'We're not going to solve this through magical thinking': What hospitals need to combat cyber threats

Two health systems experienced cyberattacks in September that forced their IT networks offline for multiple days.

On Sept. 20, Nebraska Medicine reported it was forced offline due to a security incident. The health system also provides EHR support for several other Nebraska-based hospitals and health systems, forcing them offline for a week to 10 days while the systems recovered.

King of Prussia, Pa.-based Universal Health Services reported an IT security incident on Sept. 27 that shows the characteristics of a ransomware attack. "Many ransomware attacks today have evolved to double extortion. Usually, the attacker would exfiltrate a copy of the data before encrypting them," said Bindu Sundaresan, director of AT&T cybersecurity. "This way, the attacker not only prevents the victim from accessing their data, but also keeps a copy of the data for themselves. In order to claim responsibility and pressure the victim during the negotiation process, the attacker will often release small portions of the data online. If the negotiation turns out badly, the attacker then publishes all of the exfiltrated data or sells them to third parties."

The attacks are essentially a combination of a ransomware attack and a data breach, and victim organizations feel helpless when hit by double extortion attacks because their compromised databases likely contain proprietary information that would be destroyed then published or sold, said Ms. Sundaresan. "So, it's a double threat."

UHS was forced to go offline at all 250 locations across the U.S. to mitigate the attack and is still working on recovery efforts. The facilities have had to postpone services and elective surgeries, re-route ambulances in some cases and care for patients without their prior medical records at their fingertips.

Hospital and health system CIOs are reflecting on these incidents, making sure their systems are patched and sending out updated information to their organizations about avoiding suspicious emails and practicing good IT hygiene. However, cybercriminals aren't likely to stop targeting hospitals any time soon. Mitch Parker, executive director of information security and compliance at Indianapolis-based Indiana University Health sees them continuing.

"With the upcoming presidential election and global pandemic, we are seeing a significant upswing in cyberattacks," he said. "These attackers continue to probe for weaknesses and leverage them to their anticipated financial advantage. These current attacks highlight the measures that organizations need to take to protect themselves in this current very uncertain situation."

The upcoming implementation of the applications programming interfaces for the CURES Act final rule, increase in telemedicine and distributed workforce using mobile devices and working remotely all make healthcare providers more vulnerable to cyberattacks. Mr. Parker urges organizations to be vigilant in security controls and collaborate with peers and share threat intelligence to combat future attacks.

"We're not going to solve this through magical thinking," he said.

Health systems can either build their own cyber defenses or outsource. Billings (Mont.) Clinic relies on industry partners to provide a robust security operations monitoring center to its networks because effective cybersecurity programs are so complex. "These partners bring top-notch cybersecurity staff into every potential issue," he said. "This has helped position our organization with an effective managed detection and response by helping us find bad actors quicker."

Jesus Delgado, vice president and CIO of Community Healthcare System in Munster, Ind., is always keeping a careful eye on the companies and technologies coming across his desk promising to tighten security. Making a mistake could be costly for the health system.

"The market is filled with cybersecurity technology options and every day there is a better 'mouse trap' offering," he said. "We cannot afford to be distracted; we need a comprehensive plan, we need to execute on it quickly, and we need to be ready to realign our cybersecurity program priorities without losing focus."

More articles on cybersecurity:
'It's not a good week for healthcare': Health system IT execs react to recent ransomware attacks
Google Maps starts showing COVID-19 outbreaks & 13 other key notes
Ascension move to outsource IT will eliminate 'a few hundred' jobs

© Copyright ASC COMMUNICATIONS 2020. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Featured Content

Featured Webinars

Featured Whitepapers