As Covid-19 spread across the world last year, hospitals and healthcare facilities became increasingly vulnerable to another kind of dangerous attack—this time, thanks to the nefarious efforts of cybercriminals. Since the global WannaCry ransomware attack occurred in 2017, healthcare-related cybersecurity incidents have grown at an alarming rate. According to Becker’s Hospital Review, medical data leaks and breaches cost the healthcare sector approximately $5.6 billion every year in the US alone. We spoke with one of the HIMSS21 keynote speakers, Michael Coates, CEO and co-founder of Altitude Networks and formerly Chief Information Security Officer at Twitter.
MedicalExpo e-magazine: How would you describe the level of threat facing hospitals and other healthcare facilities from cyberattacks today?
Michael Coates: I would say that the threat level is dramatically high and increasing, it’s considerable. The reason it’s increasing is that the people perpetrating these attacks have found an effective way of eliciting money. They have found that through things such as ransomware they can effectively take critical healthcare systems hostage until they receive payment. This is going to keep driving the threat level upwards.
On top of this, the situation is morphing from one where ransomware attacks are being launched against healthcare institutions from individuals and organizations into one where ransomware is being developed as a service. This evolution is what we have seen in other areas of cybersecurity crime. This means it is not just one party carrying out the entire malicious operation. It is a complex ecosystem where people specialize in different areas, from the development of the software to selling the software, to running actual support hotlines to help people who buy the software.
MedicalExpo e-magazine: What does a typical healthcare cyberattack look like? What exactly is being attacked?
Michael Coates: How cybercriminals are breaking into healthcare systems varies. They’re taking advantage of the lowest common denominator of a security vulnerability. What I mean by that is if you have a vulnerability in your Microsoft Windows software patch, they will simply use that. They are taking advantage of the fact that hospital networks often lack even basic security controls. What they are targeting is basically anything they can get at—that could be administrative servers, it could be patient or billing records, it could be the actual medical device in the hospital room, it could be the software that’s communicating with ambulances. Cybercrime is opportunistic; the software being used is designed to spread throughout a system and find an entry point. I liken it to sinking a submarine: it doesn’t matter where you poke the hole.
“What they are targeting is basically anything they can get at—that could be administrative servers, it could be patient or billing records, it could be the actual medical device in the hospital room, it could be the software that’s communicating with ambulances.”
MedicalExpo e-magazine: Who is perpetrating these attacks?
Michael Coates: Most of these groups appear to be based out of Russia, deduced from things such as the use of Russian language and the fact that Russian entities aren’t being targeted. These are entire operations that are set up to bring in as much money as they can, which often involves the hiring of small armies of entry-level workers. Is such activity state-sponsored? In many cases, it’s certainly state-ignored.
MedicalExpo e-magazine: What impact has Covid-19 had on healthcare cybersecurity? And what about the rise of telemedicine, touchless robots, remotely-controlled ventilators and AI systems?
Michael Coates: The evolution of technology is critical for hospitals and healthcare in terms of advancing medical care. The challenge is that the change in technology exposes new points of weakness. We are already seeing underinvestment in healthcare cybersecurity—new complex and unique technology only makes things harder. The impact of Covid-19 is multi-faceted. Firstly, the importance of a particular healthcare system working during a pandemic is even more critical than it is normally. Secondly, Covid-19 has changed the way people work, such as more remote operations. This puts healthcare institutions at greater risk because people are doing things differently, leading to new methods of exploitation.
MedicalExpo e-magazine: What about cybersecurity solutions for healthcare? How can healthcare institutions boost their defenses?
Michael Coates: One of the most important things that hospitals and healthcare institutions can do today is invest in the four controls of security (prevention, detection, response and prediction). This sounds like a no-brainer, but it’s actually hard to do this well and consistently at scale—it requires investment. There’s also a need to balance the fact that the number one priority at hospitals is to save lives. So if you say to a healthcare provider we can have a more secure system, but it’s going to slow you down, they’re simply going to say no. The more sophisticated systems are maximizing security, but doing it in a way that’s not intrusive, that’s where innovation is going to go.
“The more sophisticated systems are maximizing security. But doing it in a way that’s not intrusive, that’s where innovation is going to go.”
Solutions are not all about expensive software. Hospitals need to address known weaknesses across all their devices and systems, and this is where many are currently failing right now. Keeping up to date with patches and security updates is critical. It’s also important to minimize impacts. If someone opens a malicious file in billing, will it affect the entire hospital, for example? What’s the so-called blast radius?
The third issue is access. Every individual in a hospital should have a level of administrative access commensurate with their role. And last but not least, hospitals need to plan for disaster. Cybersecurity or IT professionals at every hospital need to get around a table with management and not only work out whether they are prepared for an attack, but also what to do if an attack does occur. In many countries, healthcare systems are already stretched to the breaking point, so allocating resources to this is really challenging. On the other hand, the cybersecurity threat is real. Hospitals are now being regularly shut down by ransomware, which is clearly impacting their ability to save lives.
