The word “unprecedented” has come up a lot these days, but as cliché as it sounds, these truly are unprecedented times when it comes to security in the healthcare sector. As was the case for countless other industries, healthcare organizations were suddenly forced to find ways to deliver care virtually. And while this move was essential, it also made healthcare a prime target for criminals.
Flaws in the System
Even before the coronavirus pandemic began, healthcare organizations faced a high risk of cyberattacks. The pandemic not only exacerbated existing security issues, it created new ones: the urgent shift to remote work introduced a slew of new vulnerabilities that attackers are only too willing to exploit. Between February and August 2020, HIPAA-covered entities reported 192 large-scale data breaches to the US Department of Health and Human Services, Office for Civil Rights, more than double the number reported in the same period of 2019.
As the pandemic grew, HIPAA enforcement was temporarily relaxed to accommodate surging demand for telehealth services: HHS announced it would exercise enforcement discretion, making it possible for medical professionals to meet with patients over consumer video tools like Zoom and Skype without penalty, even though those tools would not have met HIPAA requirements before the pandemic. Further, many healthcare organizations took steps such as relaxing firewall rules to make it easier for staff to work remotely, widening the attack surface in the process.
Simple human error represents another serious security flaw. Given the overall strain on the healthcare system during the pandemic, many healthcare workers have been exhausted trying to keep up, and when people are overwhelmed and tired, they are more likely to make mistakes. Ransomware has been particularly problematic for the healthcare sector throughout the pandemic because cybercriminals know these organizations cannot tolerate downtime. Being locked out of their systems at a time like this would be disastrous, which means they are likely to pay up to regain access as quickly as possible. And all it takes to launch a ransomware attack on a healthcare organization is a phishing email reaching the right harried person.
Phishing and ransomware attacks are among the most common cybersecurity threats aimed at healthcare organizations, and while these schemes are most typically associated with email, they can also be built around voicemail notifications. The National Law Review writes, “Some health care organizations are using legacy phone systems known as Private Branch Exchange (PBX) to automate calls and record voicemail messages that are sent to users’ inboxes so employees don’t miss important messages while working remotely. The scheme involves the attackers spoofing messages from the PBX system and informing an employee that they have a new voicemail message. To hear the message, the user is directed to a website that spoofs PBX integrations with the aim of stealing credentials. The hackers rely on the fact that users have the same access credentials across multiple platforms, which may contain personal or proprietary information.”
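The spoofed-PBX lure described above, as an added example that is not part of the original article or of The National Law Review’s text: a small mail-gateway check, written here in Python, that flags voicemail-style notices whose envelope sender (Return-Path) disagrees with the From domain or whose links lead to a host outside the organization, which is exactly where a credential-harvesting “PBX portal” would live. The internal domain `hospital.example`, the two sample messages and the keyword list are constructed assumptions, not data from the article.

```python
"""Flag spoofed PBX voicemail-notification emails.

Heuristics (an assumed local policy, not a standard):
  1. A message presenting itself as a voicemail notice must come from an
     internal sender domain, and its envelope sender (Return-Path) must
     match the From domain; a mismatch is typical of header spoofing.
  2. Any link in such a notice must point at an internal host; a lure that
     sends the user to an external "PBX portal" login page is the tell.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Assumption: the organization's own mail and PBX domains.
INTERNAL_DOMAINS = {"hospital.example"}
# Words that mark a message as a voicemail notice (assumed list).
VOICEMAIL_HINTS = ("voicemail", "voice message", "pbx")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample messages: one legitimate notice, one spoofed lure.
LEGIT_NOTICE = """From: PBX Voicemail <pbx@hospital.example>
Return-Path: <pbx@hospital.example>
To: nurse@hospital.example
Subject: New voicemail (0:42) from 555-0100

You have a new voice message. Listen at https://pbx.hospital.example/inbox
"""

PHISH_NOTICE = """From: PBX Voicemail <pbx@hospital.example>
Return-Path: <bounce@mail-notify.example>
To: nurse@hospital.example
Subject: New voicemail (1:07) from 555-0199

Log in to the PBX portal to hear your message:
https://hospital-voicemail.example/login?user=nurse
"""


def _domain(addr: str) -> str:
    """Domain part of an email address, lower-cased ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_internal(host: str) -> bool:
    """True if host is one of, or a subdomain of, the internal domains."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def assess_voicemail_notice(raw_message: str) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    subject = str(msg["Subject"] or "")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    text = (subject + "\n" + body).lower()

    # Only apply the PBX heuristics to messages that claim to be voicemail notices.
    if not any(hint in text for hint in VOICEMAIL_HINTS):
        return []

    findings: List[str] = []
    from_addr = parseaddr(str(msg["From"] or ""))[1]
    from_domain = _domain(from_addr)
    if not _is_internal(from_domain):
        findings.append(f"external-sender:{from_domain}")

    # Envelope sender that differs from the header From domain.
    return_path = parseaddr(str(msg["Return-Path"] or ""))[1]
    if return_path and _domain(return_path) != from_domain:
        findings.append(f"return-path-mismatch:{_domain(return_path)}")

    # A real notice only links back to the organization's own PBX portal.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if not _is_internal(host):
            findings.append(f"off-domain-link:{host}")
    return findings


if __name__ == "__main__":
    for name, sample in (("legit", LEGIT_NOTICE), ("phish", PHISH_NOTICE)):
        print(name, assess_voicemail_notice(sample) or "clean")
```

Run as a script it prints `legit clean` and the two findings for the lure. In a real gateway the same logic would run behind SPF/DKIM/DMARC checks rather than replace them; the point here is the narrower signal that a voicemail notice should never send staff to log in somewhere outside the organization.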
What’s at Stake With Cyberattacks
Cyberattacks can not only put sensitive patient information into the wrong hands, they can also cause long-term harm to the doctor-patient relationship and jeopardize the quality of patient care. In Cybersecurity Risks in a Pandemic, it is noted that once a data breach occurs, patients may be reluctant to disclose parts of their medical history in the future. And if an attack takes networks out of commission, the longer the systems are down, the longer employees are unable to access vital patient information.
As valuable as patient information is to cybercriminals, it is not the only thing at risk right now. With so much research and development going into COVID-19 vaccines and the virus itself, that research data is also a lucrative target. Attacks can also impair an organization’s ability to convey important information to the public, as when the U.S. Department of Health and Human Services website became the target of a DDoS attack.
Finding a New Way Forward
Coronavirus certainly isn’t the first global pandemic in history, but in this case, it’s not always easy to draw on experiences the healthcare sector went through during previous pandemics and use them as a frame of reference. The coronavirus pandemic is most commonly compared to the 1918 flu pandemic, and while there are lessons that can be learned from the 1918 pandemic, the 100+ year gap between the two events means the past doesn’t offer solutions or insights to all of today’s problems.
In 1918, problems like HIPAA compliance, cybersecurity, and data breaches were several decades away from existence so there simply isn’t much existing research into cybercrime in healthcare during pandemics of this scale. Generally speaking, cybercrime tends to increase during any event that brings on heightened emotions and uncertainty, like natural disasters and other tragic events, so the increase of cybercrime that came with the coronavirus pandemic wasn’t necessarily unexpected, but that doesn’t make it less concerning.
In response to the COVID-19 crisis, government agencies including CISA, HHS, and the FBI have all issued guidance to healthcare providers to help them protect themselves against cyberattacks. Some of that advice applies to anyone, not just the healthcare sector: routinely changing passwords, not reusing the same password across sites, and promptly installing system updates. For healthcare organizations it is particularly important to back up data routinely and to keep those backups offline, so that systems can be restored quickly if an attack succeeds.
Wachler & Associates, P.C. emphasizes the importance of making employee education a key part of a cyberattack mitigation strategy. In the case of ransomware attacks that begin with phishing, employees need to be trained both to spot phishing emails and to respond correctly if they believe they have been compromised. Phishing emails can look deceptively authentic, even to people who know what to look for, so training people in how to respond to a suspected attack is a crucial part of the process.
It remains to be seen how, exactly, the coronavirus pandemic will shape the healthcare sector in the long term. But as we continue to work our way through this crisis, the lessons we learn in regards to security will allow us to improve patient experiences and build a stronger future for technology-driven healthcare solutions.