Managing Cyber-attacks through the Remote Work and Telehealth Explosion
The pandemic of 2020 accelerated digital transformation for nearly every industry sector, but none more acutely than healthcare, and healthcare providers in particular, who were thrust into its epicenter.
Cybersecurity leaders and teams have been caught in a web of rapidly changing infrastructures, expanding attack surfaces, and the triage of infected patients.
Remote work and telehealth were forced elements of the transformation hospitals undertook over the past year: they had to provision these services rapidly, often at the expense of securing their networks against cyber-attacks. As noted in the Wall Street Journal this week, “a constantly changing mix of office and remote workers, devices that move in and out of the company networks, and cybersecurity staffs stretched thin … is a hacker’s dream.”
As a result, hospital IT and security staff face a new wave of concerns: the very devices hospitals used to deliver remote services to staff and patients are now raising the risk of breaches at an alarming rate.
Unlocking the back door?
To provide remote work or telehealth options, hospitals must rely on technologies that allow communications with staff or patients.
Remote staff and patients typically rely on consumer-grade devices, home networks and off-the-shelf communication applications that are not held to the security controls required inside a hospital. This includes readily available applications such as Zoom, FaceTime, Google Hangouts, or Skype.
Recognizing this, and the urgency for hospitals to offer telehealth services during a public health emergency, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights announced that it would exercise enforcement discretion and not impose penalties against providers using non-public-facing audio or video communication products in good faith, even where those products do not fully comply with the regulatory requirements under HIPAA.
While relaxing enforcement has made it far easier for hospitals to offer telehealth services, it potentially “unlocks the back door” for threat actors to gain unauthorized access to the hospital’s network and to protected health information (PHI).
Hospitals have been cautioned
In October 2020, the FBI, CISA, and HHS published joint alert AA20-302A, which warned of malicious cyber actors targeting the healthcare and public health sector with ransomware.
Healthcare Delivery Organizations (HDOs) have become a primary target for ransomware attacks because they operate in a 24x7x365 environment in which any downtime has immediate consequences. Losing access to patient records, or even the ability to operate life-saving medical devices, puts patient health and safety at risk.
Knowing this, threat actors expect that HDOs are far more likely to pay a ransom quickly to restore operations and regain access to this critical data.
It should come as no surprise that ransomware attacks against healthcare organizations rose by 123% in 2020, resulting in nearly $21 billion in downtime costs and over $2 million in ransoms paid.
This trend is expected to continue, as the demand for telehealth services increases. According to the CDC, 95% of all HDOs studied during 2020 reported offering telehealth services to patients.
Given how many applications now touch healthcare data, the next normal for hospitals will be protecting not only their clinical networks from cyber-attacks, but also the new risks that fall outside their traditional scope, such as remote work and telehealth services.
The sheer number of devices and people that may connect to an organization’s network presents a significant security risk.
Chief among the concerns is not knowing which devices are present on the network, and whether those devices meet HIPAA security requirements, regardless of the relaxed enforcement observed during the pandemic. Numerous recent studies have shown that a large share of medical and IoT devices have severely weakened security because they run outdated, often unpatchable operating systems and frequently transmit data unencrypted.
While strategies for combating cybersecurity vulnerabilities are critical, getting full buy-in throughout the organization is essential. That starts at the top, with leadership creating a culture that encourages end users to participate.
Healthcare C-suite executives should make it a point to invest in cybersecurity training and solutions that protect their clinical networks, their patients’ information, and their patients’ safety.
Above all, hospitals need to recognize that as their technologies and networks evolve, so do the methods and sophistication of the attacks against them.
Staying vigilant and informed will help hospitals evolve their cybersecurity posture and ensure the continued safety of staff and patients.
For More Information:
If you want to learn more, the following resources are available for reference.
- Video – Use case: Hackers take advantage of remote work processes
- Brochure – CyberMDX Healthcare Security Suite
- Case study – CISO of Metro Health Secures All Devices