With the ebbs and flows of COVID-19, pandemic-related hurdles – particularly hospitalization surges we’re currently experiencing – are top of mind for hospitals. However, my biggest fear, and I’m sure also for others involved in cybersecurity prevention, is how ransomware attackers can use the pandemic as an opportunity to target hospital systems and exploit their vulnerabilities.
Data breaches are extremely common today. Locally, Lawrence General Hospital reported a small patient data breach in September that caused the hospital to go offline for 36 hours, leading to a new software installation to safeguard its computer systems.
Though resources and staff are stretched thinner than ever, it is vital for hospital leadership to always have cybersecurity on their minds and in their ongoing operational plans.
In late October, federal agencies, including the FBI, Department of Health and Human Services, and Cybersecurity and Infrastructure Security Agency issued an advisory warning that U.S. hospitals will face increased cybercrime threats and recommending organizations beef up protections.
Electronic medical records provide a huge breadth of data: Social Security numbers, billing details, health concerns and overall demographic details. To sophisticated attackers who can act quickly, hospitals are enticing for that reason.
In pursuit of this data, attackers detect vulnerabilities from several angles, locking up systems and/or encrypting valuable information and, at times, forcing hospitals to pay hefty sums of money to get back online.
Attacks on U.S. hospital systems can be particularly profitable, creating more reason for international attackers to focus their energy on institutions here in the states. Rather than something that can be permanently fixed, cybersecurity is more like a chess game hospitals are forced to play with attackers. They set up their defenses; the hacker attacks. And, if they get through, the hospital responds with a counter-move as well as new defenses against future attacks.
As daunting as that sounds, hospital leadership, especially chief information officers, plays a key role in how to keep their network structures safe. It’s a tough spot to be in, as putting protections in place means investing in the appropriate software, IT technologies, medical devices as well as skilled cybersecurity experts within their organizations.
Whether hospitals and healthcare organizations spend a few hundred dollars or a few million, they are vulnerable. But when challenges like COVID-19 divert plans and saturate budgets, hospitals can quickly fall behind. Unfortunately, as budgets get tight, the “if it ain’t broke, why fix it” mindset can quickly take hold, further delaying plans.
However, many hospital networks are already vulnerable to cyberattacks, making hospitals open to financial risk. For CIOs, their main challenge is convincing CEOs, chief financial officers and other decision makers to proactively invest in cybersecurity planning and ongoing education within the IT team.
This includes beginning to understand their cybersecurity vulnerabilities and setting up defenses to them. It also includes taking an inventory of all network components and the vulnerabilities each introduce. At the end of the day, the hospital network is only as secure as its weakest link. Hospitals leave themselves open to attackers by using legacy technology -- older, often outdated technologies that still do the job but are unable to protect against cyberattacks.
Legacy technology exists everywhere but tends to be more prevalent in places like healthcare and government organizations. The city of Methuen’s computer system, for example, was running an older version of Windows and threatened earlier this year by a cyberattack. The city subsequently spent $272,000 on protective hardware and software as well as an IT system audit to ensure that it had the proper defenses in place.
For hospital CIOs, they not only must consider the security of their computer systems but also the security of every medical device running on the network. For example, one of the most commonly used devices in hospitals, infusion pumps, are legacy devices and often not very secure. As a result, they represent that weak link on the hospital network and a potential point of attack for savvy hackers.
And, once on the network, that hacker can launch subsequent attacks on other devices or systems, resulting in possible ransomware attacks or disruptions to patient care.
In addition to technology vulnerabilities, human error is a vulnerability as well. In the case of Methuen’s computer system, the threat originated from an employee unknowingly opening an email attachment containing ransomware. In a large hospital, with many people using many different types of systems, software and devices, this vulnerability grows exponentially.
And one of the primary defenses is education and being vigilant in the monitoring and detection of these types of attacks. Attackers are incredibly resourceful and often determined to identify and exploit hospital vulnerabilities, constantly looking for ways to penetrate the hospital network.
And though COVID-19 is stressing the resources within hospitals in many ways, hospitals should not let it distract them from continuing to strengthen their defenses against cybersecurity threats.
Investing in the right people, the right education, the right technologies and the right processes is key to playing in the high-stakes game of cybersecurity. Not doing so can place the hospital at risk financially and disrupt their ability to deliver care.
George Gray is chief technology officer of Ivenix, a North Andover-based medical technology company with the vision of eliminating infusion-related patient harm.