Feb 16 2021

How to Build Security Resilience in Healthcare Beyond COVID-19

For some organizations, the pandemic has exposed vulnerabilities related to ransomware and phishing campaigns.

The COVID-19 pandemic has expanded telehealth and compelled a shift to remote work, but the flexibility of these activities also has added vulnerabilities to many healthcare organizations.

Texas Children’s Hospital in Houston shored up its security infrastructure in early 2020 by establishing an incident command center. Its objective was to keep safeguarding the network while enabling clinicians to provide quality patient care, says Teresa Tonthat, CISO and assistant vice president of IT at Texas Children’s. Since the health system had already enabled secure remote work technologies, it was prepared to scale remote work to thousands of employees, she says.

“As the nation’s largest pediatric hospital system, we understand the importance of the continuous enhancement of our cybersecurity program at Texas Children’s,” Tonthat says.

Hackers Use Pandemic-Related Tactics in Phishing Scams

During the pandemic, Texas Children’s has seen a 100 percent increase in scam emails related to the coronavirus, COVID-19 and personal protective equipment, Tonthat says. Many of the attacks targeted the supply chain and accounts payable groups.

“Email could be our worst enemy sometimes because that’s the gateway in,” she says. When suspicious emails come in, Tonthat’s team reviews those that pass through the email security stack to confirm their validity.

“We see it happen all the time — there has definitely been an increase during COVID,” Tonthat says. “We’ve been faced with many targeted attempts around PPE-type fraud schemes.”

Luke McNamara, a principal analyst at the Mandiant Threat Intelligence unit of FireEye, saw the incorporation of COVID-19 into various phishing campaigns as a theme amid the surge of cases in the U.S. last spring, similar to the jumps in thematic phishing that happen during tax season or the holidays. Such emails often have a malicious link or attachments, he says.

“The intent is to get the user to open that file and deploy the malware — unwittingly, of course — or click on a link and enter their credentials into what appears to be a legitimate web page, which then get captured,” McNamara says.

Any emails with COVID-19 in the subject line or in an attachment filename should be examined carefully.
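One way to automate that first-pass check, shown as an added example that is not from the article or from Texas Children’s tooling: a Python triage function that flags a message for analyst review when its subject or an attachment filename carries the lure terms the article names. The keyword pattern, function name and sample message are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Lure terms named in the article: coronavirus, COVID-19, PPE.
# The lookarounds stop "ppe" from matching inside words such as "Stepper".
LURE = re.compile(
    r"covid|coronavirus|(?<![a-z])ppe(?![a-z])|personal protective equipment",
    re.IGNORECASE,
)

def review_reasons(raw_message: str) -> list[str]:
    """Return the reasons a message should be examined by an analyst."""
    # policy.default decodes RFC 2047 subjects and RFC 2231 filenames,
    # so encoded headers cannot hide the keywords from the pattern.
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "")
    if LURE.search(subject):
        reasons.append(f"subject: {subject}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if LURE.search(name):
            reasons.append(f"attachment: {name}")
    return reasons

# Constructed sample: encoded subject plus a macro-enabled attachment name.
SAMPLE = """\
From: supplier@example.com
To: ap@example.org
Subject: =?utf-8?q?Urgent=3A_COVID-19_PPE_order?=
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Coronavirus_invoice.xlsm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for reason in review_reasons(SAMPLE):
        print("REVIEW", reason)
```

A keyword match only routes the message to review; it does not decide whether the message is malicious.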

Texas Children’s has established multiple layers of defense for email. The stronger the security, the more likely actors will give up and go to an easier target, Tonthat says. She notes that customers using Microsoft 365 gain an additional layer of email defense.


A proper security setup includes multiple controls such as a proxy, network firewall, application-level firewalls, encryption, dedicated denial of service protection and two-factor authentication, Tonthat says. She also advises that, where possible, organizations consider geolocation blocks to guard against overseas threat actors.

Health systems also should implement systems like “tap and go” to log on to EHR systems, and facial recognition is another tool for consideration. Together, password, badge and physical access comprise the multiple layers of strong access management for a hospital.

Texas Children’s conducts phishing simulations to train staff to respond appropriately to malicious emails. The idea is to ensure that physicians, nurses and staff aren’t caught off guard as they focus on attending to patients, Tonthat says.

During the pandemic, simulations to enhance workforce vigilance have been considered critical, she says.

“We send them a phishing email, and we monitor who clicks, who forwards, and make sure they take the required training,” Tonthat says. “Cybersecurity is everyone’s responsibility. During the pandemic, we have engaged our executives to help raise awareness of cybersecurity threats to their teams, and we have seen a very positive shift in human behavior.”

Ransomware Poses a Threat to Health Systems

Ransomware has been one of the biggest threats facing hospitals, particularly the prospect of this type of attack slowing down a health system in the middle of a pandemic.

“The fact that they could be disrupted by these operations is certainly something that is concerning,” McNamara says.

In 2020, in addition to installing ransomware on PCs, threat actors exfiltrated data and publicly posted it online, which caused privacy and regulatory issues. To avoid losing data during an attack, healthcare organizations should secure and back up data off the network, McNamara advises.

In October, the FBI, Cybersecurity and Infrastructure Security Agency, and the Department of Health and Human Services alerted Texas Children’s about cyberthreats related to ransomware targeting providers, Tonthat says.

Among other threats, she points to the danger of financially motivated, nation-sponsored hacking. “You steal the data to sell it on the dark web and disrupt operations because you believe you will be able to get a ransom by the victim organization,” she says.


Identify Security Risks Related to Connected Medical Devices

Texas Children’s performs an inventory on its 7,000 devices that are network-connected (out of a total of 45,000 medical devices). It installs sensors to monitor the medical devices and uses behavioral analytics to detect anomalies. For example, the security operations center will receive an alert if a pump communicates with the electronic health record system in an unusual way.

Hospitals must exercise caution when placing security agents on medical devices because the devices can become inoperable and the warranty can be voided, Tonthat notes. She recommends that organizations consider segmentation when connecting medical devices from the patient to a corporate network.

Plan for the Next Wave of Security Vulnerabilities

McNamara expects ransomware to continue to be a problem, so educating all parts of the organization on how to prevent and respond to ransomware will be key.

“Security training and promoting good security hygiene, as simple as it sounds, can bear a lot of fruit in terms of increasing the overall security of the organization,” he says.

Security threats will continue to evolve after the pandemic, just as they have during it, and that will require an ongoing investment in people, processes and technology. Automation, artificial intelligence and machine learning are all important technology components that enable organizations to combat threat actors’ level of sophistication, says Tonthat.

“It’s not a one-time investment, and then you stabilize it,” she says. “It’s ongoing because the threat actors are not taking breaks or time off, so why should we?”
