The mere fact of the COVID pandemic’s existence has pushed the American healthcare system to capacity, but another threat to that system has reared its ugly head – cyberattacks, particularly those based on ransomware, have become more common as the disease spread, targeting medical IoT devices and healthcare networks.
According to Forrester Research analyst Chris Sherman, two U.S. hospitals have already been attacked via virtual care systems, after a hacker targeted a vulnerability in a medical IoT device (specifically, a remote patient-monitoring sensor) and gained access to the hospitals’ patient databases. And in another type of attack, the Fresenius Group, a medical device maker and the largest private hospital operator in Europe, has been hit by ransomware.
“To me, it’s clear attackers are increasing their focus on medical devices,” Sherman said. “The attackers are directing their efforts really to any system that’s exposed to the internet, which is a concern given how flat most healthcare networks are.”
The precise extent to which threats have risen due to the pandemic is unclear, but most experts agree that there seems to be a correlation. Sherman said that some reports place the figure as high as three to five times the number of attacks that would ordinarily be expected, but argued that those figures might be a slight exaggeration.
Healthcare providers are particularly ripe targets for ransomware attacks for several reasons. Medical IoT devices are, all too often, poorly secured against intrusion, according to NTT Canada’s cybersecurity practice lead, Stew Wolfe.
“A lot of these machines are not designed with security in mind, so they’ll have default passwords in a manual you can look up on the Internet,” he said, adding that there’s a physical security element that’s also worrisome. Many hospital wards and clinics are effectively open to the public, making it relatively simple to gain direct access to insecure devices.
“Getting access to this stuff is pretty easy,” Wolfe warned. “You can just walk around and get into some of these areas that you shouldn’t.”
Sherman said the spike in the use of telehealth and virtual-care systems represents a response to a tempting attack vector. These are systems that, typically, were isolated on networks local to the hospital, “but now they’re enabling these to be used remotely, and it’s being done very fast without an emphasis on security,” he said.
Not all analysts are convinced that healthcare is a particular target for malicious hackers at this point, however. Gregg Pessin, a senior director and analyst at Gartner Research, said that hospitals and clinics may well fall victim to ransomware, but that the greater threat vector is phishing attacks that might not be targeting them specifically.
“In most cases, healthcare is not in the gunsight, the malware is just sent out to the world, and if a healthcare employee hits the bad link their organization falls victim,” he said.
Still, ransomware attacks against healthcare providers may be a more likely payoff for criminals, given the mission-critical and time-sensitive nature of medical networks. A hospital that needs its technology to be functional at all times for the sake of patient care is more likely to simply pay the ransom than to attempt to recover systems that have been locked up by ransomware.
One of the main ways that healthcare providers can protect themselves against medical IoT-threats is the use of network segmentation, or making sure that potentially vulnerable operational devices aren’t connected to the same parts of the network as IT systems that can reach sensitive and infrastructure data, Pessin said.
Before that happens, however, it’s important to have an awareness of and visibility into the full range of devices on a given network. Pessin said that many healthcare providers are already investing in inventory and tracking software that can autonomously detect medical IoT devices on a network and track whether they’re behaving suspiciously or not. Patching devices that have that functionality is crucially important as well, said Sherman, as is updating older systems that have known vulnerabilities and can’t be patched remotely. “It can be expensive, but it’s really necessary,” he said.
Finally, according to Wolfe, simply having a better organizational awareness of the presence of security threats can be a big help in combating them.
“Train your doctors and nurses to recognize a malicious email, and work with the [medical-device maintenance] teams in the hospitals” to secure devices against threats, he said.