Healthcare Hospitals and Laboratories

Cybersecurity for Healthcare Hospitals and Laboratories

USA Cybersecurity is a veteran owned small business located in Washington, D.C. certified to deliver cybersecurity and digital forensic services to government agencies, government contractors and commercial businesses.  

Healthcare Hospitals and Laboratories are vulnerable to cyberattacks because they store personal and sensitive information for thousands of customers through hundreds of digital access points within their primary and remote locations. Although many types of cyber crimes are perpetrated against U.S. businesses, Healthcare Hospitals and Laboratories are most vulnerable to social engineering attacks and ransomware.

Our managed services and regulatory compliance offerings include using the brightest security-cleared minds and the most sophisticated equipment available. Our primary focus is to secure the infrastructure of the Continental United States (CONUS). Our secondary focus is to secure the infrastructure of our allies and friends Outside Continental United States (OCONUS). All services are provided remotely or in-person.

Cybersecurity in healthcare
Over the past decade, the cyberthreat to the healthcare industry has increased dramatically, along with the sophistication of cyberattacks. Industry and government both recognize this new era. For each improvement delivered by automation, interoperability, and data analytics, the vulnerability to malicious cyberattacks increases as well.

Cyberattacks are of particular concern for the health sector because attacks can directly threaten not just the security of systems and information but also the health and safety of patients.

Healthcare organizations are attractive targets for cybercriminals for three main reasons:

  • Criminals can quickly sell patient medical and billing information on the dark-net for insurance fraud purposes.
  • Ransomware’s ability to lock down patient care and back-office systems make lucrative ransom payments likely.
  • Internet-connected medical devices are susceptible to tampering.

Cybersecurity issues in the healthcare industry
Health organizations, large and small, are prime targets for cybercrime. The growing number of healthcare-related cyberattacks is an indication that smaller health providers are falling victim to cybercriminals at an increasing rate. Large healthcare providers often have the resources necessary to mount a formidable cyber defense strategy. These large hospitals and health provider chains can often afford to hire a chief information security officer, staff a security operations center, and subscribe to the best threat intel services. Some of the most notable cyberattacks of the last decade were against healthcare institutions. Community hospitals, independent doctors, and dentists don’t often have the luxury of expensive cybersecurity defenses. Yet, they shoulder the same cyber risks and present an equal opportunity for criminals. The American Medical Association states that nearly 57 percent of medical practices in the U.S. have ten or fewer physicians, and about 10 percent are solo practitioners. Unable or unwilling to pay exorbitant ransoms, many small healthcare providers cannot survive these attacks and feel forced to close their businesses. These practitioners are fully aware that paying a ransom demand, by no means, guarantees that the hacker will release data or equipment. Nor does it ensure that they will not sell your patient’s data on the darknet. The American Dental Association reported that in August 2019, hundreds of dental practices were affected by ransomware. The attack focused on a dental-focused technology provider and locked dentists out of their data.

A ransomware incident in August 2019 forced Wood Ranch Medical in Simi Valley, California, to close its doors on December 17, 2019. A note on their website said, “Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there. With our backup system encrypted as well, we cannot rebuild our medical records,” the note continues. “As much as I have enjoyed providing medical care to you, I will not be able to attend to you professionally after that date.” Arguably the most respected and informative security industry annual report is the Verizon DBIR (Data Breach Investigations Report). The 2020 DBIR indicates the substantial increase in the number of breaches and incidents overall is reflected in the healthcare sector. Healthcare suffered a 71 percent increase in breaches or incidents in 2020 over 2019. Financially motivated criminal groups continue to target the healthcare industry primarily with ransomware attacks. Lost and stolen assets are also a problem, and human error is alive and well in this vertical. Most healthcare cyberattacks are not launched from some clandestine bunker, it must be noted that nearly half of the breaches in this sector come from internal bad actors.

The 2019 DBIR reported that the healthcare sector had internal actor breaches (59 percent) exceeding those by external actors (42 percent). This year, external actor breaches are more common at 51 percent, while breaches executed by internal actors fell to 48 percent. However, this is a small percentage, and healthcare remains the industry with the highest amount of internal bad actors. As a glimmer of hope, the 2020 DBIR shows that privilege misuse incidents have declined across the board. In 2019 privilege misuse stood at 23 percent. This year it dropped to 8.7 percent. Privilege misuse is the direct result of poor access control. Users have more access rights than they need to do their jobs, and the organization fails to monitor the activity of privileged accounts properly and establish appropriate controls. The decrease in this type of event can be seen as reflecting improved security policies and training. These indicators denote an increase of security awareness within the organization.

