The Threat Is Real

Cybersecurity remains a critical concern for hospital systems

The ever-expanding cyber world in healthcare is a double-edged sword. Advancements in technology to electronically manage health records, track patient outcomes and communicate with, and even treat, patients virtually, contribute to a more robust and efficient healthcare system. But with every advancement comes a new potential threat. These are the risks at the top of healthcare cybersecurity experts’ lists and their advice on how to mitigate them.

Increase in compromised business email attacks

Matthew Webb

Cybersecurity professionals have been combating a significant increase in the use of phishing to compromise individuals and businesses alike, including hospitals. Phishing is the fraudulent practice of sending emails that appear to be from reputable companies in an effort to get a person to hand over sensitive information, such as passwords, bank accounts and credit card numbers. “In healthcare, we’re seeing individuals claiming to be a supplier or purchaser and using language to get people to take action,” says Matthew Webb, AVP of Product Security at HealthTrust.

How it happens

The emails typically target people in financial roles such as the chief financial officer. They are sophisticated, look legitimate and can often get past all security controls and firewalls. A phishing attack can come from anywhere—from other countries or from someone down the street who uses it as an opportunity to make some quick cash.

“Maybe it’s someone masquerading as a purchaser who appears to be in a hurry, saying they’ve changed bank routing numbers and need to make the update quickly,” says Webb. “They’re getting the person to provide the routing number and are effectively stealing a lot of money.” Every transaction may not be a big sum, but it adds up to a lucrative scheme over time.

Phishing can also happen via text message and phone. Since COVID-19 began, cybercriminals are particularly interested in manipulating online purchasing, where there isn’t a way to verify where the information is coming from. “With links in emails or texts, it may say that you must click this link in order to validate,” says Marc Sammons, Director of Security Sourcing at HealthTrust. That manipulates the user to click on that link.

What you can do

“If you’re at work and someone is asking you to provide information, think about steps you can take before complying,” says Sammons. “The first step is to use a separate communication where you talk to the person directly and validate that he or she is in fact the person who sent you something.” For example, if you get an email from your human resources director asking you to provide password information, call them on their known phone number to verify the email.

“Review the content of the message of what’s being asked and whether it seems suspicious,” says Webb. “If it’s the CFO or CNO, and they’re saying it’s urgent, ask yourself, would this message normally come through this way?”

If you suspect an email may be phishing, delete it and immediately report it to your IT help desk. Some organizations have an icon within the email or platform that employees can click on to notify the help desk of a possible phishing attempt or attack so that IT can investigate. It is also best practice for IT to then send out a companywide alert to be wary of the attack.

Preventable ransomware attacks

Like most of the world today, hospitals, suppliers and other healthcare organizations rely on computer systems for just about every facet of operations, but ransomware can render those systems inaccessible.

How it happens

Ransomware is a cyberattack that essentially locks up a set of systems or servers so that users can’t log in. Hackers then send a message telling the organization that, in order to unlock its computer system or service, it will need to pay a large sum of money. Otherwise, the information will be lost.

HealthTrust Launches New Supplier Product Security Program

HealthTrust is proud to introduce a new program that aims to enhance communication and establish a partnership among healthcare organizations and suppliers in order to better understand their approach to security.

Some HealthTrust members may be aware of prior efforts to include security agreements with contracts. The focus of this initiative has been expanded to include supplier security, with leadership from Matthew Webb, AVP of Product Security, and Marc Sammons, Director of Security Sourcing at HealthTrust.

“Through this program, we hope to serve as the bridge in helping healthcare teams understand how suppliers are addressing security within their organizations and products. Likewise, HealthTrust will help its suppliers to better understand the needs of their healthcare customers, so they can take the information back and apply it to the products,” says Webb.

The program offers specific purchase agreements and contractual security agreements that suppliers are required to sign. Members of the HealthTrust Supplier Product Security Program represent the concerns and feedback of a large portion of suppliers and users, and effectively disseminate information and updates about particular products, such as new features suppliers are implementing to address cybersecurity.

“We have a committee that makes sure agreements offer both adequate protection and contain risk mitigation measures should a breach occur. Committee members are really representing the eyes and ears of the current industry,” says Sammons. “Suppliers have an opportunity to present and receive feedback, which has been an effective communication mechanism for looking at important things that need to be addressed. It’s made for great collaboration.”

