How the war in Ukraine threatens hospital cybersecurity — and what to do about it

On April 20, shortly after the United States imposed economic sanctions on Russia in response to its invasion of Ukraine, the US Department of Homeland Security issued a security warning: malicious actors, including the Russian government, are exploring possible cyber attacks on targets in the United States.

The statement warned that the healthcare sector is high on the list of possible targets. Concerns include ransomware (the remote blocking of a network until a fee is paid), as well as malware that permanently deletes affected files, such as patient records.

“After an attack, it can take at least four weeks to get back online … I still haven’t found any organization that is fully prepared to be offline for so long.”

Teaching hospitals are prime targets for many reasons, including the sophisticated biomedical research they conduct and the life-or-death nature of their work, says John Riggi, a former senior executive in the FBI’s Cyber Division who now supports hospital cybersecurity efforts as the American Hospital Association’s Cybersecurity and Risk Advisor. They also host valuable digital assets – personal health information, credit card numbers, and more.

“Health care has data that could be invaluable to adversaries seeking information about U.S. military and government leaders,” says Riggi, who spent nearly three decades with the FBI.

The health sector could also suffer collateral damage in a Russian cyber attack targeting Ukraine. “While war may seem far away, a computer virus can spread globally just like a biological virus,” Riggi warns. In fact, in 2017, a Russian cyberattack on Ukraine quickly shut down medical billing and transcription services used by thousands of U.S. providers.

Cyberattacks on medicine have been growing for years as electronic health records and other digital tools widened the vulnerability of systems, experts say. “It is often impossible for Russian criminals to steal a truck loaded with patient records, but with the Internet, they were able to access dozens of loaded trucks,” says Riggi.

And then COVID-19 hit, straining staff, diverting resources and increasing vulnerabilities through teleworking and remote care.

“Opponents have not given us a humanitarian break during the pandemic,” says Riggi. “Instead, they saw it as an extended opportunity.” In 2021, the reported cyber theft of protected health information affected a record 43 million people in the United States, and from March 2022 to April, those attacks increased by 100%, he adds.

In addition, an attack may require diverting ambulances, postponing crucial care, and investing months of significant work to restore damaged systems.

That’s why a strong arsenal of digital defenses is crucial to protecting patients, providers, and communities, cybersecurity experts say. Below, Riggi outlines five key steps he believes all teaching hospitals should take, and soon.

1. Set up some essential technologies.

No hospital should skip the usual cyber defenses, such as firewalls or frequently updated antivirus software. But multifactor authentication, a less widely used tool that often involves a password delivered to a cell phone before staff can access a computer system, is cost-effective and quite effective in reducing malicious attacks.

Of course, it is impossible to prevent all cyberattacks, says Riggi, so installing an intrusion detection system (IDS) is also essential. These artificial intelligence programs map the normal traffic of a system and then automatically step in to stop anomalous behavior and alert IT personnel of a possible intrusion.

2. Ignore patches at your own risk.

In the digital world, software changes (“patches”) are constantly needed to fix security holes. And cybercriminals are ready to exploit software vulnerabilities left open by missing patches.

“A hospital can use several medical devices, each with software from 40 different companies, as well as common software packages like Microsoft Office. All of these need patches,” says Riggi.

“From the moment a company releases a necessary patch, criminals only take about two weeks to develop related malware,” Riggi adds. Therefore, hospitals need to act quickly when a patch is released, ensuring rapid coordination between IT staff and biomedical engineering experts responsible for upgrading a wide range of devices.

3. Consider the human factor.

Hospital employees may be among your weakest links or strongest defenses. This means that staff need ongoing training on how to identify suspicious activities, such as phishing emails and malicious links.

But that’s not enough, says Riggi.

A crucial concern is that personal email and social media accounts are not as well protected as a hospital network. “I know of at least two high-impact ransomware attacks statewide in hospitals that started because of a phishing email in an employee’s personal email that was accessed from an organizational device,” he says.

He offers strong advice: “Institutions should seriously consider banning employees from accessing personal email and social media accounts from organizational devices. Sites have begun to do so.”

4. Figure out infection control.

If a malicious virus manages to infect a system, all is not necessarily lost, says Riggi.

To make sure that locked or damaged files can be replaced, back up your systems and do it right. Multiple copies of files are required, and at least some must be hosted offline. “And a copy should be immutable: the data is basically engraved in digital stone, so it can never be changed. It’s a relatively new development and a little more expensive, but it’s a possible security,” Riggi adds.

Another crucial move is segmentation – splitting a network of computers into smaller sections. This way, security personnel can quarantine the infected part instead of shutting down the entire system.

5. Failing to plan is planning to fail.

Each hospital has an incident response plan to deal with crises such as active shooters, natural disasters and a pandemic such as COVID-19. A digital attack shouldn’t be any different, Riggi says.

“After an attack, it may take at least four weeks to get back online, only for mission-critical functions,” he said. “I still haven’t found any organization that is fully prepared to be offline for so long.”

In addition, all departments must be prepared for a cyberattack. “This is not just a computer issue,” he says.

The list of issues is long. For starters: How will staff be paid? How will appointments be scheduled? What about providing remote patient care and connecting with off-site employees? When malicious code is suspected, who can make a decision at midnight to shut down the system or disconnect an entire organization from the Internet? And what effect does this high-impact decision have on operations and patient care?

A plan should include contacting federal officials (the FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency) to get the necessary support after the attack. And it must involve all local institutions that may be affected if a hospital is hit.

“When an academic medical center went dark a couple of years ago, all the smaller hospitals in the state got on their knees because they relied heavily on that hospital’s medical technology for the lab, imaging, cancer treatment and other services,” Riggi said. “This is a very serious situation that has delayed patient care and could jeopardize patient safety.”
