Healthcare News & Insights

3 ways hackers are exploiting COVID-19 to attack hospitals

The COVID-19 crisis has prompted unprecedented change and collaboration across the healthcare industry. Examples include institutions launching operational reorganizations, sharing data between competing health systems, and calling on clinical volunteers to help respond to and prepare for the new wave of cases across the country. 

Cyber-criminals, however, are seizing the opportunity created by this massive disruption to infiltrate hospital information systems. In April, INTERPOL warned healthcare providers of the increased number of attacks to “hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid.” One such hospital, Parkview Medical Center in Pueblo, CO, was a victim of such an attack the same month. Only weeks later, the information systems for Fresenius Group, the largest private hospital operator in Europe, were partially shut down after a successful ransomware attack.

Numerous factors contribute to a hospital’s risk of falling victim to cybercrime during the pandemic. Three of those red flags include:

1. Staff exhaustion

Cybercriminals just need one person off guard at the wrong time for a noxious hack to occur. With frontline clinicians working overtime, their understandable exhaustion may cause them to be less vigilant when encountering an official-looking email that’s a social engineering cyberattack designed to steal credentials. COVID-19 has been a common theme in the fraudulent emails used by cybercriminals. For example, emails from an attacker may appear to be from a colleague and request the recipient to click a seemingly benign link or open a document about COVID-19 – only to have a virus unleashed on the network.

2. Home-workers’ personal networks and unsecured IoT devices

Requiring so many staff to work from home is another massive change that hospitals and health systems executed at an extraordinary pace. Gil Shwed, CEO of cybersecurity firm Check Point, recently characterized the massive operational shift this way: “What happened in the last three months pushed forward five, maybe even 10 years of technological evolution. … This rapid change means hackers will find a way … The hackers can find a way to hack a personal computer of an employee and through them get into our Crown Jewels.”

A key vulnerability of staff members working from home is their hospital laptops sit on both the home network and the hospital’s enterprise network via a Virtual Private Network (VPN). This favors the cyber-attack technique called “Island Hopping,” where the cybercriminal edges closer to the laptop by exploiting easier vulnerabilities available around the target, gathering information and credentials. With staff working from home, using laptops sitting both on the controlled hospital network and less-controlled home networks, Island Hoppers have a new playground.

3. New connected medical device vulnerabilities

Another IoT (Internet of Things) risk hospitals are facing is within their facilities, namely medical devices and the hospital network. In such cases, the risk introduced by these devices depends greatly on the security of the hospital’s medical device integration (MDI). For example, ventilators, which are typically not connected devices, are becoming increasingly integrated for safe and efficient clinical surveillance of patients with COVID-19. An unsecured or minimally secured MDI solution could increase the hospital’s attack surface as more devices are connected, raising the level of risk on hospital information systems, but also on patient safety.

How hospitals can protect themselves

Despite these challenges and the operational disruption that still exists for many organizations, hospitals can protect themselves from the potential increase of opportunistic cybersecurity issues and attacks.

For staff working from home and within hospital facilities, multi-factor authentication, where the user signs in to an application or network with a password and another identity confirmation method, such as a personal identification code sent to her mobile device, is essential to limit vulnerability to phishing’s adverse consequences. This authentication method will protect access to the VPN and, in turn, the entire hospital network.

Within the hospital, using IoT security solutions to continuously scan and analyze all activity on and around the hospital networks is a best practice for early detection and for efficiently adding new devices and clinical systems without a compromise to the overall security. Such a strategy will help hospitals determine when a new device on the network is legitimate while controlling the network behavior of each device and optimizing the network defenses. This can help also detect suspicious activities from a home worker’s laptop used as an Island-Hopping step.

Although the previous helps detect potential issues, healthcare organizations need first to protect their assets. On top of the usual IT technologies such as network segmentations and firewall, medical devices, one of the most important assets, can be better protected with a security-efficient MDI infrastructure. Not only will it not increase their attack surface while expanding the number and variety of medical devices in their fleet, but it also can make securing medical devices less complex by allowing a more homogenous design to their protection.

Applying lessons learned

A cybersecurity plan can’t be designed and deployed in a day, especially in the middle of a public health emergency. In the meantime, hospitals can establish some safeguards while educating staff and clinicians on security threats. After the pandemic has subsided, hospitals can learn from the threats posed during the crisis, and develop a robust, flexible and proactive security strategy that protects patient and institutional data no matter where devices or staff are located.

Author: Christophe Dore is a senior manager overseeing hardware products and cybersecurity at Capsule Technologies.

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.