The COVID-19 pandemic has fueled the pace of change in the healthcare sector, from telehealth expansion to the rapid deployment of temporary hospitals. But the increase in telework, mobile tech, remote care, and temporary hospitals has also expanded the threat landscape, which could have lasting consequences.
Indeed, cybercriminals have rapidly worked to take advantage of the new landscape, targeting virtual private networks (VPNs), cloud service platforms, and remote workers in an effort to financially benefit from the pandemic.
Given the pace and scope of the deployment of remote technologies and temporary sites, healthcare organizations should be closely monitoring their systems to ensure they’re protected from these new threats.
“Because these healthcare facilities are essentially an extension of the healthcare industry (i.e. hospitals and doctors’ offices), they offer hackers a lot more room to work with,” said Jake Olcott, BitSight vice president of Communications and Government Affairs. “Given this, the hackers specifically targeting the healthcare industry will continue to do so, especially as the temporary hospitals lack the necessary security.”
“As temporary hospitals were first constructed, securing the infrastructure that they run on was an afterthought, not done at the same time they were constructed as they should have been,” he added. “A critical patient’s loss of life should not be due to the weak security of the building they’re in — the medical devices they rely on must be defended at all costs.”
Brian Foster, the senior vice president of MobileIron, stressed that the ongoing work-from-home environment is accelerating what was already happening across the enterprise: more and more employees working from outside of the perimeter defenses, instead of in the enterprise.
Most organizations are dealing with an increasing number of new apps being hosted in the cloud or in the public cloud space, said Foster. The number of mobile devices has also increased over the last five years. This is notable in healthcare, where 25 percent of providers faced a mobile-related breach in 2018.
As a result, enterprise users are getting onto the network using their personal internet to gain access to company data. And as the pandemic surged, the acceleration of devices connecting to the enterprise network in this way has followed suit.
In the past, entities had more visibility and control over what users were allowed to do on the network, as it was contained to the organization’s perimeter. Foster explained that the pandemic has forced entities to address these issues faster than initially planned.
“To get visibility and control into the new picture, accessing data through the cloud, the question becomes where do you insert that control?” Foster said. “Certainly, with telehealth, device security becomes very important for those healthcare organizations, with internal tools to handle those exploits.”
“Remote medical facilities have expanded their attack surface beyond the traditional network perimeter, creating the perfect storm for hackers to exploit vulnerabilities,” said Olcott. “Given the recent rise in cyber threats against hospitals, this is a major problem: The larger the attack surface, the easier it is for a threat to become reality.”
To Olcott, given the speed and scope of these deployments, it’s likely the security posture of these rapidly deployed devices and networks is lacking the necessary security provisions required to protect provider, patient, and financial data.
Commonly Overlooked Security Elements
To address some of these concerns and potential risks, organizations should be reviewing possible areas where security may have been overlooked. For Olcott, the first place to start is visibility.
“Seeing into and managing cyber risk across the digital ecosystem can be difficult because security teams may not know everything that exists within their digital assets (including hidden risks),” Olcott said. “They need to have visibility into their digital assets so they can be secure no matter where they are.”
For example, CHIME and KLAS research around medical devices found the average number of connected network devices alone was about 10,000, and that’s not counting the broader connected systems.
For half of those healthcare organizations, a lack of asset visibility or inventory caused a host of vulnerabilities.
At the time, Safi Oranski, vice president of business development for CyberMDX, told HealthITSecurity.com: “The first and foremost question providers need to ask when it comes to inventory and visibility is knowing what you have to protect. Many know how many CT scanners they have and other machines, but it’s all of the little things, like patient monitors, infusion pumps, and the like.”
“For larger hospitals, sometimes it’s hundreds and thousands of devices that, once again, pose a bigger risk. Although, economically and operationally, medical devices aren’t typically seen as part of a hospital’s framework,” he added.
As the number of remote technologies, mobile devices, and other devices has increased amid the pandemic, the need for visibility into those technologies is paramount. Olcott stressed that the need for visibility is especially critical for VPN, remote environments, makeshift clinics, or new cloud instances, as “you can’t secure what you can’t see.”
The second risk to address amid the COVID-19 crisis is facility network risks. Olcott explained that field hospitals running on the networks of area convention centers or stadiums are particularly vulnerable to attacks as the security postures of these networks are entirely unknown.
“Hospital security teams need to implement basic security procedures to protect critical equipment such as connected medical devices,” Olcott said. “Security teams can leverage remote office risk discovery tools to easily identify vulnerabilities and infections on IP addresses known to be associated with remote operating environments.”
“These tools help security teams discover otherwise unknown security issues across remote endpoints continuously,” he added.
Added Risk and Needed Mitigation
Throughout the crisis, federal agencies and security researchers have routinely shared insights into common vulnerabilities, fraud methods, and attack techniques being leveraged by hackers to take advantage of the new remote landscape. One overlying theme in these attacks is credential theft.
Foster explained that in this new world, employees and other users are accessing cloud applications, often reusing credentials they leverage on personal email accounts. As the biggest threat to the enterprise right now is phishing, it’s imperative organizations educate employees and employ strong password policies to harden enterprise defenses.
Foster stressed that organizations need to take a hard look at implementing multi-factor authentication across all internet-facing endpoints, a point repeatedly noted by a host of federal agencies and industry stakeholders.
“In this new remote environment with more people working from home, it’s what the enterprise needs to do,” Foster said. “The number one risk is phishing, which can obtain credentials. And the number one way to prevent that is to implement two-factor or multi-factor authentication.”
The additional challenges to logging in can deter cybercriminals, and combined with employee education, enterprises can reduce a key vulnerability, Foster explained. Microsoft has shown that MFA blocks 99.9 percent of all automated cyberattacks.
“If the hospital’s digital assets and patient data are compromised, catastrophic events could take place,” Olcott said. “Healthcare organizations will learn that they need to revisit basic cybersecurity hygiene practices and take a risk-driven approach to security performance management to boost their defenses even during ‘normal’ times.”
“The most secure-conscious hospitals and health systems will continuously assess risk exposure across their newly extended attack surfaces to prioritize remediation and the continuity of patient care and treatment ensured during this critical time,” he added.