness.
The lion's share of cybersecurity responsibility does not belong to staff, but to administrators. And there are a great many steps that administrators can and should take to secure their telemedicine services.
The following measures are recommended:
- Map regulatory requirements to the specific practices, processes, and functional structures you will need to embed in the backend of your telemedicine offering.
- Identify any additional tools or technologies that will need to be developed or procured.
  - Bear in mind that even when regulatory enforcement is relaxed during a crisis, enforcement will eventually return and your systems will need to comply.
- Introduce the matter of design- and process-level security early in the vendor selection process.
  - Vendors should be pressed to provide assurances of built-in security best practices and ongoing support in service level agreements.
  - An independent assessment of each vendor's cybersecurity and compliance risk posture should be conducted and weighed prominently in the selection criteria.
- Make sure you have strict business associate agreements (BAAs) in place for third-party technology/service partners and providers.
  - This holds those partners and providers accountable for the HIPAA compliance and security best practices of their activities and technologies.
- Provide dedicated devices for physicians to use for telemedicine purposes.
  - Configure dedicated telemedicine devices restrictively to block user downloads, internet browsing, and email clients.
  - These devices should be furnished with only the software and applications required for their intended use.
- Identify and remove external/third-party connections to the network's telehealth segments that are not operationally required.
- Be sure to have web application firewalls in place and properly configured.
- Consider restricting telehealth connectivity to whitelisted application and server ingress/egress points that are confirmed legitimate and necessary.
- Schedule semi-regular meetings between application owners, IT, and security teams to track dependencies and ensure fully patched, maintained, and interoperable functionality.
- Configure dedicated telemedicine devices for remote, centrally orchestrated update and security management.
- Confirm that telemedicine services use legitimate, secure, up-to-date/patched, and properly configured VPNs.
- Carefully document any standard policy deviations or leniencies that have been allowed in the effort to rapidly expand telemedicine services to meet the demands of the pandemic.
  - This is important so that when the situation calms and stricter governance is restored, managers will know precisely where to focus their efforts and what actions to take.
- Review, update, and validate all relevant policies, including access control, acceptable use, and password protection/authorization.
- Tag telemedicine hosts/endpoints for NAC-level monitoring and regular activity log review.
Of course, no telemedicine infrastructure exists in a vacuum and it's important that organization-wide security-forward practices be put in place and complemented by strong policies. The staff should be trained not only on how to responsibly use new telemedicine tools and systems, but generally on the basic principles of cybersecurity.
Training should cover the basics of good credential management, how to spot threats, what to do and who to contact if you engage with suspicious material, restricting browser use on purpose-specific devices and clinical assets, enforcing physical access controls, resisting social engineering ploys, and so on. As a rule, healthcare cybersecurity is really only as strong as its weakest link, so it's vital that your staff not amplify any faults in your systems and infrastructure.
Securing Healthcare Networks More Generally
Among the most fundamental steps to improving security posture across the board is defining risk-aware micro-segments throughout the network.
Unlike legacy perimeter cybersecurity paradigms, micro-segmentation assumes threats are everywhere — including within the network. A micro-segmented approach draws new perimeters internally around strategic network entities that share similar risk profiles so that even when breaches occur, intrusions can be contained and the spread of malicious content and illegitimate privileges halted.
Because they share a fairly distinct risk profile, the network entities directly related to telehealth services should be isolated from the broader network and in many cases from each other according to device and application type groupings.
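A minimal illustration of that grouping logic as a default-deny policy check, added here as an example rather than anything from the article; the inventory, segment names, allow rules and flows are all constructed:

```python
"""Added example, not from the article: a default-deny micro-segmentation
check for telehealth network entities. Devices are grouped by segment and
device type; only explicitly allowed (src segment, dst segment, port)
tuples may cross a boundary, and everything else, including traffic
between peers inside one segment, is denied and reported. The inventory,
segment names, allow rules and flows are all constructed."""
from collections import namedtuple

Device = namedtuple("Device", "name ip segment dtype")
Flow = namedtuple("Flow", "src dst port proto")

# Constructed inventory: telehealth assets sit in their own segments, apart
# from clinical data stores and other connected medical devices.
INVENTORY = [
    Device("tele-cam-01", "10.10.1.11", "telehealth-devices", "camera"),
    Device("tele-ws-01", "10.10.2.21", "telehealth-workstations", "workstation"),
    Device("tele-ws-02", "10.10.2.22", "telehealth-workstations", "workstation"),
    Device("video-gw-01", "10.10.3.5", "telehealth-video", "video-gateway"),
    Device("emr-db-01", "10.20.0.7", "clinical-data", "database"),
    Device("infusion-03", "10.30.4.9", "medical-devices", "infusion-pump"),
]

# Cross-segment allow-list, each entry tied to a business reason; anything
# absent from this table is denied by default.
ALLOW = {
    ("telehealth-workstations", "telehealth-video", 443): "video sessions",
    ("telehealth-devices", "telehealth-video", 443): "camera upload",
    ("telehealth-workstations", "clinical-data", 5432): "EMR lookups",
}

def build_lookup(inventory):
    """Index the inventory by IP so flows can be resolved to devices."""
    return {d.ip: d for d in inventory}

def evaluate(flow, lookup, allow=ALLOW):
    """Return (verdict, reason) for one flow under default-deny rules."""
    src, dst = lookup.get(flow.src), lookup.get(flow.dst)
    if src is None or dst is None:
        return "deny", "endpoint not in inventory"
    reason = allow.get((src.segment, dst.segment, flow.port))
    if reason:
        return "allow", f"approved cross-segment rule: {reason}"
    return "deny", f"no rule for {src.segment} -> {dst.segment}:{flow.port}"

def audit(flows, inventory=INVENTORY):
    """Evaluate every flow; the denied entries are what a reviewer chases."""
    lookup = build_lookup(inventory)
    return [(f, *evaluate(f, lookup)) for f in flows]

# Constructed flows: two legitimate, four that a flat network would permit.
SAMPLE_FLOWS = [
    Flow("10.10.2.21", "10.10.3.5", 443, "tcp"),    # workstation -> video gateway
    Flow("10.10.2.21", "10.20.0.7", 5432, "tcp"),   # workstation -> EMR database
    Flow("10.10.2.21", "10.10.2.22", 445, "tcp"),   # workstation -> peer workstation
    Flow("10.10.1.11", "10.30.4.9", 445, "tcp"),    # camera -> infusion pump
    Flow("10.10.3.5", "10.20.0.7", 22, "tcp"),      # video gateway -> database
    Flow("192.0.2.10", "10.10.2.21", 3389, "tcp"),  # unknown host -> workstation
]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.port}  {reason}")
```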
In addition to micro-segmentation, it is further advised that hospitals investing in telemedicine programs reexamine and reinforce their existing network security practices with respect to the broader operation. The following best practices are recommended:
- Take and maintain an accurate inventory of the organization's device fleet.
  - This inventory should be detailed and include device characteristics such as location, vendor, model, version, hardware IDs, device type, operating system(s), patch status, antivirus status/compatibility, assigned VLAN/network segment, connectivity and port configurations, and network-adjacent devices.
- Review the fleet inventory against known vulnerabilities and security updates using threat intelligence and vendor advisory feeds.
  - When vulnerabilities/updates are found to be applicable, ensure all affected devices are scheduled for update/mitigation at the nearest possible operational allowance.
- Make sure network firewalls are up to date and properly configured.
  - Wherever possible, NGFW features should be enabled to provide cloud access security broker, drive-by download, and malware sandboxing protections.
  - Firewall rules should be regularly updated to block known malicious IP addresses.
  - Consider extending automatic restrictions based on the associated threat level of IPs from specific geographical blocks.
  - Consider shifting to a zero-trust model and blocking connections by default — only permitting connections that are pre-approved for a valid business reason.
  - If the above is deemed too extreme, then consider blocking uncategorized URLs to limit access to newly created sites (i.e. those least likely to have legitimate use and most likely to be malicious).
- Survey the network to confirm that device-compatible antivirus software is installed and current for all relevant agents.
- Utilize passive scanning technology to check that sensitive or vulnerable assets are not externally exposed.
- Identify remote vendor access channels and whitelist them.
  - If possible, restrict remote access beyond the identified vendor channels and internally validated/whitelisted connections.
- Leverage intrusion detection and intrusion prevention systems to patrol the network for attack indicators.
  - Update signatures to detect and block malicious files or traffic.
- Routinely monitor remote access, firewall, MFA, server, NAC, and AD/LDAP/CAS logs for signs of suspicious activity.
- Establish network traffic baselines and monitor for deviations.
  - Create an automated alert and notification system so that when deviations are detected, the relevant parties can be notified and investigations can be launched.
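As an added example (not from the article) of the last points on log monitoring, traffic baselines and automated alerting, the following builds a per-host baseline from constructed flow-log lines, flags deviations, and routes each alert to a team; the log format, z-score threshold and routing table are assumptions for illustration:

```python
"""Added example, not from the article: baseline per-host traffic from
constructed flow-log lines, flag deviations, and route alerts to teams.
Log format ("<epoch> <src_ip> <dst_ip> <dst_port> <bytes>"), thresholds
and the routing table are assumptions for illustration."""
import statistics
from collections import defaultdict

# Constructed "known good" period used to learn each host's normal behaviour.
BASELINE_LOG = """\
1000 10.10.2.21 10.10.3.5 443 52000
1060 10.10.2.21 10.10.3.5 443 48000
1120 10.10.2.21 10.20.0.7 5432 3100
1180 10.10.2.21 10.10.3.5 443 51000
1240 10.10.2.21 10.20.0.7 5432 2900
1000 10.10.3.5 10.10.2.21 443 210000
1060 10.10.3.5 10.10.2.21 443 190000
1120 10.10.3.5 10.10.2.21 443 205000
"""

# Constructed later period: one large transfer to an address never seen before
# and one SMB attempt toward a medical-device address the workstation never used.
OBSERVED_LOG = """\
2000 10.10.2.21 10.10.3.5 443 50000
2060 10.10.2.21 203.0.113.9 443 2500000
2120 10.10.2.21 10.30.4.9 445 1200
2180 10.10.3.5 10.10.2.21 443 200000
"""

# Which team is notified for each alert kind (assumed routing).
ROUTING = {"new_peer": "network-security", "volume_spike": "soc",
           "unbaselined_host": "asset-management"}

def parse(log):
    """Turn log text into (ts, src, dst, port, bytes) tuples, skipping blanks."""
    out = []
    for line in log.splitlines():
        if line.strip():
            ts, src, dst, port, nbytes = line.split()
            out.append((int(ts), src, dst, int(port), int(nbytes)))
    return out

def build_baseline(records):
    """Per source host: set of (dst, port) peers plus mean/stdev of bytes sent."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for _, src, dst, port, nbytes in records:
        peers[src].add((dst, port))
        sizes[src].append(nbytes)
    return {h: {"peers": peers[h], "mean": statistics.mean(sizes[h]),
                "stdev": statistics.pstdev(sizes[h])} for h in peers}

def detect(records, baseline, z_threshold=3.0):
    """Flag hosts with no baseline, unseen peers, or transfers far above the mean."""
    alerts = []
    for ts, src, dst, port, nbytes in records:
        b = baseline.get(src)
        if b is None:
            alerts.append({"ts": ts, "host": src, "kind": "unbaselined_host", "detail": ""})
            continue
        if (dst, port) not in b["peers"]:
            alerts.append({"ts": ts, "host": src, "kind": "new_peer", "detail": f"{dst}:{port}"})
        if b["stdev"] > 0 and (nbytes - b["mean"]) / b["stdev"] > z_threshold:
            alerts.append({"ts": ts, "host": src, "kind": "volume_spike", "detail": f"{nbytes} bytes"})
    return alerts

def notify(alerts, routing=ROUTING):
    """Pair each alert with the team that should investigate it."""
    return [(routing[a["kind"]], a) for a in alerts]

if __name__ == "__main__":
    found = detect(parse(OBSERVED_LOG), build_baseline(parse(BASELINE_LOG)))
    for team, a in notify(found):
        print(f"[{team}] t={a['ts']} host={a['host']} {a['kind']} {a['detail']}")
```

A real deployment would learn the baseline over days rather than a handful of records and key it on more than bytes per flow, but the shape of the check is the same.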