Healthcare sector must be protected from cyberattacks as it deals with Covid-19

Over the past week, Covid-19 has upended our traditional assumptions about how we work and what services are critical, and has shone a spotlight on the importance of communication networks. Nationally, our concept of what is critical is continuously changing. Traditionally, Australian government efforts have focused on protecting the information contained on government and military networks, but largely left civilian networks to fend for themselves. We need to change our national cybersecurity priorities to match our new reality.

Cybersecurity in the healthcare sector is traditionally very poor and medical staff are rightly focused on saving lives rather than upgrading IT systems. The healthcare sector is an attractive target for ransomware attackers because it has an increasingly large attack surface. The sector has to deal with a multitude of different systems from different vendors and the proliferating use of internet-connected healthcare devices. All of that makes hospitals a difficult IT environment to manage.

Healthcare services are also made vulnerable by their need to use specialist medical equipment that is too expensive to replace regularly but whose software isn’t updated for security, and by a lack of adequate IT resources to keep abreast of threat trends. Due to the critical and time-sensitive nature of their work, hospitals make particularly appealing targets for ransomware operators, because they are likely to pay ransoms.

Worryingly, last year in the United States ransomware attacks made up more than 70% of cybersecurity incidents in the healthcare sector. Ransomware attacks lock up IT systems until a ransom is paid, and are extremely disruptive to hospitals at the best of times.

In the current environment, when hospitals worldwide are struggling to cope with critically ill Covid-19 patients, any disruption can be a matter of life and death. The virus has drastically altered the consequences of risks we were previously prepared to accept. The security of hospitals has always been seen as crucial, but mere weeks ago we were content to (literally) live with the consequences of poor hospital cybersecurity.

Just weeks later and the consequences of disruption are unthinkable.

As Covid-19 exploits weaknesses in the immune system of its human hosts, malicious cyber actors take advantage of the fear associated with the pandemic to exploit weaknesses in our computer systems and networks.

Hacking groups are already taking advantage of the chaos caused by the global outbreak of the virus. Despite some hacking groups saying they won’t target healthcare, in recent weeks a Covid-19 testing hospital in the Czech Republic, hospitals in Spain and a public health agency in the US have all been hit with suspected ransomware attacks that have disrupted services including delaying surgeries. Although it’s not clear how these networks were penetrated, there have been reports of phishing emails targeting healthcare workers.

Hospitals are obviously critical infrastructure. But with state and federal governments closing borders and non-essential services, we’re one step closer to the lockdowns that are already occurring in the northern hemisphere.

In January this year, Toll Holdings, a provider of transport and logistics support to businesses like Coles, was a victim of a targeted ransomware attack that took its core services offline for six weeks. At the time, the event was of moderate interest to the media. Today, news of a logistics disruption would fuel further panic-buying of groceries and medicines and require a high-level government response. A similar ransomware attack today would be a problem for the nation, not just a problem for a single company like Toll.

Maintaining access to the internet is also a critical issue. With increasingly large numbers of people worldwide under lockdown and working from home, the provision of reliable internet access has become central to the economy and necessary for supplying telecommunications and even entertainment. Network operators are seeing large increases in internet traffic and some governments have responded by asking people to watch less TV. The European Union recently asked large streaming video companies like Netflix, Amazon (via Amazon Prime Video) and YouTube to reduce streaming volumes and ‘preserve the smooth functioning of the internet’.

Hospitals, transportation and governments influencing people’s behaviour to preserve connectivity—these are all examples of how priorities have been altered by the Covid-19 crisis.

Rather than carrying forward with bureaucratic inertia, our cybersecurity policies and investments should be changed to match these altered priorities. Looking at healthcare in particular, state, territory and federal governments should reallocate federal money to hospital IT defence for worthwhile short-, medium- and long-term initiatives.

Short-term efforts could include ongoing and reinforced education about phishing across frontline healthcare providers. Such programs could include phishing simulations and penetration testing. As cyber criminals and fraudsters seek to take advantage of people’s fears about Covid-19, some practical efforts to make staff more resilient would yield immediate benefits and reduce the risk of phishing attacks leading to catastrophic breaches.

In the medium term, governments could also assist by performing cybersecurity audits and providing (or funding) the expertise to develop remediation plans. This should initially focus on ensuring robust and effective data-backup strategies.

They could also assist in developing robust guidelines for how to either digitally quarantine or replace legacy systems that can no longer be updated or patched.

In the longer term, governments could encourage the development of interoperability standards that allow for a secure healthcare IT ecosystem. Part of the problem in healthcare is that solutions from different vendors often don’t integrate well, placing the onus on cash-strapped IT departments to meld diverse systems into efficient workflows. This is difficult to do well with limited resources, and as a result security is often jettisoned in favour of usability.