Ransomware attacks on hospitals and health systems have continued during the pandemic, raising key cybersecurity considerations about infrastructure disruptions and COVID-19 test data integrity, according to security expert Jeff Tully, MD.
Dr. Tully wears multiple hats as a pediatrician, anesthesiologist and security researcher affiliated with University of California Davis Medical Center. And while cybersecurity hygiene is very important for hospitals and health systems during the pandemic, he told Becker's Hospital Review that he recognizes many organizations' resources are currently spread thin.
COVID-19 has caused hospitals and executives to spread their priorities and resources thin, making it even more challenging to focus attention on cybersecurity challenges like ransomware attacks, which were significant issues for healthcare cybersecurity even before the pandemic. Dr. Tully credited the security and hacker community and organizations like Cyber Volunteers 19, which have stepped up during the pandemic and are providing cybersecurity support for healthcare workers on the front lines.
"At a time like this, I'm definitely a physician first and a security researcher second," Dr. Tully said. "I empathize with everyone who is working on the front lines. As an anesthesiologist, I'm taking care of critically ill patients and patients undergoing surgery, and I think right now it's just really important to focus on the basics and practice good medicine first."
Here, Dr. Tully discusses the cybersecurity challenges associated with COVID-19, from testing platforms to security incidents that are difficult to detect.
Editor's note: Responses have been lightly edited for clarity and length.
Question: What impact will the COVID-19 pandemic have on hospital cybersecurity?
Dr. Jeff Tully: COVID-19 is a huge disruption to the healthcare system. Even before COVID-19, there were several significant challenges with healthcare cybersecurity. First being the amount of resources you could devote to it. Healthcare is typically an industry with razor-thin margins, and it's often very challenging to find the resources needed to hire professionals, put the systems in place and work on some of these sort of quintessential foundational security issues. Now you're looking at major health systems experiencing billion-dollar impacts and shortfalls as a result of disruptions associated with COVID-19, so it's even more challenging to dedicate attention and resources to a sort of tangential issue in the pandemic. Cybersecurity is still important and necessary, but obviously during this time it's really challenging to sort of get the attention and resources to address the challenges that existed before COVID-19.
Before the pandemic, we were actually making some headway and seeing some improvements in awareness and prioritization. For some of the security research work I was doing, I was talking with institutions even as early as January or February, and we were looking at ways we could run tabletop exercises for cybersecurity contingencies.
Q: What cyber threats do hospitals need to consider as telemedicine and remote monitoring technologies continue to become more commonplace?
JT: We've seen an absolute explosion in the number of telemedicine visits that clinicians and health systems are executing, so there is a host of security considerations and concerns with essentially building a telemedicine platform from scratch. But we're also seeing the possibility for very real clinical implications as well. Ransomware attacks are continuing unabated even during the pandemic, and organizations like Interpol actually say there may be some evidence of increase and more attacks on health systems.
Q: How can ransomware and other cyberattacks disrupt hospital operations, especially during the pandemic?
JT: These are disruptions to health infrastructure that can have actual, tangible outcomes in situations like COVID-19 where delays in care can lead to morbidity. That's just scratching the surface, but even getting into the concept of data integrity, or whether you can trust the reliability of information. That's obviously a key foundational concern with testing platforms. We've done some research before that shows it is possible for certain types of networks that don't have great encryption to manipulate certain lab protocols. For example, imagine you're a health system and you have a new COVID-19 testing system that you're using, and suddenly there's an attack such that you may not be able to trust the validity of the results. There's probably nothing more crucial or important in healthcare at this moment than the ability to reliably test for COVID-19. So, unfortunately even though the resources or the attention may not be there, cybersecurity is still an incredibly important issue for healthcare.
Q: Is there a way to prevent these types of attacks and data manipulation?
JT: The concept of data integrity attacks is something that my colleague Christian Dameff, MD, medical director of cybersecurity at UC San Diego, and I have explored in the past and demonstrated on critical concepts basis. It really requires a robust security presence and the ability to conduct detailed forensics to be able to know the degree to which these types of attacks may or may not be going on in hospitals. Obviously a ransomware attack that shuts down your systems and locks you out is fairly easy to detect, but there are a host of more subtle and not quite as dramatic incidents that may be harder to detect, particularly if you're a smaller, midsize hospital or a critical access rural hospital. That's a point we'd make before the pandemic with the ability to resource teams to monitor and detect these types of instances.
Q: Why would a hacker want to attack the integrity of COVID-19 data?
JT: I think there are certain subsets of people who are motivated to do these cyberattacks from the financial aspect. They don't really mind that there's a pandemic going on or that people may be particularly vulnerable, and I think that is consistent with what most law enforcement agencies including Interpol have said, which is these organizations and actors are becoming increasingly opportunistic because of the ongoing situation.
I think there's also an important point to realize, which is that a lot of these episodes, including even ransomware, they can often be automated and they can be very indiscriminate in the sorts of systems they are attacking, so if you have someone who writes a malware program and then kind of just releases it into the wild, there may be no active consciousness behind how that spreads and it may be simply infecting systems from an opportunistic standpoint without any sort of intent. That's why we say the digital boundaries of the internet don't necessarily stop at the walls of a hospital. Sometimes these programs aren't even aware that what they're targeting is critical hospital infrastructure versus some of these personal computers.