Healthcare organisations have come under intense pressure following the outbreak of the Covid-19 coronavirus in 2020. But they are also battling a dramatic increase in cyber security incidents linked to the pandemic.
According to recent research from cyber security firm Check Point, cyber attacks in the healthcare industry have grown by 45% since November 2020. It also found that ransomware, botnets, remote code execution, and DDoS attacks are the most common cyber security incidents faced by healthcare organisations.
While 2020 may be (thankfully) over, there are no signs of cyber security threats aimed at healthcare organisations slowing down any time soon. And the pandemic continues to leave this sector vulnerable to attack by opportunistic cyber criminals. So, how can healthcare organisations mitigate these threats in 2021?
A vulnerable industry
For many healthcare organisations, tackling cyber crime has traditionally been a major challenge due to various factors.
Mark Ward, senior research analyst at the Information Security Forum (ISF), says: “The healthcare industry has always been in a difficult position when it comes to cyber security. It has to balance its focus on helping people get better against its need to protect the very sensitive information the treatment generates.
“And, because it is a heavily regulated industry, a lot of the resources it could put towards effective security controls can get used up ensuring compliance with the plethora of regulations that impinge upon it.”
Over the coming year, the healthcare industry will continue to face growing cyber security pressures on top of the continuing pandemic, says Ward.
“2021 will only see that pinch become tighter as more regulations around sensitive health data are rolled out and the ongoing fight against the pandemic leads to more demands to share the data healthcare organisations hold,” he adds.
Ward believes that security leaders working in the healthcare industry should treat their organisation as another patient, saying they should look for signs of sickness, treat the symptoms, and act swiftly if the patient’s condition suddenly worsens.
“As with medical care, early work to prevent problems emerging is better and cheaper than acting once the damage is done. In practice, this comes down to getting the basics right – putting in those policies, practices and technologies that protect against the most common threats,” he says.
“Just like we’ve all had to wear masks and wash our hands more regularly, [best practice] gives organisations the best chance to avoid contracting a nasty malware infection. And, if there is an incident, then cyber insurance might be a good option. The aftercare that good policies provide, at a cost, can help the clean-up, analysis and the return to normal.”
Battling unempathetic hackers
Launching a cyber attack on any organisation is illegal and wrong, and targeting the healthcare industry is morally disgraceful.
But according to Sean Wright, application security lead at Immersive Labs, this doesn’t concern most cyber criminals. They aim to make cash out of victims and know healthcare institutions are more likely to pay ransoms.
“Unfortunately, many attackers have very little sympathy regarding their targets, so anything which will gain them any advantage, typically financial gain, will be fair pickings for them,” he says.
“This is combined with the fact that they don’t have to witness any of the horrific consequences. We’ve unfortunately seen some of this play out this year, with ransomware attacks targeting hospitals.”
Because healthcare organisations are focusing so much of their time and resources on responding to Covid-19, they are struggling to stay ahead of increasing cyber security threats. The pandemic has, in many ways, made them more susceptible to cyber breaches and an attractive target for hackers.
“Combine this with the increased pressures from the current pandemic, I think medical centres – especially hospitals – will have a really tough time trying to keep up and protect themselves,” says Wright. “Not to mention that they will likely face even more limits around finances as the toll of Covid starts to rack up.”
But despite this, there is a lot of positive work going on to protect the healthcare industry from increased cyber crime. “Thankfully there are some good things happening in the community, with a few volunteer groups started with the aim to help healthcare organisations. Groups such as Cyber Volunteers 19 who have done some amazing work,” says Wright.
If the healthcare industry is to ward off the threat posed by cyber criminals, it needs to focus on fostering good security practices and hygiene, he adds.
“Ensure systems are patched, have appropriate monitoring in place, and have a suitable antivirus – which is also regularly updated so that new rule sets can be downloaded – in place,” he says.
“For systems which can’t be updated, ensure that they are sufficiently segmented and, if possible, isolated in their own network. Perhaps the most important of all is appropriate awareness and training for staff, and making sure they are aware of common risks and attacks such as phishing.”
A cyber crime pandemic
Since the outbreak of coronavirus in early 2020, all spheres of the healthcare industry have faced a range of increased cyber security risks.
Adam Enterkin, Europe, Middle East and Africa (EMEA) senior vice-president at BlackBerry, says: “From over-stretched hospital wards to vaccine development labs, healthcare organisations have seen an increase in attacks during Covid-19.
