
Inside Medical Liability

Third Quarter 2021

TECH TALK

A Prescription Plan Healthcare Providers Should Not Avoid

Follow these 5 steps to avoid cyberattacks

Let’s evaluate and clearly define the issue of cyber-attacks from the perspective of a cyber carrier.  

By Desiree Khoury

In the past few years, the frequency and severity of cyberattacks have increased at a staggering rate.

If you read the headlines, it seems as though these attacks confine themselves to large hospitals or corporations. Little is known publicly about the attacks we see regularly: individual providers, small groups, and facilities that don’t recover easily from hacks or ransomware attacks.

The key objective of almost all of these attacks is financial gain. The attackers seek to exploit weaknesses within cybersecurity systems to gather information with the ultimate goal of profiting at the expense of the exploited organization.

The devastating SolarWinds incident, in which foreign hackers spied on elite cybersecurity firm FireEye, Intel, the California State Department of Hospitals, the U.S. Department of Homeland Security, and the U.S. Treasury Department, began with an Office 365 infiltration.1 The attackers then went on to exploit weaknesses in an obscure but frequently updated IT-management software called Orion. Many of the victim organizations were unaware they were using this software until their security officers were alerted by the private firm FireEye.

FireEye was the first organization to detect the breach within their own system.2 If you aren’t aware of what’s happening inside your own system or network, you may want to have your own trusted IT specialist take a look so that you can find out before someone else tells you.

The last thing you want is a breach or ransomware event that becomes the trigger forcing you to do this kind of inventory. Reaction is always more costly than proactive maintenance. Protecting your organization from cyberattacks is a critical function that must include repeatable, effective processes designed to detect these attacks as early and quickly as possible. Whether you’re a large or small organization, the attacks, the preventative steps, and the prescribed mitigating measures follow a pattern, which we’ll explore in this article.

Cyberattack prevention

A prescribed cyberattack prevention plan must include an end goal, information, instruction, and warnings. Along similar lines, you’ll want to assess and strengthen your organization’s basic “cyber hygiene” practices sooner rather than later. Cyber hygiene refers to the steps involved in maintaining computer and online system health and improving overall cybersecurity throughout your organization.

These practices are important because hacking and ransomware attacks are often triggered by phishing emails, malware that gets through weak antivirus protection, or reliance on weak passwords. One big fear we often hear expressed is the potential for cyberattack against medical devices, which are now almost always connected to networks and the internet. No one wants to imagine the outcome of a situation in which a medical device such as a pacemaker gets held hostage by hackers. Although these types of concerns are valid, fortunately, a medical device scenario has not actually taken place to date. White-hat hackers, the good guys who try to stay ahead of the malicious actors out there, have shown medical device cyber theft is possible, but, so far, this level of malicious hack seems unlikely. The difference between such a scenario and something like the recent Colonial Pipeline attack is what the hackers stand to gain—they’re oftentimes looking for a quick payoff and maximum pressure on the target organization.3

This is why your cybersecurity strategy should be focused on what’s most likely to happen: a hacker compromising your network whose goal is to make a quick profit. It’s a nightmare scenario for healthcare providers. Just ask staff at Irish hospitals, who came to work on the morning of May 14 only to find their computer screens dark.4 The IT systems for Ireland’s health service experienced a ransomware attack that forced cancellation of many appointments, cut off access to patient records, disrupted lab tests, and delayed COVID-19 testing.5 As of late June, significant impairment continued for Ireland’s health service, with IT teams working around the clock to restore functionality.6

In recent years, healthcare professionals have adapted to using technology to assess, monitor, and manage patient health, but, in many cases, strong practices around cybersecurity have not kept pace with the rapid growth and adoption of new and connected devices. It can be difficult to know where to start, but an event like the SolarWinds hack or the recent oil pipeline hijack quickly refocuses our attention.

Adopt this 5-step plan

In a prescription plan, there should be regular monitoring to evaluate the effectiveness of the plan and the specific remedies in the event of a breach. We suggest asking yourself these questions and taking the necessary steps to address them:

1. Where do you keep the crown jewels? In cyberspeak, the crown jewels refer to mission critical information, otherwise known as sensitive patient or academic data. That’s what your potential hacker will target. Expensive medical equipment is not considered valuable unless it contains data that will make the stakes high for the victim organization.

2. Is that information protected by layers of defense? Is this database secure? Does it require two-factor authentication for a select group of users? Is it backed up regularly in a segregated, perhaps cloud-based environment? Ideally, you should implement multifactor authentication, next-generation antivirus software, email filtering, and segregated cloud backups. These are the threat prevention measures that will be most helpful to avoid falling prey to malicious actors. Your IT consultant should advise on viable vendors to put these “table stakes” measures in place.

