Background
Public health and healthcare organizations are at the forefront fighting against unprecedented physical dangers from the COVID-19 outbreak. Simultaneously, there are threats propagating in cyberspace, as malicious actors target vital public health and healthcare systems. For example, hackers have zeroed in on the U.S. Department of Health and Human Services and the World Health Organization in an attempt to disrupt and undermine these organizations’ response to the pandemic. As health organizations rapidly make changes to their infrastructure, cybersecurity resilience should be prioritized, as successful cyberattacks will exacerbate current challenges.
Prevailing Vulnerabilities within Health Information Technology
The healthcare and public health (HPH) sector is a large and diverse sector that provides an array of goods and services that are essential to the health, safety, and well-being of citizens. Critical functions of the sector include, but are not limited to:
- Health plans and payers, who provide payment to caregivers for goods and services related to healthcare;
- A large system of private enterprises that manufacture, distribute and sell drugs, biologics and medical devices;
- Population-based care and surveillance provided by health agencies at the federal, state and local levels; and
- Hospitals and other medical care facilities including the first responders, nurses, doctors and other health professionals that support these facilities.
Public health and healthcare professionals are intrinsically focused on saving lives and providing quality care, not cybersecurity, although it is a priority for patient safety. For example, a healthcare organization in Wyoming fell victim to a ransomware attack that necessitated diverting patients to other hospitals and led to an inability to access patient records to continue care delivery. The organization worked for the next month to get its computer systems back online and consequently had to cancel many exams and procedures.
Cyberattacks such as this can expose sensitive patient information and force already stressed hospital systems to expend scarce resources to recover. Doctors, nurses, and other healthcare professionals understand the importance of hand sanitizing to prevent the spread of germs and should apply this same methodology to improving cybersecurity practices to throughout the organization. Good “cyber hygiene” and a culture of cyber awareness can prevent 80 percent of cyber-attacks.[3] While innovations in health IT can increase optimization and efficiency to address clinical care, fundamental research or population health, the technology will only work if it is secure.
Legacy Information Technology Infrastructure
Utilization of legacy software and systems plagues health and public health organizations, given their useful lifespans, many of these antiquated technologies were not built with cybersecurity in mind. While these systems could still be clinically useful, many may run insecure software and hardware, which leaves them vulnerable to attacks. For example, recent research suggests that an estimated 83 percent of medical imaging devices used throughout U.S. healthcare systems are currently running on outdated operating systems. However, for some hospitals and public health organizations, it is not financially feasible to replace these technologies even with the increased concern among health professionals for cyberattacks.
Medical Record Systems and Medical Devices Security
Healthcare organizations have long been an attractive and lucrative industry for threat actors because personal health information (PHI) is more valuable on the black market than many other types of personally identifiable information (PII). This information is exchanged throughout the public health system which is comprised of all public, private, and voluntary entities that contribute to the delivery of essential public health services within a jurisdiction. Therefore, cyber criminals have a higher incentive to target medical databases for personal gain. According to the U.S. Department of Health and Human Services, more than 15 million health records have been compromised due to data breaches. A public health system where information and data is exchanged securely and promptly with clinicians improves the coordination of care throughout each functional level. If the real-time flow of information and data is blocked – due to interoperability challenges or a security breach – then effective therapeutic interventions cannot be delivered. With the proliferation of electronic health record technologies within the critical functions of the HPH sector, it is vital for key stakeholders to address and manage the risks associated with cyber threats to HPH systems.
For example, due to the COVID-19 crisis, hospitals are using patient monitoring devices, such as vital-sign sensors, more than ever. These patient monitoring devices can be used remotely and deliver critical information to medical professionals to adequately treat a patient’s needs. Enabling devices to have remote access, however, increases the attack surface due to its increasingly networked and wireless nature. Medical device manufacturers are required by the U.S. Food and Drug Administration to comply with security regulations that include monitoring, identifying, and addressing cybersecurity vulnerabilities in medical devices once they are on the market.
