
Public health cyber war games: How hackers are exploiting Covid to get ahead

Providing access to multiple sources of sensitive data to enable key functions like contact tracing and monitoring hospitalizations also means increased vulnerabilities and the emergence of entirely new attack surfaces.

While healthcare providers work tirelessly to care for Covid-19 patients, pharmaceutical companies race to find a vaccine, and public health officials scramble to keep a lid on the coronavirus, the crisis has also presented a golden and rather nefarious opportunity for one group: hackers. 

Access to data will ultimately determine the Covid-19 winners and losers in terms of leveraging data to help curb the spread, navigate re-opening the economy and drive delivery of care. 


However, hackers, like digital ticks, are looking to feed on this data. Providing access to multiple sources of sensitive data to enable key functions like contact tracing and monitoring hospitalizations also means increased vulnerabilities and the emergence of entirely new attack surfaces — putting these essential global public health initiatives in grave danger.

Healthcare is lagging in the fight against hackers
For context, healthcare organizations tend to devote about three percent of their IT budgets to security, which is a fraction of the spending in other industries, like financial services. This translates to money lost and sensitive data in dangerous hands. Playing catch-up with security always puts the bad guys ahead.

Year over year, there’s been a marked increase in attacks on healthcare institutions: in 2019, there were 510 incidents that compromised more than 41 million healthcare patient records, nearly triple the number of records breached in 2018.

In addition to increased attacks, the threat surface expanded significantly. The use of telehealth has accelerated dramatically and in some cases relies on endpoint hardware and collaboration platforms, e.g. Zoom, that were never designed to comply with the security demands of handling sensitive health data. Add to this the thousands of employees and vendors now working remotely with shared workstations and hastily configured VPNs.

In the race for a Covid-19 vaccine, there are also new motivations to attack research institutions and pharma companies – threatening financials with ransom demands and putting key intellectual property at risk of being stolen or breached. ExecuPharm and Gilead were hit by hackers, looking to not only cash in with ransomware but also possibly access proprietary data linked to Covid-19 research.  

Do hackers have any humanity? Think again.
While hackers said they would “put down their arms” and call a truce when it comes to hospital attacks during Covid-19, many believe it’s just an altruistic pipe dream. The reality is that attacks have not stopped during Covid-19. There are a few factors at play: security is a backburner issue right now and healthcare institutions are slow to report any attacks. Additionally, with the newly minted remote workforce, it’s been harder to measure the number of attacks on networks that have no monitoring.

Although there may appear to be a lull, make no mistake: the hackers aren’t sitting on the sidelines. They are still leveraging phishing attacks and making their way onto servers and networks to gain intelligence — waiting for the optimal time to strike.

What happens when they do attack? In the worst-case scenarios, vaccines and treatments could be delayed or proprietary data could get into the wrong hands, and resource-strapped hospitals may be forced to divert patients elsewhere because their EHRs are locked up.

Why security matters in healthcare — with or without COVID
There are so many priorities in healthcare, but security is one area that’s often ignored. And as consumers become more cognizant of how entities protect their data, lawmakers are finally stepping up to reinforce how entities must comply and responsibly manage consumers’ privacy and the use, retention and destruction of that data.

Recognizing all the challenges healthcare institutions are facing during the pandemic, it’s definitely easy to push anything other than care delivery, the healthcare supply chain or therapy research to the back burner. We’ve discovered that old models of incident response, disaster recovery and continuing business operations don’t work in the current climate with the sudden shift to a remote workforce. And while we’re still figuring it out, hackers are plotting their next move – which could threaten the vital functions of our healthcare institutions in the middle of a pandemic. 

While the task may be daunting, fortifying security is a lot like preventive care. The more time and resources invested on the front end, the better the outcomes. This means taking an assessment, or “getting a physical,” of the current IT infrastructure to examine security posture, then pivoting accordingly to implement an enhanced security program that strengthens privacy and compliance and accounts for the new realities the industry is facing.

One thing is for sure: we will need to be smarter and more creative in finding solutions. For example, the Centers for Medicare and Medicaid Services is working on new rules for data sharing around the entire continuum of care, and security isn’t mentioned at all. This is an opportunity for regulators to incorporate these lessons learned on security now that we’ve seen issues emerge around unsecured and controlled data sharing. New models, new policies, and new procedures will need to be implemented, tested and modified as needed to help navigate the uncertain waters ahead.

Caleb Barlow is the President and Chief Executive Officer of CynergisTek, a top-ranked information security and privacy consulting firm focused on the healthcare IT industry.

Prior to joining CynergisTek, Caleb led the IBM X-Force Threat Intelligence organization. In 2016, he built X-Force Command, which is part of a $200M investment in global incident response services, updated watch floors, the industry’s first immersive cyber range, and an incident command system for responding to major cyber incidents. In 2018, Caleb invented the Cyber Tactical Operations Center, which is a first-of-its-kind training, simulation, and security operations center on wheels.

Caleb has a broad background, having led technical teams in product development, product management, strategy, marketing, and cloud service delivery. He has also led the integration efforts on multiple IBM acquisitions.
