Michelle Drolet, CEO of Towerwall
Healthcare organizations have faced continual stress from heavy COVID-19 caseloads in 2020. Cyberattacks on their information networks also loomed as a serious threat, and the pressure to protect data is expected to grow this year, as more criminals target healthcare providers.
Protecting patient data from unauthorized access has long been a regulatory prerequisite for healthcare organizations. But increasingly, cybercriminals see profit potential in attacking and crippling their networks, and restoring operations carries a high cost: the expense of repairing IT capabilities, as well as lost revenue, productivity hits, and erosion of community trust.
The rising pressure to protect data systems is prompting healthcare IT security executives to take a hard look at security procedures, and ways to identify and secure potential network weaknesses.
Attacks on the Rise
The need to batten down security hatches has grown in recent months, as COVID-strained healthcare has been hit with devastating cyberattacks, and government agencies warned that more could be coming.
In late October, the FBI and two federal agencies warned that they had credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. The potential attacks were attributed to a Russian-speaking criminal gang targeting providers with TrickBot and BazarLoader malware, leading to ransomware attacks, data theft, and service disruption. The agencies noted that the issues will be particularly challenging for organizations within the COVID-19 pandemic.
The federal warning came on the heels of several high-profile security breaches. In one attack, UVM Health Network had about 5,000 network computers rendered inoperable by a system outage that lasted 40 days; about 300 workers were furloughed because the outage prevented them from doing their jobs. The organization noted that its IT staff had to rebuild the entire infrastructure before re-populating it with backed-up files and data, in addition to scanning and cleaning 5,000 computers and endpoints that had been infected. Hospital executives estimate the total cost of the attack at more than $63 million.
Another large cyberattack crippled Universal Health Services, a large hospital system that had a massive IT network outage in late September. The IT outage for the health system lasted eight days after a malware attack; it used downtime protocols and paper records during the outage.
Some reporting suggested that attackers are mounting ransomware attacks on healthcare system networks and charging higher-than-usual fees for its removal, suggesting that criminals may be targeting as many as 400 different facilities across the country.
More broadly, attacks are being aimed at the entire healthcare sector, according to reports from Microsoft. The technology company reported that it has detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for COVID-19.
In addition, providers could face monetary fines from the Office of Civil Rights of the Department of Health and Human Services, which has the prerogative of assessing fines on healthcare organizations or business associates for lack of compliance with HIPAA and willful neglect of practices that protect patient information. As of November 2020, OCR has settled or imposed penalties in 92 cases, resulting in fines of almost $130 million.
Boosting Security Efforts
To counter these threats, healthcare organizations are taking a variety of steps to improve their security postures. Protecting healthcare information is increasingly becoming a challenge because of growing pressure for healthcare entities to distribute healthcare information to better coordinate care, engage with patients and comply with regulations forbidding information blocking. Also, the COVID-19 pandemic has fostered the use of remote patient monitoring and telehealth services, which increase the amount of patient information being exchanged on provider networks.
An important component of ensuring information security for provider organizations involves regularly testing the defenses that protect access to crucial networks. Penetration testing is one way to check for the effectiveness of cyber defenses before potential incidents, rather than afterward, when patient care can be disrupted and expensive to resolve.
Also known as a pen test, the exercise simulates a cyberattack against a healthcare organization's network to check for vulnerabilities that attackers could exploit. Pen testing can involve outside white hat hackers who attempt to breach application systems to find vulnerabilities, such as unprotected inputs that are susceptible to code injection attacks.
Pen testing can be complex, looking for weaknesses that can be exploited by insiders as well as outside attackers. It can involve significant preplanning in terms of reconnaissance, analysis of how systems and defenses respond to different forms of attack, and attempted exploits of system weaknesses such as cross-site scripting, SQL injection, and backdoor efforts. It can also include human engineering efforts, such as different forms of phishing attacks, to see if system users need training so they don't give their network login codes to cybercriminals.
Analysis of such efforts also is complex, assessing which vulnerabilities were found and exploited, if any sensitive patient data or administrative systems could be accessed, or how long a pen tester could remain in the system undetected after gaining access.
Many organizations conduct annual penetration tests, subjecting defenses to internal, external and application attacks designed to emulate real attacks. In addition, healthcare organizations do such testing to meet compliance obligations for standards such as NIST 800-35, CIS, ISO 27001, PCI DSS, and SOC2, which require businesses to conduct regular penetration tests and security reviews using skilled third-party testers.
But the threat environment for healthcare organizations is always changing, and cybercriminals are constantly honing their skills to access networks and extract value from their attacks. To effectively protect critical systems and private health information, healthcare organizations need to develop customized approaches, utilizing the latest techniques, tools, and technical expertise from outside the organization to understand vulnerabilities and develop an actionable remediation plan.
About Michelle Drolet
Michelle Drolet is the CEO and co-founder of Towerwall, a woman-owned cybersecurity company. She serves as chairperson of the Board of Directors. As one of Towerwall's resident cybersecurity experts, Ms. Drolet assists organizations through the risk mitigation process to help them protect critical data by the evaluation, establishment, education, and enforcement of sound cybersecurity, network security, and data security practices. Reach her at michelled@towerwall.com.