Emerging Threats in Healthcare Information Security

How Vulnerable Systems Lead to Cyber Attacks in Healthcare

December 24, 2020
A healthcare provider using an internet-enabled device to look up information on a patient.

The healthcare industry has long been known to lag behind in the process of securing their technology, including using outdated operating systems (OS), applications, and devices, which accounts for major gaps in cyber security, especially mobile device security. These gaps can lead to serious vulnerabilities in hospitals and healthcare organizations. If that wasn’t bad enough, the pandemic has pushed doctors and other professionals to quickly move to new systems and new methods of reaching patients. While this move was necessary, it caused an increase in security vulnerabilities. What are some of the areas of concern?

Growing Security Concerns in Healthcare

Mobile Healthcare, Telehealth and Growing Security Concerns

Hospitals and private institutions have increasingly turned to telehealth and mobile healthcare during the pandemic. This exacerbates the threat landscape available for attackers to target. Even if the hospitals were able to deploy new applications and software, it is possible that outdated operating systems, devices, and technology are still in use. In any infrastructure or technical upgrade project there is a possibility of missing or misconfigured security controls. These missing controls leave gaps for attackers to conduct phishing campaigns, or even compromise entire healthcare networks with cyber attacks.

Increased Network Risks from Remote Work

As some workers moved from the office to home, users are increasingly adopting virtual desktop or virtual private network solutions to connect to the office. Without proper training, these solutions can create a tunnel for attackers to exploit a potentially outdated or unprotected network. Both this year and last year, hospitals saw increases in phishing campaigns and ransomware, showing that even during a pandemic, hospitals are a target for attackers (Health IT Security, 2020).

COVID-19 Healthcare Hacks

Not only were hackers interested in hospital records and patient data, they were also interested in laboratories and medical research facilities that are working on a COVID-19 vaccine. In July, the US Department of Justice indicted two Chinese individuals for hacking into the computer systems of hundreds of victim companies, governments, and non-governmental organizations, as well as individual dissidents, clergy, and democratic and human rights activists in the United States and abroad.  

In some cases, the defendants acted for their personal gain; in others, they acted for the benefit of Chinese government agencies. The hackers stole terabytes of data and created a sophisticated and prolific threat to U.S. networks. Even during a pandemic, attackers will exploit vulnerabilities and search out proprietary or sensitive information. Phishing attacks are also used to steal information or trick unsuspecting individuals to click on “COVID trackers” or other COVID data-related sites.

Insider Threats to Hospital Cybersecurity

External attackers are not the only issue within the healthcare system. Insider threats and improper use of data are still major causes for concern in data breaches. As our healthcare system is strained with doctors, nurses, and technicians working overtime, the chances for mistakes increase. Additional strain and lack of resources put medical workers in a tough situation. It is essential for security and IT teams to be vigilant in data protection and alert for potential data exfiltration or improper use. A smaller number of attacks are done by insiders, but it is still an important component to consider during technical refreshes or when considering purchasing data loss prevention tools.

Healthcare Cybersecurity Solutions

Improving Remote and Mobile Device Security

Altogether, these factors—increased telehealth, mobile devices, and phishing campaigns—create an environment ripe for increased attacks on the healthcare sector. But there is hope! And there are ways to deal with this situation in both private practices and larger institutions. Here is a three-tiered approach:

  1. Carefully consider technical refreshes and ensure that inventories of both applications and hardware are complete prior to upgrades. These refreshes should be done in combination with security assessments during the project. Including assessments ensures that all software is up-to-date and that maintained documentation exists for current inventory and processes for upgrades, in addition to showing that security controls are properly in place.
  2. Create (or update) continuous monitoring and incident responses to match the technical refreshes. These programs should be updated to ensure both IT operations and security teams are on the same page for the new systems.
  3. Re-train users on how telework environments should be used, and how any new technology is implemented into routines. Given that healthcare professionals use and manage sensitive and private data, these are important points to make during training sessions to ensure even remote workers are careful about the security and privacy of PHI (Protected Health Information).

Recognizing the Importance of Network Security

These possible improvements are not all-inclusive and there are many tools, applications, and guidelines available for protecting the healthcare sector. Standardizing security controls and removing end-of-life applications can greatly improve overall security. Attackers will continue to research and use new methods of attack, which is why our defenders must pursue new methods of prevention. As the proverb says, “necessity is the mother of invention.” With the COVID-19 healthcare crisis, all sectors are finding new ways of using technology and must equally find new ways of securing it.

Dr. Nikki Robinson is an adjunct faculty member in the Touro College Illinois Healthcare Cybersecurity Certificate Program.

Resources:

BBC, “US charges Chinese Covid-19 research ‘cyber-spies’”

Security Magazine, “How hackers are using COVID-19 to find new phishing victims”

Consolidated Technologies, “Security threats in healthcare systems”

University of Illinois Chicago (UIC), “Top 4 threats to healthcare security”