“Ransomware takes advantage of weaknesses in operating systems where patches haven’t been applied properly,” says Sammons. A patch is a security update to a computer system to fix vulnerabilities or bugs.

These attacks are paralyzing because of the loss of data, as well as the disruption to communications. “There have been situations where a number of supplier servers were locked up so an entire online solution was down because they couldn’t communicate,” Sammons explains. If the healthcare facility doesn’t have a manual workaround in order to provide care, these attacks can ultimately affect patients.

Cybersecurity experts note that attackers are targeting larger health systems with ransomware. It hasn’t yet affected medical devices as much since they are often proprietary or running on a different operating system. But as a physician communicates medical information to a server, those servers are being targeted.

What you can do

Applying patches effectively is key. Just as with phishing, the vulnerability in ransomware attacks lies with the users. “One of the easiest ways to infiltrate a system is through people because, as healthcare professionals, we generally want to help others, and attackers prey on that nature,” says Sammons.

In addition, criminals take advantage of the growing number of computers we depend on, making it harder to keep up with system patches. It’s important that organizations continue to work with suppliers and IT partners to ensure there is a well-defined patching schedule. Sammons notes that there have been situations where attacks have been deployed on systems that haven’t been patched in two years. “Some degree of patching, whether it’s monthly, quarterly or even annually, is better than nothing,” he adds.

Vulnerabilities in connectivity & the internet of things

Alexa, Siri, Fitbit, the Ring Doorbell. In our personal lives, we’ve become accustomed to having endless surveillance data available at our fingertips. But we don’t often stop to think about what the potential impact would be if that data were to get into the wrong hands—or if that data involved our health information. Medical devices can expose those vulnerabilities.

“These devices are immature in their development because the software components don’t yet have the security to protect them,” says Webb. “We are trying to balance the value that these devices bring to support a patient, while balancing the maturity to ensure the protection that they don’t yet have in themselves.”

For example, a pacemaker may be Bluetooth-enabled. When a patient goes to his cardiologist’s office, and a nearby device starts reading the telemetry off his implant, how soon could cyberattackers read the data or, worse yet, harm the patient by interacting with the device itself? “It is a question of when, not if, the attackers will have that capability,” explains Webb.

The good news is suppliers are aware of these risks and, along with the Food and Drug Administration, are working to mitigate threats. For example, some suppliers have safeguarded their systems to allow devices to operate only within a certain proximity so their connectivity is limited.

The added complexities of telecommuting & telehealth

During the past year, the increase in telecommuting rates has led some companies to expand their talent pool when hiring for certain positions. Hospitals have been able to become more flexible and bring on exceptional cybersecurity professionals who may live in another part of the country.

However, this may also increase exposures. “Remote work expands the areas that need to be covered by cybersecurity,” explains Webb. “With more folks working from home, it puts devices further away and outside the bounds of company security controls. People are more at risk to click on links and messages that can redirect them off their home network.”

Telehealth has been an important way to deliver care throughout the pandemic, and experts expect it to be heavily utilized even when we’re past the threat of COVID-19. The good news is that healthcare IT and business leaders have met the challenge and have taken steps to ensure that these systems remain safe and available for the long haul. “I’m excited about the immense progress that’s been made to ensure systems are safe and available,” says Sammons.

Regulating privacy

Security and privacy are converging to the point where it won’t be possible to have one without the other. The European Union recently passed a larger privacy law that regulates how companies must protect citizens’ personal data. States like California are at the forefront of passing stricter privacy laws that require businesses to provide consumers with information about their privacy practices and about how consumer information is being used and shared, as well as the right to have data deleted or opt out of certain practices. For example, Zoom uses cookies to track and analyze user activities in order to gather information and use it to promote their other products. With the California Consumer Privacy Act (CCPA), this practice may be considered a “sale” of personal information, and users can choose to opt out. Other states are not far behind passing similar laws.

“We expect to see growth in privacy regulations, and suppliers and negotiators can expect a greater focus on incorporating privacy policies and agreements into their language,” says Webb. Just as there may be a comprehensive security agreement, healthcare organizations can expect to see the same type of approach when it comes to privacy. Webb adds, “Privacy will be a key factor in suppliers being able to deliver what they say they can, and it will be something that their customers will want to know more about and ensure it’s part of the solution.”