Privilege misuse incidents are responsible for user errors that result in data loss or unauthorized access by an adversary. Privilege misuse is not to be confused with internal bad actors. Another change that goes along with decreased insider misuse breaches is a corresponding drop in multiple actor breaches. The healthcare sector has typically been the leader in this type of breach. This type of breach usually occurs when external and internal actors combine forces to steal data used for financial fraud. The multiple actor breaches last year were at 4 percent, and this year dropped to 1 percent.

The top cybersecurity error experienced by the healthcare industry is incorrect delivery. This error tends to fall into two categories. One is when an email is sent to the wrong email address, or distribution list, and sensitive data is received by unauthorized personnel. The second is the snail mail equivalent; when address labels for a mass mailing get out of sync and confidential information is mailed to the wrong recipient.

Case study of cybersecurity breach in healthcare
In 2019 a small community health system in Wyoming fell victim to a cyberattack. Campbell County Health operates a 90-bed acute care hospital in Gillette and nearly 20 clinics across the county. Attackers locked up sensitive patient information and medical devices then demanded a ransom. As a result of the attack, Campbell County Health employees found it necessary to cancel services, including radiology, endocrinology, and respiratory therapy. Reports indicate that the organization transferred patients to hospitals as far away as South Dakota and Denver. Cash registers, email, and fax were all unavailable. Doctors had to resort to pen and paper to document medical conditions, and with prescription records inaccessible, patients were required to bring medication bottles to visits. Cyberattacks against healthcare organizations are increasing. 

In a video address to the community, Andy Fitzgerald, Chief Executive Officer of Campbell County Health, said, “CCH is not the first organization, hospital or otherwise, to be hit with a ransomware attack. Every organization is subject to this type of cybercrime. We were not the first, and, unfortunately, we won’t be the last to experience this. Individuals, as well as organizations, must remain constantly vigilant, at home and at work, in order not to become a victim of this kind of crime. CCH had strong systems in place before the attack, and we have invested in additional measures, but the threat remains for all of us.”

What makes cybersecurity challenging within the healthcare field?
The healthcare sector has all the cybersecurity challenges facing any business, plus unique challenges all their own. They must protect their networks, databases, and endpoints from attack. They are responsible for protecting private financial and medical information about their patients and employees. They often protect valuable intellectual property. Additionally, they have challenges few other businesses encounter. The number of connected medical devices has exploded over the last ten years. Nearly every conceivable piece of medical equipment is now web-enabled or connected to the organization’s operational network. Healthcare providers are deploying more connected medical devices every day, and they can make up as much as 74% of the devices connected to a hospital’s network. The prevalence of medical device hijacking has spawned the use of the term “medjacking” to describe these attacks aimed specifically at connected medical devices. These connected devices are often necessary to sustain the life of the patient. Disabling them, or modifying their functionality, can mean the difference between life or death. Like any digital device, updates are needed to keep them running and safe. Connected devices include patient tracking wristbands, equipment tracking for crash carts, ventilators, portable X-ray machines, and vital-sign monitors. All of these devices communicate across the hospital network providing doctors with valuable patient information entered into electronic health records. The transmitted data allows doctors to provide more affordable care. Clinicians can work faster and in safer conditions. And each of those devices acts as an entry point for cybercriminals to exploit.

A 2019 study by Black Book Market Research LLC surveyed over 2,800 security professionals from 733 organizations to identify gaps, vulnerabilities, and deficiencies that persist in keeping hospitals and physicians proverbial sitting ducks for data breaches and cyberattacks. The report showed healthcare’s cybersecurity struggles are caused by budget constraints. It is costly to replace legacy software. Past reports from security researchers show that the majority of healthcare medical devices operate on legacy platforms. Fifty-six percent of healthcare providers still rely on legacy Windows 7 operating systems. Many of these providers struggle with understanding or performing necessary patches. Nothing could be of higher priority than the health and well being of patients, and communication between healthcare providers and patients or between the various healthcare functions has been refined to an art. Below are some reasons healthcare profession struggle with cybersecurity.

