Over the past decade, the US has witnessed an exponential increase in cyberattacks. The unpredictable and unavoidable nature of such attacks poses an ongoing threat to organizations big and small.
Amid the chaotic, rapid transition online during the pandemic, many organizations became open targets, according to Lisa Plaggemier, executive director of the nonprofit National Cybersecurity Alliance.
Networks were scattered, people were transitioning to working from home, and IT teams had to catch up in order to facilitate the transition for organizations. Between February 2020 and May 2020, more than half a million people were affected by breaches in which the personal data of video conferencing service users was stolen and sold on the dark web. Cybercriminals found opportunity in emotional vulnerability, and continue to do so today.
“At that moment, we were stressed out and we have been for the past couple of years with COVID, with a contentious election, with a war now in Ukraine,” Plaggemier told Medscape Medical News. “From a social engineering perspective, cybercriminals are going to use any topic that is an emotional hot button for us, and try to take advantage of our emotional vulnerability.”
A Statista report on cybercrime breaches indicates that the United States recorded a total of 1001 data breaches in 2020, lower than in the previous 4 years. However, during the same year, over 155.8 million individuals were affected by data exposures.
Since the pandemic, cyberattacks have continued to become more common, especially in the healthcare industry. Healthcare facilities have proven to be an easy target for cyberattacks, as they store a significant amount of patient data, including Social Security numbers, addresses, and other personal details.
Cybercriminals take advantage of preoccupied healthcare workers who typically don’t have the spare time or resources to add online security processes to their often hectic workload. With new virtual threats being uncovered each day, it isn’t easy for healthcare organizations to decide where to allocate their budgets.
Attacks Can Affect Millions of Patients
The number of large-scale data breaches in the healthcare industry has continued to rise in recent years, going from 18 cases in 2009 to 712 cases in 2021. Unfortunately, the combination of high demand for patient information and often-outdated systems is a recipe for disaster for facilities.
In June, at the annual Boston Conference on Cyber Security, FBI Director Christopher A. Wray disclosed an attempted cyberattack on Boston Children’s Hospital in the summer of 2021. Wray deemed the incident “one of the most despicable cyberattacks I’ve ever seen.” Swift action by the FBI and coordination of hospital staff thankfully halted this attack. Had the attack gone undetected, the hospital and its patients would have faced ruinous damage.
A recent cyberattack on Massachusetts-based Shields Health Care Group Inc. is an unfortunate example of such damage. The actual number of those affected by the attack remains uncertain; nonetheless, officials say it had the potential to affect over 50 healthcare facilities that receive Shields services, meaning that nearly 2 million people may have been affected.
It was disclosed that the stolen data could have included full names, Social Security numbers, diagnoses, provider information, and more. In most cases, cybercriminals hold this information for ransom against companies or sell it on the dark web for profit.
After an attack, a fair majority of organizations will pay ransom to cybercriminals in exchange for their data. Yet when organizations negotiate with criminals, cooperation isn’t always guaranteed.
“Sixty-six percent of surviving health care organizations said they experienced ransomware attacks, and then 61% of them paid, the highest percentage of any industry sector,” said Plaggemier, citing a recent Sophos study. “That is really telling. What that says to the bad guy is that healthcare is a place they can make money. So they are going to keep doing that. If you pay more money to fuel cybercrime, you are going to have more cybercrime typically in that sector.”
“A Potential Life or Death Situation”
Networks and databases aren’t the only areas of risk for healthcare facilities. Medical devices, from those that monitor vital signs to ones dispensing medication, provide even more opportunity for cyberattacks. If devices are hacked and then shut down remotely, organizations can be prevented from providing necessary, and sometimes life-saving, treatments.
In 2019, the FDA issued a warning about devices whose settings could be changed by cybercriminals, underscoring the need to prioritize proper security protocols for all medical devices.
“When I think about device manufacturing and vulnerabilities in those devices, that’s a potential life or death situation. That is all the more reason the industry should be prioritizing cybersecurity because you are talking about people’s lives,” Plaggemier said.
The risk has not gone unnoticed by Congress.
Senators Jacky Rosen (D-Nev.) and Todd Young (R-Ind.) hope to further protect industries from cybersecurity threats with their newly proposed legislation, the Strengthening Cybersecurity for Medical Devices Act.
The bill requires the US Food and Drug Administration and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to collaborate on releasing industry-wide requirements regarding medical device cybersecurity no less often than every 2 years. The legislation also requires the FDA to update its website with the latest information on cybersecurity vulnerabilities.
There are currently no requirements for how often the FDA has to issue cybersecurity guidance; the last was released in 2018.
The Government Accountability Office will also be entrusted with issuing a review on medical device cybersecurity challenges and recommendations for refining federal coordination on medical device cybersecurity.
It’s a good first step, Plaggemier said, and she expects the legislation to only be the beginning.
Planning, Training Can Make a Difference
As reliance on technology grows in healthcare and elsewhere, so does the risk of cyberattacks, so Plaggemier stresses planning to protect internal systems and patients.
Organizations that have plans and train for breaches actively minimize the damage and duration of attacks. Plaggemier emphasized that organizations often jump to the conclusion that the decision is either to lose all of your data or to pay, yet that isn’t the case. Organizations can be prepared, defend themselves, and recover, she said.
“I have seen companies that have recovered in a day. They just go to their backup data they have to restart their systems, and burn down anything that is infected… Maybe they have lost half a day of business or data and it’s not the end of the world,” Plaggemier said.
Ample resources are available to aid organizations with preparation plans. For example, the Cybersecurity and Infrastructure Security Agency has programs where you can run a test cyberattack scenario.
In healthcare, the most common type of cybercrime is phishing. Phishing is a type of online scam where cybercriminals impersonate organizations via email, text message, or advertisement in order to steal sensitive information. Organizations can send out simulated phishing emails to help employees identify malicious links. Plaggemier stressed that if you’re in the healthcare industry and you aren’t sending such tests to your employees, you need to.
“Cybersecurity is not an event; it’s not one thing you fix and move on. It is a process. It is constantly evolving,” said Plaggemier.
Frankie Rowland is an Atlanta-based freelance writer.