On the evening of Friday, April 24, as the Pueblo Department of Health in southern Colorado reported the county’s 120th confirmed case of COVID-19 and ninth death related to the virus, news broke that the largest healthcare center in the county had suffered a crippling cyberattack.
The attack took out the Parkview Medical Center’s system for storing patient data, leaving its medical staff with only pens and pads to record information on an influx of new patients with coronavirus symptoms. The hospital had been hit with a destructive ransomware attack that locked up an unknown number of computer files at the 370-bed facility, rendering its internal IT inoperable for over a week.
Initially, a hospital spokesman explained the outage as an “IT incident under investigation,” but declined to comment further. The next day, Parkview confirmed the attack, but assured patients they would “not see any impact to the level or quality of care being delivered.”
Attacks on healthcare organizations and the theft of valuable patient information have been part of a broad surge in cybercrime over the past few years. Hackers stole more healthcare records in 2019 than in the six years from 2009 to 2014, according to the HIPAA Journal’s 2019 Healthcare Data Breach Report. A 2019 Ponemon Institute study shows that, while the average global cost of a stolen record in any given industry is about $150, a stolen record in the heavily regulated healthcare industry can fetch up to $429.
At the peak of the global coronavirus pandemic, many healthcare providers and medical facilities engaged with the virus response saw a significant increase in attempted cyber attacks, even as they buckled under the weight of new cases. As coronavirus cases surge again in several parts of the country, cybersecurity experts and government institutions warn the healthcare sector remains dangerously vulnerable to cyberattacks.
“Disruption of our critical health infrastructure is a major threat to the United States right now,” said Nick Espinosa, a spokesperson for the COVID-19 Cyberthreat Coalition, a group of more than 4,000 volunteer information security professionals who have been fighting COVID-19 related cybercrime since March.
Espinosa said the Coalition is a response to the unprecedented scale of cyberthreats that has emerged in recent months. In April, Interpol issued a ‘Purple Notice’ to alert police in all of its 194 member countries of the heightened threat.
Hospitals globally have reported attacks similar to the one Parkview faced. A ransomware attack at Brno University Hospital, the Czech Republic’s second largest hospital and a major COVID-19 testing center, forced the hospital to shut down its network, cancel all surgeries and turn away patients. In Spain, staff at several medical centers received “information on COVID-19” emails, with PDF attachments that downloaded and activated ransomware on their systems. In Illinois, the Champaign-Urbana Public Health District reportedly paid $350,000 in ransom to hackers, after its website was disabled by the notorious Netwalker ransomware and staff were unable to access patient records for several days.
The vast and confederated nature of the American healthcare system poses unique challenges and vulnerabilities. “The bigger the healthcare system,” said Espinosa, “the better of a target it is for any kind of disruption.”
“The single largest threat we have in cybersecurity is the human factor,” Espinosa continued. “If I’m looking at a situation where we have a stressed employee population running critical infrastructure like a hospital, we might have good cyber defense strategies in place, [but] we then have to really focus on the employees because you never know when that person who’s worked an 18-hour shift dealing with coronavirus patients sees something that looks legitimate and then opens it up.”
Threats from ransomware are particularly acute. In a technique commonly known as ‘spear phishing,’ employees receive targeted emails with embedded links or attachments. Assuming they are legitimate, employees may click on these links and unwittingly download malware that takes over their devices and encrypts some or all of the organization’s data, often disabling a website or an entire network. Hackers can then monetize the stolen data by holding it for ransom or selling it on the dark web.
Ransomware operators move with the efficiency of organized crime gangs, lying in wait for their moment to cash in. Attacks have become increasingly targeted, sophisticated and socially engineered.
“When a threat actor, regardless of motivation, is trying to carry out a spear phishing operation, they may leverage something that’s going on in the news,” said Luke McNamara, a threat intelligence analyst with the FireEye cybersecurity company.
“The beauty of COVID-19, from a spear phishing standpoint, is there’s universal interest around this topic,” said McNamara.
As COVID-19 began to wreak havoc around the world, several ransomware operators pledged not to go after healthcare providers, but various information security experts say there has not been a significant decrease in the overall level of activity. FireEye says attacks are often more direct, purposeful and extortion-minded.
“They’ll go after and target specific entities,” said McNamara. “They’ll compromise their networks, move around laterally and look for anything they can do to increase the pressure. The need to keep those hospital networks up and running is such that, if you get hit with ransomware, you have a higher need potentially to pay out the ransom and keep operating.”
Keith Duemling, a cybersecurity professional with over 15 years of experience in healthcare, said the number of devices, applications and aspects of the supply chain that can now be targeted by attackers is worrisome. In his role as director of cybersecurity technology protection at the Cleveland Clinic, one of the nation’s largest and best-ranked medical centers, Duemling has seen a targeted threat to caregivers.
“We have seen a significant amount of sites and services that have sprung up that attempt to utilize the situation by disinformation and draw caregivers to those websites, so that their machines can become compromised,” Duemling noted.
He added: “We’ve seen specific threats to the at-home workers, where threat actors know that if a person takes their laptop into their home, they’re not necessarily under the same protective umbrella that extends on premise.”
The threat does not end with healthcare providers. Research institutions across the country that have partnered with pharmaceutical companies to develop potential vaccines for the coronavirus have also garnered the attention of cyber criminals.
Northern Arizona University (NAU) is one of those institutions.