The top cybersecurity challenges facing the healthcare industry are:

  • Patient information is valuable on the darknet.
  • Medical devices often lack adequate security controls.
  • Medical professionals need the ability to access medical data remotely.
  • Insufficient cyber risk training among healthcare workers.
  • Outdated technology used in many healthcare facilities.

Healthcare providers shoulder extraordinary cybersecurity risks. Their position as the most attacked business sector has not escaped notice. The issue of cybersecurity has risen to the forefront of concerns for this sector. There are seminars, conferences, white papers, and myriad of cybersecurity training opportunities for healthcare professionals. Like any other business sector, efficiencies are introduced to enhance competitive advantage. One of the significant efficiencies leveraged by healthcare providers is how much time they spend with each patient. Too much time with one patient means someone else’s medical needs may not receive attention.

Cybersecurity solutions for the healthcare industry
Currently, the healthcare industry is losing ground in its battle against cybercrime. Antiquated computing systems and too few trained cybersecurity professionals combined with an increase in connected medical devices have left this sector vulnerable. Technological advances in patient care equipment, systems, and processes have outstripped improvements in backend support systems where valuable patient information is stored. The current global pandemic only exacerbates these problems. In May 2020, Bitdefender Labs, a leading cybersecurity vendor, reported, “With healthcare systems under constant strain amid the SARS-CoV-2 global pandemic, hospitals and healthcare facilities around the world have also been hit by a wave of cyberattacks, including ransomware attacks. While officials have already issued warnings that hospitals, governments, and universities may be more conscious about losing data and access to critical systems, Bitdefender telemetry reveals that the number of cyberattacks and ransomware incidents directly targeting healthcare significantly increased over the past couple of months. The number of cyberattacks detected at hospitals in March increased by almost 60 percent from February, according to Bitdefender telemetry. This is the highest spike in our global evolution of cyberattacks detected at hospitals reported over the past 12 months, showing that cybercriminals have clearly leveraged the pandemic to launch these campaigns.”

Cybersecurity solutions for healthcare organizations should provide safeguards that exceed those of most businesses. Arguably, these systems and devices should be equal to or surpass those used in financial organizations in terms of the level of protection provided. To achieve this goal, healthcare institutions must look at each new platform proposed in terms of the medical benefits provided to their patients and the risk of cyberattacks.

How to Keep Your Healthcare Organization Safe
There are several key measures to follow that help lower the risks of breaches and keep your organization and customers’ data safe.

  • Build a risk-aware culture
    • Thoroughly examine and determine where security risks lie in your organization.
    • Educate and communicate with employees to help them understand how they can help close the gaps.
    • Implement the right tools that continuously monitor and identify vulnerabilities as well as alert employees so that your organization can act quickly to reduce the risks.

  • Implement foundational controls and basic security hygiene
    • According to SANS, implementing the first six CIS Controls provide a highly effective and efficient level of defense against the majority of real-world attacks. They also help to create the necessary foundation for dealing with more advanced attacks.

  • Automate all security and compliance efforts
    • Discover and profile all business-critical assets such as patient care systems, medical devices and payment systems.
    • Quickly repair configurations errors. 
    • Adjust security controls based on system changes and business impact.
    • Monitor, measure and report compliance with security and privacy requirements.

  • Manage incidents with intelligence to help your organization to respond more quickly
    • Implement intelligent analytics to help monitor operations.
    • Implement automated response capabilities.
    • Integrate next generation threat intelligence solutions with change detection for advanced threat detection and response.

Good Security Delivers Effective Compliance
The solution to the unprecedented cyber threat problem that healthcare organizations face is to implement foundational controls that integrate into other solutions to proactively respond to threats. If an organization has implemented good security processes and controls, they could be well on their way to meeting multiple compliance and/or security standards. USA Cybersecurity supports many compliance mandates (including HIPAA and FDA, CMMC FERPA FFIEC, NERC-CIP PCI SOX, CSF FEDRAMP 800-53 V4, NIST 800-53 V5 DFARS 800-171) as well as others. That support, combined with USA Cybersecurity's advanced compliance solutions, gives you proven, industry-recognized security and the ability to meet almost any compliance mandate while protecting your network and infrastructure. 

Healthcare Hospitals and Laboratories Next Steps
As the IIoT continues to gain momentum, enterprises need to consider security threats coming from all endpoints and take steps to protect themselves from harmful and potentially life-threatening cyberattacks. Contact USA Cybersecurity