3. Do you double-check your vendors’ cybersecurity practices before contracting with them? Hackers are not always looking to access your network directly. Like in the SolarWinds case, their target can be another company that your systems interact with, or vice versa. They are most likely looking for a side door you forgot to lock—which could actually be a partner or vendor’s interface with your systems. Still, under the Health Insurance Portability and Accountability Act, the responsibility for safeguarding patient data does not transfer to those third parties; it’s yours. The impact can be harsh. The 2019 cost of a healthcare breach was about $408 per patient record, not including the costs of lost business, productivity, and reputation.7 Those costs can drive some smaller practices straight out of business, which is exactly what happened to Wood Ranch Medical in Simi Valley, California, in 2019.8

4. In the event of a cyberattack, could you operate without access to the network or server? If hacking occurs, having a backup plan to ensure you remain functional is a necessity. Make sure you have policies and procedures in place and ensure that your partners do as well. We recommend an Incident Response Plan that includes immediate actions required, as well as accountability for each step taken.

5. Are you and your employees trained to identify suspicious emails and avoid clicking on dangerous links and attachments? Human error is still a major source of hackers gaining access to company networks. Implement a training program and conduct follow-up sessions annually. In addition, a phishing simulation can help assess your and your employees’ readiness to defend against cyberattacks.

To keep your organization protected, it is imperative that you understand your current vulnerabilities, implement best-in-class prevention products and mitigation strategies, and educate your team. Unfortunately, cyberattack education is the exception rather than the norm, which is why 75% of doctors and hospital administrators recently reported feeling “inadequately trained or unprepared to mitigate cyber risks that may impact their hospital,” according to research from Abbott.9

Comply with the Safe Harbor Act

Encouragingly, the recently enacted Safe Harbor Act legislation may reward U.S. companies for upgrading their cybersecurity posture. That is, companies may be able to avoid fines from the Department of Health and Human Services and the Federal Office of Civil Rights if they can show they are making a good-faith effort to identify, protect, detect, respond, and recover from cyber threats.10

Clearly, MPL insurers, healthcare organizations, providers, and other MPL stakeholders have a vital interest in securing their systems and preventing cyberattacks. Don’t let this priority slip off your radar—lapses could not only be costly financially but also from a liability standpoint.  

References
1. “The US is Readying Sanctions Against Russia over the SolarWinds Cyber Attack,” Business Insider, April 15, 2021, https://www.businessinsider.com/solarwindshack-explained-government-agencies-cyber-security-2020-12.
2. “Scope of Russian Hacking Becomes Clear: Multiple U.S. Agencies Were Hit,” The New York Times, Dec. 14, 2020, https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-securitypentagon.html.
3. “Cyberattack forces a shutdown of a top U.S. Pipeline,” The New York Times, May 8, 2021, https://www.nytimes.com/2021/05/08/us/politics/cyberattack-colonialpipeline.html.
4. “10 days after ransomware attack, Irish health systems struggling,” ABCNews.com, May 25, 2021, https://abcnews.go.com/International/10-daysransomware-attack-irish-health-systemstruggling/story?id=77876092.
5. “Irish Hospitals Are Latest to Be Hit by Ransomware Attacks,” The New York Times, May 20, 2021, https://www.nytimes.com/2021/05/20/technology/ransomware-attack-ireland-hospitals.html.
6. “HSE Cyber Security Incident,” Ireland Health Service, June 21, 2021, https://www.hse.ie/eng/services/news/media/pressrel/hse-cyber-security-incident.html.
7. “Healthcare’s number one financial issue is cybersecurity,” Healthcarefinancenews.com, July 30, 2019, https://www.healthcarefinancenews.com/news/healthcares-number-one-financial-issue-cybersecurity.
8. “Wood Ranch Medical Announces Permanent Closure Due to Ransomware Attack,” HIPAA Journal, Sept. 30, 2019, https://www.hipaajournal.com/woodranch-medical-announces-permanent-closure-due-toransomware-attack/.
9. “A Prescription for Better Healthcare Cybersecurity Strategies in the New Year,” BeckersHospitalReview.com, Feb. 8, 2019, https://www.beckershospitalreview.com/healthcare-information-technology/a-prescription-forbetter-healthcare-cybersecurity-strategies-in-the-newyear.html.
10. “An Introduction to the Components of the Framework,” U.S. Department of Commerce National Institute of Standards and Technology, May 14, 2021, https://www.nist.gov/cyberframework/onlinelearning/components-framework.

Desiree Khoury is Vice President of Marketing and Business Development, Cyber & Professional Lines Group, Tokio Marine.