Top 10 privacy and security stories of 2020
As we write this on Wednesday, the massive SolarWinds cyberattack, purportedly perpetrated by Russian intelligence and impacting some 18,000 government agencies and private sector businesses, is just starting to come into focus. So far, the healthcare dimensions of the hack include the apparent targeting of the National Institutes of Health.
It appears to be the kind of state-sponsored effort that Sen. Angus King, I-Maine, spoke about during the HIMSS Healthcare Security Forum just this past week – when he shared some of the health-sector implications of the recent bipartisan Cyberspace Solarium Commission, which seeks to shore up some of the shortcomings of America's cyber preparedness.
"Part of the failure of our strategy thus far has been a lack of a real deterrent, a lack of something that our adversaries feel is something they have to worry about," said King. "Historically, there hasn't been much of a cost paid by our adversaries."
Meanwhile, other senators briefed on the SolarWinds attack have said they're "deeply alarmed, in fact downright scared" by its implications. So it's a good bet we'll be talking more about this cyber incursion as we head into 2021.
In the meantime, here's a look back at some of the most-read HITN stories about the myriad privacy and security challenges of the past year.
WHO, coronavirus testing lab hit by hackers as opportunistic attacks ramp up. Anyone who might have been inclined to believe in a proposed hacker "ceasefire" as the pandemic gained ground was quickly disabused of that notion. Cyber crooks took aim at an array of key targets from the very early days of the COVID-19 crisis. One (unsuccessful) attack spoofed a webpage to resemble a login portal for World Health Organization employees.
HHS floats major changes to HIPAA Privacy Rule. This is a recent one – just this month, in fact – but it's a change that's been long discussed. The new proposed rule would expand individuals' rights to access their own digital health information, boost information-sharing and case management across the care continuum and enable greater family and caregiver involvement during public health emergencies, said HHS Office for Civil Rights.
FBI, HHS warn of 'increased and imminent' cyber threat to hospitals. In a rare evening-time joint alert this past October, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation and the U.S. Department of Health and Human Services said they had "credible information" that "malicious cyber actors" may soon be planning to "infect systems with Ryuk ransomware for financial gain" – perhaps targeting hundreds of hospitals and health systems.
Cyberattack on Czech hospital forces tech shutdown during coronavirus outbreak. Just weeks into the pandemic's spread, Brno University Hospital – home to one of the largest COVID-19 testing facilities in the Czech Republic – was hit with an attack that compelled it to use paper-based charts, cancel operations and re-route new patients to other hospitals. In this instance, that was about the extent of the disruption; after a separate European ransomware attack this year, this one in Germany, the tragic consequences were much more severe.
Cyberattacks continue to mount during COVID-19 pandemic. It quickly became apparent how the COVID-19 crisis was upending and reshuffling nearly all healthcare processes and workforce strategies across the industry – and how that was offering many new opportunities for cybercriminals.
"One of the reasons for this increased risk to the supply chain and the healthcare sector is a rise in the number of people who are now working from home because of the COVID-19 pandemic," said one researcher. "As a result, companies now face technology risks such as unmanaged devices, shadow IT and insecure access, along with human risks like increased phishing attempts."
FDA issues cybersecurity alert on GE Healthcare medical devices. This alert, from back in January – which spotlighted vulnerabilities in Clinical Information Central Stations and Telemetry Servers that could "allow an attack to happen undetected and without user interaction" – isn't to be confused with a more recent alert, this one from CISA, about newly detected vulnerabilities in an array of radiology tools that could enable remote exploits on compromised connected devices.
Coronavirus outbreak used by hackers to spread malware. "Malicious actors are using the outbreak of the Wuhan novel coronavirus, or 2019-nCoV, as an opportunity to launch email-based cyberattacks," we wrote back in February, when the virus was still new and somewhat theoretical to many Americans. Proofpoint called attention to the phishing campaigns, which were themed around "conspiracy theory-based fears around 'unreleased cures'" and aimed to trick users into "accepting malware by abusing perceived legitimate sources of health information."
As COVID-19 cases increase, so do privacy concerns about EHR snooping. Insider staff snooping has long been a major concern for hospital security leaders, even in normal times. (When celebrity patients such as Kim Kardashian and George Clooney are involved, the privacy stakes are even higher.) A new and headline-grabbing phenomenon like the coronavirus offered ripe conditions for unauthorized electronic health record access, said CynergisTek – which launched in the spring to identify aberrant activity in EHRs.
Telehealth is biggest threat to healthcare cybersecurity, says report. It's become a truism by now, of course, that "the rapid pace at which telehealth applications were rolled out during the pandemic made them attractive targets for cybercriminals." But another report took a deeper look at 30,000-plus healthcare organizations to see how reliance on telehealth amplifies risk.
Across nearly 150 different platforms, it found vulnerabilities in application security, endpoint security, IP reputation, patching cadence and network security. "Patients connect with telehealth providers using web-based applications that include structured and unstructured data," researchers said. "With the exponential increase in use of these applications, cybercriminals targeted them more purposefully."
Major security incidents are the new normal for hospitals and health systems. The telehealth boom may have subsided somewhat, but the risks are still there. (Indeed, some have predicted that the speedy rush to cloud hosting this spring and summer, often without proper due diligence, might set the stage for an even longer-lasting "cyberpandemic" in 2021.)
Meanwhile, the variety of threats continues to expand and the breaches get bigger. "Significant security incidents are the norm," was the sobering takeaway of the 2020 HIMSS Cybersecurity Survey – which also found that cybersecurity budgets are still not close to where they should be at most healthcare organizations, with just 6% or less of information technology budgets typically allocated to cybersecurity.
Taking Stock of Progress and Looking Ahead
This December, we look back at a challenging year – and forward to what we hope is a better, stronger, more connected and resilient healthcare ecosystem.