Why a data security sting lurks in COVID-19’s long tail
The word ‘unprecedented’ seems to have been used on a daily basis during the COVID-19 pandemic, particularly when it comes to the impact of the virus on patients, clinicians, resources and care delivery. But it has resonated equally strongly with hospital chief information security officers (CISOs), with its power to either stiffen resolve or ratchet up already stretched nervous tension as data security faces a whole new scale and level of cyber threats.
Far from arriving alone, the virus was accompanied by a host of cyber aggressors with an eye on the vulnerabilities that would almost certainly be exposed in the armour of healthcare institutions while attention and energy were diverted to the frontline of patient care.
Threats descended from all directions as organized cyber-crime breached hospital defenses to launch ransomware attacks. Some agencies even identified the hacking of coronavirus research lab systems by rival states as a real and growing threat. At the same time, the rapid rollout of new telehealth systems to reduce physical contact by enabling virtual patient communications and consultations was opening up a whole new front in the health data security war.
Cyber-attacks on the rise
Within weeks of the WHO declaring a pandemic on 11 March, the organization itself was reporting a five-fold increase in cyber-attacks on its own systems. In the UK, the C5 Capital alliance of cybersecurity businesses had already noted a 150% increase in attacks on healthcare systems between mid-January and March.
A series of high-profile incidents also made headlines. Access to systems across Brno University Hospital in the Czech Republic was disrupted and coronavirus test results delayed by a ransomware attack on the hospital’s research lab. In London, Hammersmith Medicines Research fell victim to a similar attack. And in the United States, the US Health and Human Services Department was hit by a DDoS assault.
By May, agencies including the National Cyber Security Centre (NCSC) in the UK and the Cyber Security and Infrastructure Security Agency (CISA) in the US were advising healthcare staff to change passwords and implement two-factor authentication in the face of a rising tide of password spraying attacks.
Given the scale of this onslaught – and the potential value of a rapidly accumulating and immensely valuable volume of patient data – it would not have been surprising for any institution to find itself caught on the back foot.
“Hospital CIOs are pulled between two worlds – security on the one hand and accessibility on the other,” says Matt Lock, technical director UK at data security expert Varonis. “Medical staff and other personnel require access to patient records for care and book-keeping, but this exposure comes with added risk. Secure networks, long passwords, and employees following IT and security best practices are good in theory. Still, they are often far from reality when unpatched and outdated systems, shared logins, and even passwords scribbled on sticky notes leave information exposed and vulnerable.
Just one mistake
“The NHS, or any organisation, could have strict security processes in place. But it only takes one employee and just one click to open the door to a cyber-attack. Cloud collaboration platforms have introduced additional risk by giving employees a variety of new ways to copy, save, and share data with just about anyone. Many organisations are behind on their cybersecurity checklists on a good day when it’s business as usual. Add a global pandemic to the mix, and it’s a recipe for disaster.”
In the stretched, stressed and distracted environment of a hospital at the height of the pandemic, the possibility of even one individual taking their eye off the data security ball and using a short-cut to access information could be just the weakest link the cyber aggressor is looking for. And the more sophisticated threats don’t announce themselves with a grand-standing ransom demand. They sneak in, establish themselves and quietly work their way around hospital systems, applications and devices, exploiting weaknesses and gathering information until they are in a position to cause maximum damage.
“With telehealth, we have many more devices and connections now involved with healthcare – every one is a new way in,” says Patricia Carreiro, a data privacy and cybersecurity litigation attorney at Carlton Fields, a national law firm in the US, where the Office for Civil Rights (OCR) has temporarily relaxed some security requirements. She says this means that valuable healthcare data is now being transferred over less secure technology.
“Healthcare data carries an extraordinarily high value on the black market, typically worth 10 to 40 times more than a credit card number,” she adds. “Transferring such valuable information over unencrypted technologies, as now temporarily permitted, creates a situation ripe for hacking. Hackers can simply insert themselves in the unsecured communication, take the information they desire, and proceed to sell the information to perform various types of healthcare fraud or identity theft.”
More broadly, says Carreiro, hackers are increasingly targeting healthcare providers, looking to take advantage of any unpatched systems or similar vulnerabilities.
“Perhaps one of the largest vulnerabilities caused by COVID is a particularly distracted/stressed workforce, who may be increasingly likely to fall for phishing emails,” she continues. “One wrong click, and an entire hospital system could come screeching to a stop. And the increasing need for technology and medical services only gives hackers more leverage to extract hefty ransoms from hospitals looking to regain access to their data and systems.”
At Varonis, Matt Lock says the range of data contained in hospital systems makes them prime targets for an equally wide range of threats, from well-funded attackers looking for medical data to steal, to hackers demanding ransom payments to decrypt patient data.
The nature of new applications – tracing systems, for example – that might link into healthcare systems is also adding to the value of the data, inevitably raising privacy issues.
“COVID-19 related information is typically personal health information,” says Mike O’Malley, VP carrier services at security and network specialist Radware. “Daily temperature, flu symptoms, underlying health conditions (heart disease or diabetes for example), insurance provider if applicable, as well as GPS and daily movement data about the subjects and where they are tested each day, who they interact with, who those people interact with and so on. Personal data such as this is very valuable on the dark web both for identity theft as well as mass illegal surveillance.”
According to Lock, for the hospital CISO tasked with keeping on top of all this, fire-fighting means that proactive management tends to take a back seat – as do security audits. In the UK, NHSX has even pushed back the deadline for NHS organisations to complete their Data Security & Protection Toolkit (DSPT) submissions until the end of September.
While this keeps CISOs free to focus on the wider COVID-19 response, delayed updates could open up new vulnerabilities in hospital defences – and store up legal problems for the not-too-distant future. Patricia Carreiro says the implications of this fall into two types: those related to litigation and those that are more operational.
Operational implications relate to policies, notices, consents and contracts. Carreiro says that healthcare providers should verify that the changes they quickly made to meet the demands of COVID are reflected in their privacy policies and notices, that they are providing all required disclosures, and that they are securing all necessary consents.
“In addition, they should verify that any new contracts they quickly entered meet their legal obligations and plan for how these contracts may need to be amended after COVID,” she says.
These will vary in different countries but in the US, while healthcare providers may not currently need a business associate agreement with their telehealth service provider, they almost certainly will once COVID passes. Given the increasing number of attacks on healthcare providers, an immediate update and rehearsal of the organisation’s incident response plan is also recommended.
There is also the danger of litigation following a breach. Globally, healthcare data breaches cost the industry billions each year. Again in the US, Carreiro explains, even beyond reputational harm and lost business following a breach, hospitals and healthcare providers face reporting obligations under state and federal law and expensive litigation from regulators, contractual relations, and impacted individuals.
“While some falsely take comfort in HIPAA not having a private right of action, patients whose information is compromised can sue providers under a number of theories, most notably, negligence, unfair trade practices, and, in some instances, fraud,” she warns. “While OCR may not prosecute healthcare providers for using some less secure technologies, [it] has not given providers a pass on all HIPAA obligations, and nothing stops others (like consumers) from suing if their information is compromized.”
In other words, for hospital CISOs everywhere, data security could yet prove a sharp sting in the very long tail of the COVID-19 pandemic once the reckoning begins.