Cybersecurity threats and vulnerabilities can impact the confidentiality, availability, and integrity of IT networks and the medical devices connected to these networks. A distributed denial-of-service (DDoS) attack could potentially have devastating physical consequences for patient care if systems are compromised and contribute to a loss of confidence in healthcare providers.
Preparedness and Readiness Challenges
Within the healthcare industry, professionals are focused on providing quality patient care. They understand how to use technologies to make more accurate diagnoses and provide better treatment to patients but may not easily understand the risks surrounding cybersecurity. Many health organizations have limited funding for cybersecurity resources, limited education and awareness programs for healthcare professionals, and lack dedicated cybersecurity personnel. With the magnitude of the threat growing exponentially, the funding required to secure this information has lagged in comparison to other industries. The primary focus for any HPH organization is care, but stakeholders also must shore up their defenses to protect their digital infrastructure.
Lack of investment is not only a challenge in the private sector. Members of public health departments also report that without experiencing a security breach or data loss, many have difficulty demonstrating the importance of cyber protections and how proactive risk mitigation can save money and protect against damage long-term. In a survey conducted by the National Association of County and City Health Officials (NACCHO), local health departments (LHDs) ranked cybersecurity as one of their top three concerns. Yet, when it comes to specific preparedness actions, like running a cyberattack exercise, LHDs most often report that they have not conducted preparedness activities in this topic area. In a survey delivered to emergency managers within a statewide hospital association found that only a third of respondents had an all-hazards plan and a continuity of operations plan that could be used during a cyberattack. Making the decision to prioritize and resource cybersecurity in public health will require organizational culture shifts, increased financial resources, the appropriate personnel and support from leadership to create a robust cyber preparedness plan. Agencies must also consider applicable federal and state legal requirements for ensuring the security of electronic health records, such as the HIPAA Security Rule.”
Current Threat Landscape for Healthcare and Public Health Organizations
With healthcare resources being stretched due to the COVID-19 response, cybercriminals have increased the number of attacks targeting hospitals and government public health organizations.
Cyber espionage: Russian, Chinese, North Korean and Iranian hacking organizations have used COVID-19 as a lure in their campaigns. A cybersecurity firm reported that a Chinese hacking group, Advanced Persistent Threat 41 (APT41),[3] carried out a broad hacking campaign during the onset of the pandemic. APT41 is a sophisticated Chinese state-sponsored group that specializes in espionage against healthcare, high-tech, and political interests. This campaign sought to exploit vulnerabilities in networking equipment, cloud software, and telehealth services during this pandemic.
Social Engineering: Hackers use social engineering to manipulate the natural human tendency to trust and gain access to sensitive information. The FBI issued a warning to alert the general public that nefarious culprits are quickly adapting their social engineering tactics, techniques, and procedures to take advantage of the current public health emergency. Credential phishing campaigns have directly targeted U.S. healthcare organizations with emails that claim to provide COVID-19 financial relief to adults.
Ransomware: There has been a significant increase in the number of attempted ransomware attacks against health and public health organizations. Cybercriminals are using ransomware to hold hospitals and medical services hostage unless a ransom is paid. As most organizations have moved to a remote workforce, hackers have identified a new target: virtual private networks (VPN). Once a network is infiltrated, adversaries can perform thorough reconnaissance, gaining privilege and access to systems based on security weaknesses.
Actors are also employing social engineering related spoofing, smishing, and vishing techniques to give off the impression of authenticity, which leverages the misplaced trust in the security of phone services.
