As the United States continues to deal with Covid-19, our healthcare providers bear an enormous strain as they try to simultaneously provide patient care and minimize contact.
The sudden shift to remote contacts exposes new weaknesses in many applications, and adds to the challenges of healthcare IT and cybersecurity teams.
Healthcare providers have always been a target for attackers and, unfortunately, both nation-states and criminals have increased their efforts to attack those providers during the Covid-19 pandemic.
Fortunately, there are fundamental tactics that can be adopted to help limit the consequences of a successful attack. But, to understand those methods, we first must understand the vulnerabilities.
Many healthcare providers rapidly adopted telehealth solutions as the country went into quarantine lockdown in March.
IT managers barely had time to understand the basics of these tools, let alone the full scope of the risks before they were deployed.
Telehealth tools possess a broad attack surface. First, they typically utilize cloud storage and online platforms that are exposed to constant attack. Also, third-party tools, remotely accessible medical devices, VPN connections, and the patient’s own home networks provide potential vulnerable access points.
Unfortunately, even with the increasing number of possible vulnerabilities, the most likely weakness remains the human factor. Doctors and patients seek ease-of-use, and they often lack the technical expertise needed to take precautions.
Additionally, a high percentage of the elderly population isn’t tech savvy, which introduces more problems through simple mistakes.
The sudden telehealth adoption also put increased pressure on application providers, who continue to find flaws in their software. Babylon's software allows users to speak to healthcare providers from their smartphones; it can also send prescriptions to nearby pharmacies.
Unfortunately, in June, users found that a glitch in Babylon's application allowed them to view other patients' data through their own accounts.
Although Babylon reacted quickly to address the problem, the exposure of patients’ data potentially triggers regulation & privacy violations. It’s not clear whether Babylon or the healthcare providers will bear the legal responsibility for the GDPR or HIPAA damages from the breach.
Open Holes in Security
Experts also fear that the rapid deployment has led to loosened controls that expose healthcare systems and networks. Examples include:
- Doctors may be using unsecured tablets to service parking lot clinics.
- Firewall rules may have been relaxed to allow for remote work and have exposed new vulnerabilities to attackers.
- Cloud-based data stores may be misconfigured.
Some of these theoretical concerns have already been realized: two of the five largest health data breaches in 2019 originated from misconfigurations. While these issues are not unique to healthcare, the additional penalties for HIPAA violations create even more pain points.
Meanwhile, there are plenty of unaddressed holes in healthcare security stemming from the medical equipment. Early in 2020, researchers located a set of vulnerabilities in GE’s healthcare products, such as exposed private keys, hard-coded credentials, and insecurely stored remote desktop credentials.
Unfortunately, these types of vulnerabilities are common and can be quite difficult to fix. Not all medical devices update firmware regularly or easily, so some vulnerabilities could remain open for the lifetime of each device.
The Food and Drug Administration (FDA) implemented stronger regulations for medical devices. It also developed a mechanism to issue recalls of devices that cannot be secured. Unfortunately, a device remains in good standing as long as its manufacturer issues patches within 60 days, which leaves the healthcare IT team to secure that device in the interim.
Healthcare Under Attack
As Covid-19 issues grow, so too does the threat of attack.
In addition to the many Covid-19 themed attacks, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) warn that Chinese and North Korean state-sponsored hackers now specifically target healthcare providers. These attackers seek to identify and extract technology related to vaccines, treatments, and testing. The main vulnerabilities exploited in these attacks are in Apache Struts and in Microsoft's Object Linking and Embedding (OLE) technology.
Despite promises from some leading ransomware gangs to spare healthcare targets during the Covid-19 pandemic, the attacks continue. A sampling of the notable attacks since March includes:
- Vaccine test center Hammersmith Medicines Research hit by Maze ransomware
- Woodlawn Dental suffered a breach from a ransomware attack affecting 14,400 patients
- Mat-Su Surgical reported an attack that may have leaked data for more than 13,000 patients
- Illinois Public Health website hit by NetWalker ransomware
- Parkview Medical Center in Colorado shut down by ransomware.
This is a continuation of the aggressive trend that saw a 350% increase in attacks against healthcare providers in the fourth quarter of 2019. These attacks are broad, and they do not discriminate. They have been recorded against large entities — such as hospitals and health systems, and the IT vendors supporting healthcare — and against hundreds of smaller clinics, dental offices, and nursing facilities.
Tips for Protecting Healthcare Environments
Healthcare IT teams often deal with restricted, non-profit budgets.
That said, to keep costs down, security managers can focus on key vulnerabilities to mitigate the effectiveness of attacks. A key component to mitigating ransomware attacks is to create a comprehensive and tested backup program.
By regularly backing up encrypted data to removable media (hard drive, USB flash drive, etc.) that is disconnected between backups, you counter the current ransomware tactic of deleting network-connected backups.
Furthermore, the use of strong passwords and implementation of multifactor authentication can decrease the effectiveness of a credential compromised by a phishing attack.
A whopping 91% of ransomware attacks begin with phishing, and 75% of healthcare organizations don't deploy scanning and filtering tools on email. Implementing such screening on email has been shown to reduce the likelihood of a successful ransomware attack by 33%. It also decreases the possibility of compromised credentials.
Poorly secured remote desktop protocol is associated with a 37% increase in the likelihood of successful ransomware attacks, and unpatched VPN vulnerabilities have been a favorite exploit of ransomware gangs. The first step in protection will be to keep remote access systems fully patched and carefully monitored.
To prevent issues resulting from home networks and other remote user-based attacks, healthcare providers should minimize the sensitive data that flows to unsecured locations, carefully monitor credentials for unusual behavior, and provide simple, easy-to-use solutions. To reduce the damage from the inevitable data leak, encryption of data at rest can also be added easily, increasing the difficulty for attackers to harm the organization.
To minimize issues from exploitable IoT devices, you should isolate your mission-critical (MC) networks. Care-critical devices connected to patients, such as infusion pumps, ventilators, patient monitors, and anesthesia machines, are the most important devices to isolate, to avoid direct harm to patients. Diagnostic machines serving radiology, ultrasound, and laboratories form the next tier of critical devices, since they directly support the healthcare mission.
If connectivity is needed outside of the MC networks, dedicated routers or firewalls can be implemented to restrict traffic strictly to the required data flows. Connections to information exchange (IX) networks should be similarly isolated and restricted.
The following ports should be strictly controlled, if not blocked outright:
- TCP Port 22 for SSH and TCP
- UDP Ports 137, 138, 139 and 445 for NetBIOS and SMB
- TCP Ports 5225, 5800, 5900, 10000, and 10001
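As an added illustration of the isolation described above (not a configuration from the original post or from any vendor), the following nftables ruleset places an MC device segment behind a dedicated Linux firewall with a default-deny forward policy, permits only one assumed required flow (device telemetry to a clinical server on TCP 8443), and logs and drops the ports listed above. The addresses, interface name, and the telemetry port are constructed assumptions for the example.

```nftables
#!/usr/sbin/nft -f
# Constructed example: isolating a mission-critical (MC) device VLAN.
flush ruleset

define MC_NET     = 10.50.0.0/24   # assumed: infusion pumps, ventilators, monitors
define EHR_SERVER = 10.10.5.20     # assumed: clinical application server
define BLOCKED_TCP = { 22, 5225, 5800, 5900, 10000, 10001 }
define NETBIOS_SMB = { 137, 138, 139, 445 }

table inet mc_isolation {
    chain forward {
        # Nothing crosses the MC boundary unless a rule below allows it.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows already permitted; malformed state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Ports the post says to control: log for SOC review, then drop in
        # both directions. NetBIOS/SMB is matched on both TCP and UDP
        # (137/138 are UDP, 139/445 are TCP in practice).
        ip saddr $MC_NET tcp dport $BLOCKED_TCP log prefix "mc-blocked-tcp " drop
        ip daddr $MC_NET tcp dport $BLOCKED_TCP log prefix "mc-blocked-tcp " drop
        meta l4proto { tcp, udp } th dport $NETBIOS_SMB log prefix "mc-netbios-smb " drop

        # The single required data flow (assumed): device telemetry to the
        # clinical server only, entering from the MC VLAN interface.
        iifname "vlan-mc" ip saddr $MC_NET ip daddr $EHR_SERVER tcp dport 8443 accept

        # Everything else touching the MC segment is logged so unexpected
        # flows surface during monitoring; the chain policy then drops it.
        ip saddr $MC_NET log prefix "mc-denied-egress " drop
        ip daddr $MC_NET log prefix "mc-denied-ingress " drop
    }
}
```

Load it with `nft -f` and review the logged prefixes before tightening further; each additional required flow gets its own explicit accept rule rather than a broader allow.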
The Right Support
For most organizations, the risk of failure can be constrained to damage to their reputations and to their bottom lines.
Healthcare organizations carry additional burdens, as system failure might affect patient outcomes or even cost lives.
Additionally, many healthcare organizations maintain a non-profit or government structure that limits their funding for IT infrastructure and security. Judiciously working with consultants such as Ideal Integrations and Blue Bastion can provide opportunities to advance the overall safety and security of the IT Infrastructure within budget resources.
Ready to get started? Contact us today and let our team of cybersecurity & IT experts keep you safe and secure, 24/7/365.