“We’re seeing an uptick in attempted exploitations and nefarious activity in our network at all levels, ranging from phishing attacks targeting university officials down to the sort of probes that you see initiated by nation-states,” said Dr. Steven Craig Burrell, NAU’s chief information officer.
According to Burrell, the uptick in attacks began as the coronavirus pandemic hit the United States. “We know there’s a systematic effort on the part of nation-states, namely the Chinese, to establish footholds in university networks, and we’re particularly conscious of COVID-19 related probes,” he said.
Burrell described the attacks as so widespread throughout the NAU network that they are like a “dragnet,” targeting even seemingly irrelevant parts of the university, like the recreation center. “The idea is to just grab as much cyber territory as possible and use it to launch more attacks,” Burrell said.
Nation-state attacks originate from a desire to gain sensitive information or to gain a competitive advantage, said Cleveland Clinic’s Duemling, who has seen the persistent threat of such attacks in his information security roles across the industry.
“They’re seeking intellectual property that will advance their healthcare programs and help them overcome challenges without necessarily investing in the same research and development that a lot of European and American healthcare providers consistently invest in,” he said.
Lawmakers and federal law enforcement agencies have expressed concern over the foreign threats facing hospitals and the medical research industry.
In April, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a rare joint advisory with the United Kingdom’s National Cyber Security Centre, detailing the threat to healthcare services from advanced persistent threat (APT) groups, hackers that typically receive direction and support from nation states.
In a letter to CISA Director Christopher Krebs and Cyber Command Commander Paul Nakasone, a bipartisan group of U.S. senators, including Mark Warner (D-VA), Richard Blumenthal (D-CT), Tom Cotton (R-AR) and David Perdue (R-GA), called for “immediate measures to strengthen our defenses, coordinate with hospitals, and work to fight off targeted hacking campaigns instigated by our foreign adversaries.” The letter directly cited hacking campaigns backed by Russia, China, Iran and North Korea, as well as organized cybercrime groups.
“From enabling telehealth to facilitating contact-tracing efforts, new and emerging technologies have played an essential role in our response to COVID-19,” said Sen. Warner, in a statement.
“Unfortunately, the technologies that we increasingly rely on have emerged at a much quicker pace than the development of the crucial cybersecurity measures needed to protect our information,” he said. “The truth is, when it comes to using these technologies to handle something as sensitive as health data, serious privacy concerns can come into play – and sometimes, vulnerabilities pose not just a privacy issue, but an issue of national security.”
Supply chain management has become yet another area of focus for information security officers in the industry, as concerns over vendors and suppliers have grown exponentially. From the HVAC system that runs through a medical facility to the PPE company meeting the demands of frontline workers, hackers can pinpoint weaknesses to exploit throughout the supply chain.
“Generally there’s a business associate agreement that is signed by the vendor, which generally includes cybersecurity requirements that the vendor must implement before doing business with the hospital,” said John Riggi, a senior cybersecurity advisor to the American Hospital Association (AHA). “Those agreements are not standard though and they vary by hospital.”
Unsecured and poorly secured devices anywhere in the supply chain can provide an access point for malicious actors. Riggi, who has worked on federal cyberdefense issues in the FBI and CIA, noted that some devices purchased from large retailers were manufactured overseas and had already been embedded with malware.
“It is really a multi-faceted cyber threat that hospitals are facing these days,” said Riggi. “From the very basic phishing emails all the way up to the very sophisticated cyber campaigns by Russia and China to steal research related to COVID-19.”
At larger organizations like the Cleveland Clinic, employees are trained with cybersecurity awareness programs so that they know how to practice ‘cyber hygiene’ and remain vigilant about the threats to their devices. These measures are typically complemented by internal monitoring, resources for employees, preventive controls, and channels that allow caregivers to report suspicious activity.
“We haven’t really done anything that we aren’t already doing,” said Keith Duemling. “We have just intensified the velocity at which we’re doing those previous actions and making strong progress to improve our security posture.”
Small to mid-size organizations face a more serious threat, however, as many lack the resources and capital to invest in a robust and holistic cyberdefense approach. Healthcare is one of the most heavily regulated industries in the United States, with stringent privacy and compliance standards on patient data and patient care, but as Nick Espinosa of the Cyberthreat Coalition has observed, these standards can sometimes be more of a sliding scale than a benchmark.
“When you have a certain level of compliance like HIPAA (the Health Insurance Portability and Accountability Act), you’ll see one hospital that has got everything enterprise 24/7 and they’re HIPAA-compliant times 100,” said Espinosa. “Then you’ve got another hospital that just went to BestBuy and bought the basic router. They’re technically compliant, but they’re not doing nearly as much. By virtue of that, the standard ends up being a massive range from low to high.”
Universities and research institutions have some options to better protect themselves from cyber attacks, said Dr. Craig Burrell of NAU. These include recognizing that even single individuals working in a COVID-19 related university lab are seen by hackers as high value targets, sharing safety information widely and often among staff, and employing talented cybersecurity professionals to monitor networks.
AHA advisor John Riggi said any good cyber defense strategy must rely on robust and recurrent risk assessment, in order to ensure, as far as possible, that adequate resources are devoted to the cybersecurity program.
“When we talk about prioritizing risk, we always talk about protecting people first,” said Riggi, who has served on the White House Cyber Response Group under several administrations.
“Protecting data is important, but it’s secondary to protecting the patient.”