Cybersecurity Best Practices for Health and Public Health Organizations
Define and Streamline Cyber Governance: Cybersecurity is an elected official or C-suite level issue, as senior leaders are owners of any associated risk due to the negative impacts cyberattacks may have on the entity overall. As the chief executive of their state, for example, governors have a strong leadership role to play in mitigating cyber risk. Cyber resilience can only be achieved with active engagement from the top. While assuming the responsibility as risk owner, senior leadership should delegate cyber risk management experts to drive an enterprise wide cybersecurity strategy. The cybersecurity leader helps to define roles and responsibilities and coordinates with relevant stakeholders to adopt a cybersecurity framework. Any good governance model should actively include non-traditional personnel outside of IT professionals and device manufacturers (i.e., Administrators, HR personnel, Finance and the Emergency Management departments). This holistic approach ensures cybersecurity is effectively communicated to leadership to gain stakeholder buy-in to increase resources availability.
Upgrade or Secure Legacy Systems: Health and public health organizations must: (1) take inventory of their clinical environments and document unsupported operating systems, devices and electronic health record systems; (2) replace or upgrade legacy or unsupported systems where possible; (3) leverage network segmentation and other risk reduction tools to increase the security and resilience ofmedical devices and health information technology.
Employ Identity and Access Management Tools: Defining the roles and access privileges of users and the circumstances in which users are granted or denied those privileges is the cornerstone of any secure network. By ensuring that employees only have access to data that is essential to their jobs, organizations can significantly limit the scope of their potential attack surface. Tools like multifactor authentication –two-factor authentication, especially for remote access, ensures that a compromised password cannot alone be used to gain access– provide greater assurance.
Improved Cybersecurity Awareness and Education: HPH organizations must effectively convey to employees the heightened risk of social engineering attacks tied to COVID-19 that exists at the present time. In addition, employers must also provide their workers with the knowledge and tools they need to effectively handle and defuse any attempted social engineering attacks they may encounter. In particular, organizations should properly educate their workforces on how to spot and address social engineering scams in real time. Beyond training employees on how to identify these attacks, employers should provide their workers with guidance on proper cybersecurity practices to follow.
Improve information sharing of industry threats, risks, and mitigations. Information should be tailored in a way that makes for easier consumption by small and medium-size organizations that rely on limited or part-time security staff. Organizations should consider joining the Health Information Sharing and Analysis Center (H-ISAC) to have a broad scope and further reach when it comes to information sharing across the healthcare industry. Organizations should focus on creating more effective mechanisms for disseminating and utilizing data from the H-ISAC.
Response Planning: It is imperative for healthcare and public health organizations to implement and maintain incident response and disaster recovery plans that can be activated immediately with adequate resources to respond to an executed cybersecurity attack mentioned above. Organizations should also review their plans with key personnel to ensure that everyone is up-to-speed on their roles and responsibilities in the event the plan needs to be put into action. Exercising incident response plans helps all relevant stakeholders to deconflict contingencies and quickly address lesson learned to improve such plan.
Conclusion
Cyber criminals are continually adjusting their tactics to take advantage of new situations and the current COVID-19 public health crisis is no exception. Malicious actors are working feverishly to take advantage of the public’s concern over the health crisis and its high appetite for COVID-19-related information, which presents a prime opportunity to utilize social engineering methods to deliver malware and ransomware, therefore stealing user credentials. As the world continues to grapple with the COVID-19 pandemic, public health and healthcare organizations must sufficiently invest in resources to mitigate risk and reduce vulnerabilities resulting from software, hardware, and humans relying on both to deliver critical services.
For questions or concerns related to the contents of this memo, please contact NGA staff:
- Khristal Thomas (kthomas@nga.org; 202.624.7810)
- Maggie Brunner (mbrunner@nga.org; 202.624.5364)
Funding for this memo was made possible (in part) by the Centers for Disease Control and Prevention. The views expressed do not necessarily reflect the official policies of the Department of Health and Human Services.
For more on the current threat landscape and additional recommendations to address these issues, see NGA’s Cybersecurity and COVID-19 Memorandum, which details recommendations for state governments looking to collaboratively encourage cyber resilience for private sector healthcare partners.
All NGA COVID-19 memos can be found here, or visit COVID-19: What You Need To Know for current information on actions States/Territories are taking to address the COVID-19 pandemic; as well as advocacy, policy, and guidance documents for protecting public health and the economy.