On Oct. 28, 2020, three federal agencies (the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the Department of Health and Human Services) issued a joint advisory warning that cybercriminals were planning to increase attacks against the health care and public health sector, with a greater emphasis on using ransomware for financial gain.
Hospitals are particularly vulnerable to cyberattacks based on the quantity of computing devices they deploy; the security firm Zingbox determined U.S. hospitals average 10 to 15 connected devices per bed.
And the quantity of potential cyberattack targets within hospitals is matched by the paucity of resources devoted to protecting them from digital intruders. Research published in the Journal of Medical Systems found the average health care organization spends about 5% of its IT budget on cybersecurity, while the vast majority of funds are allocated to new medical technologies.
When hospitals are hit with a cyberattack, the results can be fatal. Another cybersecurity firm, Censinet, recently published a report that found nearly one-quarter of health care organizations that were hit with a ransomware attack in the last two years reported increases in patient death rates following the digital assault.
For James Kudla, general manager at Tarrytown’s Tarrytech, which was acquired by CompassMSP in July, a health care institution’s first line of defense against cyberattacks is to acknowledge there is an excellent chance it will be targeted.
“Nobody thinks it’s going to happen to them,” he said. “You have to live in what we call an ‘assumed breach’ world. You can either approach it from a position of power and get under it and avoid yourself a ton of pain and heartache, or you can wait and maybe it will put you out of business.”
Kudla acknowledged that hospitals became very attractive targets for ransomware attacks during the Covid-19 pandemic, when they saw dramatically increased patient admissions that came with a new wave of confidential data being entered into computer networks.
“They basically want ransom or they’re going to take all of your personally identifiable information and put it on the dark web,” he said about the cybercriminals. “The reason that they’re being targeted is because there was a sense of urgency during the pandemic for their networks to be up and running.”
Kudla advised the executive levels within hospitals to make cybersecurity planning their responsibility and not shuck it off to the IT department.
“It really has to come from leadership,” he said. “A plan can happen from people that are managing your network or the people that are using your network, but your organization has to decide that you’re going to get serious about cybersecurity and you’re going to do something about it.”
Kudla said that the entire hospital workforce needs to be cognizant of cybersecurity threats, especially in pandemic-era environments that encourage remote work.
“When the pandemic hit and people were working from home, people put whatever remote access systems in place they needed to do their job,” he said, noting that personal computers in a home office might not have the same security features as their workplace devices, and thus become a major vulnerability.
“As long as you get your job done, nobody realizes that they’ve opened up a giant security hole,” he added. “You need to train your employees so that they know what they’re doing.”
Kudla advised against bringing computing devices from home into a health care setting and recommended having a separate wireless network where passwords have to be changed every 90 days along with a two-step authentication process for workplace email accounts. He also pointed out that relatively simple cybersecurity training tips, such as not clicking on an unfamiliar link in an email and never sending sensitive information in an unencrypted email, should not be overlooked.
A crucial element of a hospital’s cybersecurity plan, Kudla continued, is ensuring all data is properly backed up in case a ransomware attack locks up its crucial information. But he cautioned that “not all backup is created equal” and each hospital needs to scale its backup solutions to meet its specific needs.
“You need to understand how many copies of the backup you have and how long the backup is good for,” he said. “Is it 10 days, 30 days, five years? And you need to have a copy that is not only on-premise, but you also need to have a copy that is going to be off-site so the bad actors wouldn’t be able to access that data from your local network.”
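Kudla’s questions above (how many copies exist, how long they are kept, and whether one copy sits off-site where an intruder on the local network cannot reach it) can be turned into a check that runs over an inventory of backup copies. The following is an added example written for this article, not code from Tarrytech or CompassMSP. The inventory it runs over is constructed, and the class fields, the function names `evaluate_dataset` and `evaluate_inventory`, and the policy thresholds (three copies, 30 days of retention, a backup no older than a day, a restore test within 90 days) are assumptions for the example rather than anything the article prescribes. It also checks two things the quote does not mention, because a practitioner would: that at least one copy is immutable, since a copy that ransomware can delete is not a backup, and that a restore has actually been tested recently.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of a dataset. Field names are assumptions for this example."""
    dataset: str
    location: str               # e.g. "onprem-nas", "cloud-bucket", "offsite-tape"
    reachable_from_lan: bool    # could a compromised LAN host reach and delete it?
    immutable: bool             # object-lock / WORM / offline media
    retention_days: int         # how long restore points are kept
    last_success: datetime      # last completed backup run
    last_restore_test: Optional[datetime] = None  # last verified restore, if any


@dataclass(frozen=True)
class Policy:
    """Thresholds are illustrative; each hospital scales them to its own needs."""
    min_copies: int = 3
    min_retention_days: int = 30
    max_backup_age_days: int = 1
    max_restore_test_age_days: int = 90


def evaluate_dataset(copies: List[BackupCopy], policy: Policy, now: datetime) -> List[str]:
    """Return a list of findings for one dataset; an empty list means compliant."""
    if not copies:
        return ["no copies at all"]
    findings: List[str] = []
    if len(copies) < policy.min_copies:
        findings.append(f"copies: {len(copies)}, policy requires {policy.min_copies}")
    # At least one copy must be out of reach of an attacker on the local network.
    if not any(not c.reachable_from_lan for c in copies):
        findings.append("no copy isolated from the local network")
    # At least one copy must be immutable so ransomware cannot encrypt or delete it.
    if not any(c.immutable for c in copies):
        findings.append("no immutable copy")
    # The longest-kept copy must cover the minimum retention window, so that a
    # restore point from before a slow-burning compromise still exists.
    longest = max(c.retention_days for c in copies)
    if longest < policy.min_retention_days:
        findings.append(f"longest retention {longest}d, policy requires {policy.min_retention_days}d")
    # Every copy must have succeeded recently; a silently failing job is no backup.
    for c in copies:
        age = now - c.last_success
        if age > timedelta(days=policy.max_backup_age_days):
            findings.append(f"{c.location}: last success {age.days}d ago")
    # A backup that has never been restored is unproven.
    tests = [c.last_restore_test for c in copies if c.last_restore_test is not None]
    if not tests or now - max(tests) > timedelta(days=policy.max_restore_test_age_days):
        findings.append(f"no restore test within {policy.max_restore_test_age_days}d")
    return findings


def evaluate_inventory(copies: List[BackupCopy], policy: Policy, now: datetime) -> Dict[str, List[str]]:
    """Group copies by dataset and evaluate each dataset against the policy."""
    by_dataset: Dict[str, List[BackupCopy]] = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)
    return {name: evaluate_dataset(group, policy, now) for name, group in by_dataset.items()}


# Constructed inventory for the example (not real hospital data).
NOW = datetime(2021, 11, 1, 8, 0)
COPIES = [
    # EHR database: local copy plus two copies the LAN cannot reach, one restore-tested.
    BackupCopy("ehr-db", "onprem-nas", True, False, 14, NOW - timedelta(hours=6)),
    BackupCopy("ehr-db", "cloud-bucket", False, True, 365, NOW - timedelta(hours=7),
               last_restore_test=NOW - timedelta(days=20)),
    BackupCopy("ehr-db", "offsite-tape", False, True, 5 * 365, NOW - timedelta(hours=12)),
    # PACS imaging: a single on-premise copy whose last run succeeded five days ago.
    BackupCopy("pacs-images", "onprem-nas", True, False, 30, NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    for dataset, findings in evaluate_inventory(COPIES, Policy(), NOW).items():
        print(f"{dataset}: {'OK' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

Run against the constructed inventory, `ehr-db` passes and `pacs-images` fails on five counts: one copy instead of three, nothing isolated from the LAN, nothing immutable, a five-day-old last success, and no restore test. Feeding the checker a real inventory (exported from the backup product) is the practical version of the question in the quote.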
Kudla observed that there is one element unique to the hospital setting that opens a potential back door to cyberattacks.
“If you have a waiting room and you have patients, you want to be able to offer them wireless, right?” he said. “In most places, people expect that at this point. But if somebody’s got a compromised PC or smartphone and they’re going to be joining the same network that has your corporate computers and servers, you can clearly understand where the risk could be.”
A solution, according to Kudla, is ensuring patients and other visitors in the hospital are kept on a separate network and cannot access the organization’s network and its valuable data.
Kudla lamented that “nobody wants to focus time, attention and money on this stuff,” while warning that cyberattacks cannot be viewed as something that only happens to other people.
“You’re going to need to deal with it,” he said. “The sooner you realize that, the better off you’re going to be.”