The main focus of healthcare cybersecurity has typically revolved around protecting the confidentiality, integrity and availability of information. However, the focus now for many healthcare organizations is on availability of information in light of the COVID-19 pandemic.
But how much availability is too much availability? If a healthcare organization is lax about its cybersecurity protections, it does not really matter how available systems, networks and information are, as threat actors are always looking for ways to infiltrate healthcare organizations. Lax healthcare cybersecurity makes organizations low-hanging fruit. This, in turn, translates into less assurance that information remains confidential and has integrity. In other words, there is relatively little assurance that the information has not been tampered with. Threat actors are well aware that many healthcare organizations have lowered their shields.
Relatively few healthcare organizations have robust incident response, business continuity and disaster recovery plans. A lax incident response program means that healthcare cybersecurity incidents are not blocked and tackled as quickly as possible. This can lead to adverse impacts on information, systems and networks when significant security incidents occur.
Financial information, patient information and intellectual property may be stolen by the threat actors. The latter is especially of concern for healthcare organizations that are treating COVID-19 patients and/or developing vaccines to help combat the virus, as progress may be hampered or stalled as a result.
Poor business continuity and disaster recovery programs mean that a significant security incident that severely disrupts business, IT operations and/or clinical care may adversely impact the organization, which may experience more downtime as a result of the event.
For these reasons, more aggressive ransomware campaigns are predicted in the near future. More ransomware operators are stealing information and then encrypting it. The stolen information is used as leverage to coerce payment of the ransom with the ransomware operators threatening to leak the information. This coercion results in more ransom payments occurring, thus significantly benefiting ransomware operators. A successful ransomware attack can cripple systems and networks and significantly interfere with IT operations and clinical care.
The most important element of a healthcare cybersecurity incident response plan is the human element. Effective, clear and timely communications are essential for ensuring that incident response is swift and appropriate. Ensuring that all employees have resources that educate them on policies, procedures and whom to contact for which issue is critical when planning your incident response strategy.
With more people working from home, the ability to “trust but verify” has diminished and phishing attacks have significantly increased. Colleagues are no longer able to pop their head into an office to confirm or verify transactions. The best way to verify a potentially suspicious or unusual request, after all, is with an out-of-band communication. For example, if a suspicious email that appears to come from a colleague is received, then instead of responding to the email (or clicking on any links or opening any attachments), calling that individual by telephone or reaching them by another method (such as a collaboration application) may be a better way to find out whether the communication or request is authentic.
Remote access server attacks have been on the rise with more people working from home. These servers may be compromised and used as a means of pivoting to other parts of the network (and the machines and devices connected to it). This problem is further exacerbated in that many users tend to use weak passwords that are easy to guess and/or reuse passwords. As a result, it is quite common for passwords to be compromised by way of a dictionary attack or a brute force attack. Further, threat actors do take note of passwords that have been previously leaked or breached. These passwords can be tried again to see whether any of them work when trying to gain access to a remote access server.
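A defender can watch a remote access server's authentication events for the two patterns this describes: repeated guesses against one account, and one source trying many accounts. The sketch below is an example added here, not code from the article; the log format, thresholds, account names and addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events for a remote access server (not taken from the article).
# Assumed format: timestamp, result, user=<account>, src=<source IP>.
SAMPLE_LOG = "\n".join(
    [f"2020-04-02T08:00:0{i}Z FAIL user=jsmith src=203.0.113.7" for i in range(5)]
    + ["2020-04-02T08:00:09Z OK user=jsmith src=203.0.113.7"]
    + [f"2020-04-02T09:15:0{i}Z FAIL user={u} src=198.51.100.23"
       for i, u in enumerate(["alee", "bwong", "cdiaz", "dpatel"])]
    + ["2020-04-02T10:30:00Z FAIL user=mgarcia src=192.0.2.10",
       "2020-04-02T10:30:20Z OK user=mgarcia src=192.0.2.10"]
)

def parse(line):
    """Split one event line into (timestamp, result, account, source)."""
    ts, result, user, src = line.split()
    return ts, result, user.split("=", 1)[1], src.split("=", 1)[1]

def analyze(log, fail_threshold=5, spray_threshold=4):
    """Return ordered, de-duplicated findings as (kind, source, account)."""
    fails = defaultdict(int)      # (source, account) -> failed logons
    targeted = defaultdict(set)   # source -> accounts it failed against
    suspicious = set()            # sources that crossed either threshold
    findings = []

    def report(kind, src, user):
        if (kind, src, user) not in findings:
            findings.append((kind, src, user))

    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, result, user, src = parse(line)
        if result == "FAIL":
            fails[(src, user)] += 1
            targeted[src].add(user)
            if fails[(src, user)] >= fail_threshold:
                suspicious.add(src)
                report("guessing_one_account", src, user)
            if len(targeted[src]) >= spray_threshold:
                suspicious.add(src)
                report("many_accounts_one_source", src, "*")
        elif result == "OK" and src in suspicious:
            # A success right after guessing is the event to escalate first.
            report("success_after_guessing", src, user)
    return findings
```

The single mistyped password followed by a success (`mgarcia`) produces no finding, while a success that follows a run of guesses is reported separately so it can be escalated and the password reset.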
With this, healthcare cybersecurity requires organizations to scrutinize the resources—and assets—used by workforce members who are working from home. Further, identity governance, identity management and lifecycle management must also be carefully provisioned to ensure that proper access is appropriately granted and revoked in a timely manner.
As a prerequisite to this, healthcare organizations must know exactly who their employees, contractors and volunteers are, and who needs access to what and when. Human resources related information, such as name, title, department and role, must be clear and consistent. When access is granted, it must be granted with the principle of least privilege in mind. Any privileged accounts should also be proactively managed and monitored. Multi-factor authentication should be deployed as widely as possible as well. In essence, a robust identity and access management solution must be deployed and, in preparation for the foregoing, robust planning must occur.
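The access review this implies can be run as a reconciliation of accounts against the HR roster. The following is an added example, not code from the article; the roster, role baselines, entitlement names and accounts are all constructed for illustration.

```python
# Constructed HR roster keyed by a hypothetical person ID (employees and contractors).
HR = {
    "E100": {"name": "A. Lee", "role": "nurse", "status": "active"},
    "E101": {"name": "B. Wong", "role": "billing", "status": "terminated"},
    "C200": {"name": "C. Diaz", "role": "it_admin", "status": "active"},
}

# Hypothetical least-privilege baseline: what each role needs, and nothing more.
ROLE_BASELINE = {
    "nurse": {"ehr_read", "ehr_write"},
    "billing": {"billing_app"},
    "it_admin": {"vpn", "domain_admin"},
}
PRIVILEGED = {"domain_admin"}  # entitlements that mark an account as privileged

# Constructed account inventory, as an identity system might export it.
ACCOUNTS = [
    {"login": "alee", "person": "E100", "mfa": True,
     "entitlements": {"ehr_read", "ehr_write", "billing_app"}},
    {"login": "bwong", "person": "E101", "mfa": True,
     "entitlements": {"billing_app"}},
    {"login": "cdiaz", "person": "C200", "mfa": False,
     "entitlements": {"vpn", "domain_admin"}},
    {"login": "svc_old", "person": None, "mfa": False,
     "entitlements": {"vpn"}},
]

def review(accounts, hr, baselines, privileged):
    """Return (login, finding) pairs for accounts that need action."""
    findings = []
    for acct in accounts:
        person = hr.get(acct["person"])
        # Timely revocation: every account must map to an active person.
        if person is None or person["status"] != "active":
            findings.append((acct["login"], "revoke: no active HR record"))
            continue
        # Least privilege: anything beyond the role baseline is excess.
        excess = acct["entitlements"] - baselines.get(person["role"], set())
        if excess:
            findings.append((acct["login"], "excess: " + ",".join(sorted(excess))))
        # Privileged accounts must be covered by multi-factor authentication.
        if acct["entitlements"] & privileged and not acct["mfa"]:
            findings.append((acct["login"], "privileged without MFA"))
    return findings
```

The check only works when the HR fields are clear and consistent: an account that cannot be tied to an active person is treated as a revocation candidate rather than given the benefit of the doubt.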
Without a doubt, the COVID-19 pandemic has changed the face of healthcare. Hospitals and other healthcare providers may no longer have physical borders and the virtual borders will also continue to blur. There will be lessons learned from the COVID-19 pandemic that must be examined, understood and carried forward.
Whether we face another pandemic or other public health crisis in the future, these valuable and historic times will only serve to inform us better and point the way to even more robust solutions and innovation. Now is the time to leverage technology and shore up our capabilities—before it is too late.