Temporary hospitals are rife with cybersecurity vulnerabilities

Ad hoc COVID-19 medical centers have a unique set of vulnerabilities: They're remote, they sit outside of a defense-in-depth architecture and the very nature of their purpose – care in a time of crisis – means security is a lower priority.
By Nathan Eddy
12:53 PM

(Photo: Getty Images-WPA Pool / Pool)

The COVID-19 outbreak has led to a series of rapidly established medical-treatment units the world over, which will be utilizing remote-care devices that lack proper protection. The situation gives hackers more opportunities to perpetrate attacks.

They could also infiltrate these devices to steal a patient's personal health information, causing complications for both the users of these devices and the healthcare providers themselves.

Temporary medical units carry a unique set of vulnerabilities due to the fact they are remote and sit outside of a defense-in-depth architecture. Because of the very nature of their purpose – to care for patients in a time of crisis – IT security is naturally lower on the priority list.

"They are being set up quite quickly with constrained budgets, and the budget for those is not on IT, it's on PPE, patient care, getting testing set up, everything a center should be focused on during this crisis," Tom Burt, corporate vice president of Microsoft Customer Security & Trust, told Healthcare IT News.

He explained that some immediate steps healthcare organizations can take include making sure software is updated and fully patched – what Burt calls the "number one hygiene" measure they can do to make sure they are resilient – as well as enabling two-factor authentication for every account that has access to the pop-up center's system.

Because ransomware and phishing attacks are the most common types of cyberattacks on healthcare systems, Burt also recommends ensuring the system is backed up offline, and going through practice exercises.

"If you are a victim of ransomware, you want to make sure you get your system back up and running as quickly as possible so you don't have to pay the criminals to get your data back," he said.

While he noted the transmission of the data from a temporary facility to a home facility like the CDC or WHO is not particularly vulnerable, what he has seen is state actors looking for the most vulnerable point in a communications network.

Those state actors may focus on those temporary facilities as vulnerable points, and if they can successfully infect that facility, they can use that control over a device to further communicate with another organization.

"That communication would then appear to be legitimately coming from the pop-up facility, and it's easier to get the recipient to click on the link and get themselves infected," he said.

To that end, Microsoft recently expanded the availability of its AccountGuard security service program to help healthcare organizations defend themselves against cyberattacks from nation states.

The company has also rolled out a series of services to help bolster security during the outbreak, including advisories on protection from COVID-19-related phishing attacks.

Administrators already fight on a daily basis to patch, upgrade and maintain physical systems within predefined facilities, and these systems are available 24/7, 365 days a year, which means there is a constant routine to maintain security hygiene.

"On the other hand, temporary medical units are impossible to maintain for the reason they are not often employed," Travis Volk, technical vice president at Radware, explained. "Because these weaker networks are also connected to broader medical organizations, it increases the potential entry points for hackers seeking to infiltrate a hospital."

He noted it's also true that using wireless connectivity opens a localized opportunity for hackers to monitor traffic over air and increase the odds of identifying legitimate credentials to simplify their access.

Natali Tshuva, CEO and cofounder of IoT cybersecurity company Sternum, said it's the rapid deployment of these temporary medical units that concerns her the most.

"Because we are establishing these units so quickly, there simply is not enough time to build the proper IT infrastructure to protect the overall network, either via an effective firewall or through other cybersecurity measures," she said.

Furthermore, the vast majority of these temporary medical units will be highly dependent on connected medical devices due to the demands of remote care, monitoring devices and infrastructure like smart beds.

These medical IoT devices rarely have any embedded security and remain particularly vulnerable, Tshuva noted, and pointed out healthcare organizations came into this pandemic facing an uphill struggle.

Now, as they must establish these temporary medical centers to battle the consequences of the pandemic, the cybersecurity risks are further heightened.

"If we were not in the midst of a pandemic, defense measures established by broader medical organizations would have more of a fighting chance to stop malicious parties from being able to initiate attacks against medical devices within hospitals, as these devices would be in a controlled environment," she explained. "But these temporary medical units leave the connected medical environment more exposed than ever before."

Caleb Barlow, CEO of cybersecurity firm CynergisTek, pointed out that in addition to temporary facilities, there are now hundreds of thousands of remote-healthcare workers who are not working directly with patients but have access to providers, patient data, and financial data, and are on the same email system.

"Gaining access to the remote worker is one thing, but now using that access to get into the hospital's resources creates a situation that, frankly, no provider was prepared for," he said.

"Added to the quick deployment in less than ideal circumstances, you now have users who have most likely not been fully trained on new devices, new networks and a new set of login credentials in many cases."

Barlow explained that in a remote medical facility, when a physician is accessing the electronic healthcare records, the endpoint and the network are totally unknown.

In many cases, these remote facilities are in stadiums or convention centers running on the network in that location, which likely lacks the network-security provisions that one would normally expect.

"The endpoint is also unknown, and might be a shared computer, personal workstation or a rented laptop," he said. "The only layer of security left are the access credentials and, simply put, if the bad guy has those, then they are likely inside the EHR."

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209