“The urgency of this crisis has made distributing malware easier than ever for cyber criminals looking to exploit the critical nature of medical data. Phishing emails have capitalised on this urgency, with subject lines including test results and PPE availability.”
With hospitals having to deal with record numbers of patients requiring medical care, cyber security has taken a back seat. “At the same time, the NHS has been forced to divert resources away from cyber security to prioritise immediate patient care,” Enterkin says. “Often, paying a ransom seems like the only way to do this. BlackBerry research found that payment is most common in healthcare over other industries.”
Enterkin believes that healthcare organisations are particularly vulnerable to cyber crime because they don’t have large and highly skilled teams to mitigate these threats. But he takes the view that they can protect themselves by investing in automated technologies.
“Automation is key, and technology must take on the heavy lifting. To allow healthcare professionals to prioritise both immediate care and ever-present cyber threats, AI [artificial intelligence] and machine learning are the solution, due to their continuous learning capabilities and proactive threat modelling which grows in sophistication over time,” says Enterkin.
“For instance, if a healthcare professional clicks on a suspect link, cutting-edge algorithms and artificial intelligence can step in proactively to protect them, preventing threats like malware, viruses, ransomware, and malicious websites.”
Andrew Rogoyski, an independent technology expert, points out that the coronavirus vaccine development has been a major motivator for hackers. “There are political, economic and societal factors driving these attacks – the cost of developing new drugs is measured in billions, requires large numbers of highly skilled scientists and normally takes years of investment before taking a new medicine to market,” he says.
“In something as important as a vaccine for Covid-19, where regimes may fall or economies fail without a vaccine, there may be an imperative to steal or even disrupt another country’s progress.”
Mitigating cyber threats in healthcare
Although healthcare organisations have been experiencing unprecedented cyber security risks during the global pandemic, there are many different ways they can address these effectively.
Tamara Davis, CEO of Recon Secure Computing, says: “Infosec [information security] and cyber security teams should expand their threat profiles, increase edge-network vigilance and impose a higher set of restrictions on installed software applications.
“Access to home peripherals, including home IoT [internet of things] devices, should be monitored closely. The goal is lowering the threat profile for VPN-connected [virtual private network-connected] devices to maximise the user security while minimising the user disruption. With a Covid lockdown, you need a cyber security lockdown.”
Irfahn Khimji, country manager for Canada at Tripwire, believes that healthcare organisations should educate all stakeholders about new cyber security risks. “As family healthcare practices have started to take virtual appointments for non-urgent matters, a new vector of attack has arisen,” he says.
“Family practices that have previously not had any remote-style infrastructure are now interacting with their patients via teleconferencing, emails and online portals.
“It is very important that the healthcare industry looks at educating and creating awareness for the doctors, nurses, staff and patients around various phishing scams as well as protecting their patient data.
“Smaller practices often do not have the budget for large-scale security programmes, but they need to be mindful of how to best protect their patients and staff from these threat vectors.”
Medical technology company Q Doctor, which has been working with NHS England to provide virtual consultations throughout the pandemic, is taking a plethora of steps to mitigate cyber security threats.
Company founder Chris Whittle, who is also a clinician and anaesthetist, says: “We have robust systems in place and regularly stress test our system to ensure it is secure and protected against any potential cyber attacks. This is performed both on an internal basis and an external one, with third-party penetration testing.
“Cyber security is assessed in a number of ways: with the tests themselves; the frameworks, accreditations and toolkits led by the NHS; the Data Security and Protection Toolkit, where we publish our practices, and Cyber Essentials Plus, which is an information governance accreditation that we have achieved.”
Nicola Whiting, chief strategy officer of Titania, says healthcare organisations have unique challenges in securing legacy systems. “For example, some essential equipment can require specific operating systems to function. This creates challenges to delivering essential security updates. The rise of Covid-19 has seen a corresponding spike in ransomware and other attacks which seek to take advantage of unpatched systems.”
However, there are several things health organisations can do to stay safe and secure. “To protect against these attacks requires a combination of user training, to reduce effectiveness of phishing and other typical malware entry points; risk assessment and protection of critical systems; and isolation for those systems that cannot easily be updated or protected,” says Whiting.
“This is a critical time for security professionals in the healthcare sector, and our industry has rallied to support them,” she adds.
The healthcare sector has long been a core target for cyber criminals, and the coronavirus pandemic has made it even more lucrative. As healthcare organisations continue to face increasing cyber security incidents in 2021, it is paramount that they pay close attention to these pressing issues and take swift action. Otherwise, they are putting not only themselves at risk, but also their patients.