Over the past two weeks, several cyberattacks on hospitals and health systems have forced computer systems offline.
The largest breach occurred at King of Prussia, Pa.-based Universal Health Services, a 26-hospital health system with hundreds of clinical locations. The health system reported an IT security incident that began on the evening of Sept. 27 and is ongoing, although on Sept. 30 the health system released a statement that some IT systems have been recovered and are becoming operational again.
On Sept. 20, Nebraska Medicine reported its IT system was forced offline due to a security incident. Las Vegas-based Valley Health System also experienced an IT security incident on Sept. 27 that forced computers offline, and Ashtabula (Ohio) County Medical Center reported a computer outage on Sept. 27 that forced it to cancel procedures.
Although unconfirmed by the health system, it has been widely speculated by news sources including CNBC and The Wall Street Journal that ransomware was behind the attack on UHS. On Sept. 10, a ransomware attack on a hospital in Dusseldorf, Germany, encrypted 30 hospital servers and forced it to re-route emergency patients, which may have caused at least one patient to die before receiving treatment.
“There’s been an unfortunate increase in cyberattacks on healthcare organizations, and I don’t anticipate this trend changing anytime soon,” said Jesus Delgado, vice president and CIO of Community Healthcare System in Munster, Ind. “Therefore, the investment in cyber security technologies needs to continue to be carefully considered and properly communicated to executive leadership. The cybersecurity program needs to be carefully orchestrated. It is imperative that CIOs and CISOs join forces to develop a program that includes technology, an incident response plan, a business partnership, corporate policies and a user awareness program.”
Cybersecurity has always been top of mind for CIOs and health system IT leaders, but it has become critical after these recent attacks. While some cybercriminal organizations pledged to halt attacks during the pandemic, it appears at least some have resumed hits on hospitals and clinical organizations. Several compounding factors have made healthcare organizations targets at this time: they are likely to pay the ransom to restore systems as quickly as possible and resume patient care, and they hold valuable information about COVID-19 research and vaccines.
“Today, most every health system is combatting the COVID-19 pandemic in some way. This pandemic has our staff stressed and tired. These two combinations can affect the attention to details when using technology tools such as email; processes such as patching equipment; periodic maintenance on clinical equipment etc. This generates risk for any health system,” said Brian Jones, CIO of Billings (Mont.) Clinic. “Locally, our cybersecurity approach is always being reviewed from the position of risk to the organization and patients we serve. We believe in a holistic approach from investing in staff education and have them as our front-line cyber-defenders, exercising simulated phishing attacks, ensure our network alignments and segmentation effectively add a layer of defense for our clinical products and of course multi-factor authentication.”
The shift to remote work during the pandemic has also potentially made it easier for cyberattacks to occur.
“It’s not a good week for healthcare,” said Kathy Hughes, CISO of Northwell Health in New Hyde Park, N.Y. “Healthcare is and has been the No. 1 target for cyber crime and the number of attacks on healthcare organizations has been increasing exponentially over the past few years, primarily because of the value of data they can obtain from a successful attack, and the fact that cybercriminals know that if they lock up systems and data, that has a significant impact on operations.”
Ms. Hughes said the recent attacks have caused her and her team to reflect on their systems and hold internal discussions about the controls and intelligence in place to combat cyberattacks. She said Northwell has a “defense in depth” strategy that layers physical, administrative and technical security measures to minimize any attacks.
“It’s having multiple layers of protection and defense in place that provide the best defense and outcomes from an event because you aren’t relying on one technology or method to protect the environment,” she said. “We are revisiting basic cyber hygiene organizationwide and making sure our systems are patched. It’s become a challenge now with the expanded remote workforce that we’ve been living in since COVID-19, but we are making sure systems are patched and that they have encryption and malware protection in place.”
She also said the health system is focused on securing endpoints in addition to having the right firewalls in place.
“The concept of firewalls on networks is a thing of the past,” she said. “We are focused on making sure the points of entry, whether phishing attack or user interaction with an email, clicking on the link, opening an attachment, or providing credentials, are shored up. Our people are the last line of defense and are our human firewalls.”
Northwell already had the pervasive message organizationwide that everyone should be looking out for potential cyberattacks and report any suspect activity to the help desk. The health system also published a message recently on the system’s intranet reminding people to stay vigilant against potential threats and reconfirming their role in keeping the system secure.
“Everyone in the organization is a member of the security team in preventing this kind of attack,” she said. “We want to make sure we have good backups in case something does happen and promote security awareness so everyone will be vigilant and tap into the threat intelligence resources we have to get the latest and greatest information and ensure best practices are in place. We are constantly monitoring and detecting and responding to incidents that come up for review.”
Mitch Parker, executive director of information security and compliance at Indiana University Health, said cyberattacks will continue to grow and that he sees partnerships as a vital part of defenses.
“The approach to IT Security that we need to take is to continue to be vigilant, focus on the effectiveness of security controls, and continually re-evaluate and improve them,” he said. “Collaboration with our peers and threat intelligence are no longer nice-to-haves, they are requirements. The only way we are going to improve and reduce the effectiveness of these attacks is through continual re-evaluation, collaboration, and intelligence-sharing. We’re not going to solve this through magical thinking.”
Dave Summitt, CISO at Moffitt Cancer Center in Tampa, Fla., reiterated the importance of working with teams to prevent cyberattacks.
“It pains me to hear of healthcare organizations getting attacked. Disrupting healthcare operations can be dangerous and life-threatening. Without knowing specifically what has happened at UHS, it’s difficult to draw conclusions; however, this event should be a reminder to all healthcare organizations that certain items should never go unattended or maintained, such as downtime procedures, business continuity and disaster recovery plans,” he said.
“In addition, cyber teams should be in a constant state of monitoring and proactively looking for issues within their network and systems and be quick to respond. System updates and patching are always critical and all cybersecurity programs should include a very detailed and robust security awareness program as nearly all cyberattacks are initially carried out through a single user’s action.”
© Copyright ASC COMMUNICATIONS 2020.