Another Type of Virus? COVID-19, Hospitals, and Cybersecurity

July 13, 2020
David Hoffman, Steed Family Professor of the Practice at the Duke University School of Public Policy and Associate General Counsel at Intel Corporation

Art Ehuan, Vice President for Cyber Risk and Resilience Management Practice at The Crypsis Group

As if hospitals do not have enough to worry about during the COVID-19 public health emergency, there are now many reports of an increase in healthcare-focused cybersecurity attacks. On April 8, 2020, US-CERT published a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) warning of the increased number of cybersecurity attacks using COVID-19 themes. The advisory notes an increase in the following types of attacks:

· Phishing, using the subject of coronavirus or COVID-19 as a lure

· Malware distribution, using coronavirus- or COVID-19-themed lures

· Registration of new domain names containing wording related to coronavirus or COVID-19, and

· Attacks against newly—and often rapidly—deployed remote access and teleworking infrastructure

Microsoft published guidance on April 1, 2020, specifically calling out concern about ransomware attacks on healthcare organizations. For years now, hospitals have been among the hardest hit by ransomware attacks. Now that Congress, the U.S. Department of Health and Human Services (HHS), and the U.S. Food and Drug Administration (FDA) have provided regulatory flexibility to allow for greater use of telehealth solutions, hospitals and healthcare providers are rapidly deploying new information technology systems. At the same time, many of these hospitals and providers are under great strain to handle the surge in COVID-19 patients who need care. Attackers always look for targets that are deploying new technology while struggling to keep up with capacity. Unfortunately, ransomware attacks on hospitals and healthcare sector organizations during this crisis are following that pattern.

With hospital information technology departments focused on enabling doctors to use new telehealth solutions and on combating these increased attacks, it is critical now for the healthcare sector to fully embrace risk management processes to prioritize resources for protecting sensitive patient data and systems. As healthcare organizations also face budgetary shortfalls due to the COVID-19 pandemic, priority should be placed on developing and implementing durable cybersecurity programs that can adapt to the changing technologies of telehealth. A critical priority should be governance structures for the board of directors and executives of these organizations. These processes need not be costly, as oversight should already exist in other areas, including finance and quality of care. Top executive staff and the board should review the cybersecurity program at least quarterly and receive detailed briefings on the results of staff's risk management analysis. These cybersecurity reviews will enable active involvement of top leadership in understanding how the organization is protected and how to implement the most cost-effective and reliable solutions.

One tool hospitals should use to assist with the risk analysis is the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity (CSF). In 2014, NIST released the CSF pursuant to Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. EO 13636 also called on sector-specific agencies like HHS to "coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments." NIST organized the CSF around five core Functions:

1. Identify: Developing an understanding of how to discover and manage cybersecurity risks

2. Protect: Supporting the ability to limit or contain the impact of cybersecurity events

3. Detect: Defining how to identify cybersecurity events

4. Respond: Outlining how to take action after a cybersecurity event is detected, and

5. Recover: Identifying how to repair and restore any services that were affected by cybersecurity events

Soon after publication of the CSF, a healthcare sector working group published a report on how to implement the CSF in healthcare organizations.

Now is the critical time for hospitals and healthcare providers to implement the adaptable CSF for their organization. The CSF design is well suited to provide the board and executives with a high-level overview and understanding of the cyber risk to their organization, so that prioritized mitigation, based on the threats facing a healthcare organization, can be planned for and implemented. Through its Framework Implementation Tiers, from Tier 1 (Partial) to Tier 4 (Adaptive), the CSF also provides context on how rigorously the organization manages its risk exposure. NIST cautions that the Tiers are not maturity levels, but an organization whose practices sit at Tier 1 (ad hoc, reactive risk management) is generally more exposed than one operating at Tier 3 (Repeatable) or Tier 4 (Adaptive) across the five Functions identified above. Healthcare sector organizations should strive, within their existing budget and resources, to reach the highest Implementation Tier appropriate to their risk across the enterprise as soon as possible, to minimize risk from cyber threats as the pandemic rages across the globe.

It is understandable that all healthcare resources may be focused on directly combating COVID-19. However, to make sure we save the maximum number of lives, we also need to understand that malicious actors are attempting to use ransomware and other cybersecurity attacks during the emergency. Without focus on both types of viruses, our healthcare system may break.
