CYBERSECURITY DURING COVID-19:
CONSIDERATIONS FOR THE HEALTHCARE INDUSTRY
The potential to exploit vulnerabilities in the healthcare industry has increased as we turn our attention to the more pressing matters of managing COVID-19. The unfortunate truth is, this pandemic provides an opportunity for criminals to further their activities for financial gain, but there are ways for medical facilities to prepare.
The potential to exploit vulnerabilities in the healthcare industry, in order to steal patient data or hold medical facilities hostage for ransom, has increased as we turn our attention to the more pressing matters of managing the COVID-19 pandemic. The unfortunate truth is, this pandemic provides an opportunity for criminals to further their activities for financial gain. Their aim is to take advantage of the gaps created in medical facilities overwhelmed with responding to the onslaught of medical emergencies. Understanding the importance of saving lives above all else, the healthcare industry should remain vigilant to the digital threats that could impact their mission at this critical time.
With COVID-19, hospitals, small medical facilities, the medical supply chain, and even family doctors are seeing an influx of new patient data. But how is this data being handled, and how is it being secured? While a larger hospital system in New York City may have the resources to maintain a robust security infrastructure, an independent urgent care facility in Columbus, Ohio may not. Meanwhile, businesses and organizations not traditionally encompassed by or otherwise involved with the healthcare industry—which falls under additional scrutiny in terms of data protection—may now be responsible for data regulated by Federal guidelines.
Federal requirements under HIPAA mandate the safeguarding of patient data. Unfortunately, because this data is considered to be of higher value and importance, it is also more of a target for theft and extortion. To add to the security concerns, medical technologies operating on outdated infrastructure can also present a prime entry point for hackers.
We have seen numerous examples of ransomware campaigns targeting hospitals—networks are locked and doctors lose access to patient data until demands are met. The mindset of a criminal is that the mission of medical facilities is so critical that victims would be willing to quickly pay any sum to ensure they can resume conducting business. When ransoms are paid, usually because of inadequate recovery preparation, it only builds the confidence of criminals to continue their malicious activity. Knowing how grave the current situation is, there is little doubt criminals see opportunity here.
The theft of patient data is the other primary concern. As an FBI Special Agent, I investigated organized crime rings stealing identities to conduct fraud. This process began with the theft of names, social security numbers, and dates of birth of targeted populations, to include the deceased. As a nation, we are creating programs to provide fast economic relief to those in need, but the haste of these programs leaves them vulnerable to fraud. Warnings have already been issued to the general public to be cautious of virus-related scams, but these opportunities pale in comparison to the trillion-dollar packages now available for claim. The US Government is, understandably, hurrying to get cash into the hands of Americans; unfortunately, diligence will likely be an afterthought, and we can expect to see a noticeable loss due to fraud. Where will fraudsters obtain the identities needed to carry out their crimes? There are hundreds of thousands of patients flooding into medical facilities and providing their names, dates of birth, social security numbers, and addresses to receive care. Without the proper protections in place, this information could become an enormous pool of victim data.
So what can you do?
Educate, educate, educate. Despite the significant publicity cybersecurity has received in the last decade, user mistakes, most commonly through email phishing, are the top cause of cyber attacks. We have already seen malicious campaigns touting “urgent COVID-19” information and baiting users to install malicious applications or provide access credentials. You may be operating at 10x speed during this crisis, but remember to take a few extra seconds to analyze before clicking.
Know your data. Are you transmitting or storing data that falls under HIPAA protections? Is any of that data being cached, or downloaded, on the personal laptop of an employee now working remotely? What steps are you taking to encrypt personal data and dispose of it when it no longer needs to be retained? Protected data can easily be overlooked if it is not commonly encountered. Take some time to learn what types of information are in your organization’s ecosystem, and ensure you are protecting it appropriately.
Patch your systems. We have a phenomenal information security community—threat data is communicated quickly and software and hardware vendors work fast to fix vulnerabilities. Avoid being a victim by keeping your systems updated with the latest patches and ensure your third-party vendors are doing the same.
Have a business continuity and disaster recovery plan. What would you do if ransomware hit and your data systems were locked? Did you back up your data? Can you recover it without paying ransom? If you are a large organization with a dedicated security team, these questions should already have answers. But as a small business, you may not have considered the possibility. In many cases, a third-party IT company maintains your network. Have this conversation with them now; their job is to ensure your network is available at all times.
Know who to call. Large organizations will often have an incident response (IR) retainer with a cybersecurity firm. If you fall into this category, it may be a good time to ensure they have the most updated information on your IT infrastructure. If you are a small business, an IR retainer may not be economically feasible. At the least, research firms’ pricing and services now. Have a quick call with the firm you know you will want to use and develop a point of contact. Preparation will keep you from wasting valuable time Googling “ransomware help” during an emergency.
Contact the ShiftState Team.