Global Unrest and Pandemic Boost Healthcare Cyberattacks
Over the past decade, the United States has seen an exponential increase in cyberattacks. The unpredictability and inevitable behavior of such attacks poses an ongoing threat to businesses large and small.
Amid the chaotically rapid transition online during the pandemic, according to Lisa Plaggemier, executive director of the nonprofit National Cybersecurity Alliance, many organizations have become an open target.
Networks were scattered, people were shifting to working from home, and IT teams had to catch up to ease the transition for organizations. Between February 2020 and May 2020, more than half a million people were affected by breaches in which the personal data of video conferencing service users was stolen and sold on the dark web. Cybercriminals found opportunity in emotional vulnerability and continue to do so today.
“At that time we were stressed and we’ve been the last two years with COVID, with a contentious election, with a war now in Ukraine,” Plaggemier said. Medscape Medical News. “From a social engineering perspective, cybercriminals will use any topic that is a hot emotional button for us and try to take advantage of our emotional vulnerability.”
A report on cybercrime breaches by Statistica indicates that the total number of data breaches in the United States in 2020 amounted to a total of 1001, lower than the previous 4 years. However, in the same year, more than 155.8 million people were affected by data exposures.
Since the pandemic, cyberattacks have become more common, especially for the healthcare sector. Healthcare facilities have proven to be an easy target for cyberattacks because they store a significant amount of patient data, including social security numbers, addresses, and other personal details.
Cybercriminals take advantage of preoccupied healthcare workers who typically don’t have the time or resources available to add online security processes to their often hectic workload. With new virtual threats being discovered every day, it’s not easy for healthcare organizations to decide where to allocate their budgets.
Attacks can affect millions of patients
The number of large-scale data breaches in the healthcare sector has continued to rise in recent years, from 18 cases in 2009 to 712 cases in 2021. Unfortunately, the high demand for patient and system information often obsolete are a recipe for disaster for installations.
In June, at the annual Boston Cybersecurity Conference, FBI Director Christopher A. Wray revealed an attempted cyberattack on Boston Children’s Hospital in the summer of 2021. Wray called the incident of “one of the most despicable cyberattacks I have ever seen”. Quick action by the FBI and the coordination of hospital personnel fortunately stopped this attack. If the attack went undetected, the hospital and its patients would face devastating damage.
A recent cyberattack on Massachusetts-based Shields Health Care Group Inc. is an unfortunate example of such damage. The actual number of people affected by the attack remains unclear, but officials say it had the potential to affect more than 50 health facilities that receive Shields’ services, meaning more than 2 million people likely to be affected. to have been affected.
It was revealed that the stolen data could have included full names, social security numbers, diagnoses, provider information, and more. In most cases, cyber criminals use this information against companies as ransomware or resell it on the dark web for profit.
After an attack, a good majority of organizations will pay a ransom to cybercriminals in exchange for their data. Yet when negotiating with criminals, cooperation is not always guaranteed.
“Sixty-six percent of surviving healthcare organizations reported experiencing ransomware attacks, and then 61% of them paid the highest percentage of any industry sector,” Plaggemier said, citing a recent Sophos study. “It’s really telling. What it tells the bad guy is that healthcare is a place where they can make money. So they’re going to keep doing it. If you pay more money for feed cybercrime, you will generally have more cybercrime in this sector.”
“A potential life or death situation”
Networks and databases are not the only risks for healthcare institutions. Medical devices – from those that monitor vital signs to those that dispense medicine – offer even more opportunities for cyberattacks. This can prevent organizations from providing necessary – and sometimes life-saving – treatment if devices are hacked and then shut down remotely.
In 2019, the FDA issued a warning about devices that could allow cybercriminals to change device settings, instilling the need to prioritize proper security protocol for all medical devices.
“When I think about the manufacture of devices and the vulnerabilities of those devices, it’s a potential life or death situation. It’s all the more reason why the industry should prioritize cybersecurity. , because you’re talking about people’s lives.” said Plaggemier.
The risk has not gone unnoticed in Congress.
Senators Jacky Rosen (D-Nev.) and Todd Young (R-Ind.) hope to further protect industries from cybersecurity threats with their new proposed legislation, the Strengthening Cybersecurity for Medical Devices Act.
The bill requires the collaboration of the United States Food and Drug Administration and the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security to publish industry-wide requirements for the cybersecurity of medical devices at least every 2 years. The legislation will also require the FDA to update its website with the latest information on cybersecurity vulnerabilities.
There is currently no requirement for how often the FDA must issue guidance on cybersecurity; the last one was released in 2018.
The Government Accountability Office will also be responsible for releasing a review of medical device cybersecurity challenges and recommendations for refining federal coordination on medical device cybersecurity.
It’s a good first step, Plaggemier said, and she expects the legislation to be just the start.
Planning and training can make the difference
As reliance on technology increases in healthcare and elsewhere, the risk of cyberattacks also increases, Plaggemier emphasizes planning to protect internal systems and patients.
Organizations that have plans and practice breaches actively minimize the damage and longevity of attacks. Plaggemier pointed out that organizations often jump to the conclusion that the decision is either to lose all your data or to pay, but that’s not the case. Organizations can be prepared, defend themselves and recover, she said.
“I’ve seen companies that have recovered in a day. They just go to their backup data, they have to reboot their systems and burn everything infected… Maybe they lost half a day activity or data and it’s not the end of the world.” said Plaggemier.
Ample resources are available to help organizations with preparedness plans. For example, the Cybersecurity and Infrastructure Security Agency offers programs where you can run a cyber attack test scenario.
In healthcare, the most common type of cybercrime is phishing. Phishing is a type of online scam where cybercriminals impersonate organizations via email, text message or advertisement in order to steal sensitive information. Organizations can send mock phishing emails to help employees identify malicious links. Plaggemier pointed out that if you’re in the healthcare industry and you’re not sending such tests to your employees, you should.
“Cybersecurity isn’t an event; it’s not something you fix and move on. It’s a process. It’s constantly evolving,” Plaggemier said.
Frankie Rowland is an Atlanta-based freelance writer.
For more news, follow Medscape on Facebook, TwitterInstagram, YouTube and LinkedIn