Cybersecurity Compromises, Courtesy of COVID-19

The beginning of the end is near. Hopefully.

With a handful of COVID-19 vaccines authorized for use, humankind may finally have gained the upper hand in its 14-month fight against the deadly coronavirus.

The world’s long, dark nightmare may almost be over. Really.

Yet the battle continues with a far more dangerous enemy.

As the healthcare industry focused its energies last year on battling SARS-CoV-2, cybercriminals used the distraction to their advantage, stepping up efforts to compromise hospital computer networks and connected medical devices. Disconcertingly, there was ample opportunity for such iniquity: When the virus launched its U.S. assault in March 2021, roughly 83 percent of the nation’s medical imaging systems were running on outdated software, with more than half using Microsoft’s Windows 7 and 27 percent relying on Windows XP or decommissioned Linux OS versions, a Palo Alto Networks report concluded.

Additionally, most IoT device traffic was unencrypted at that point, leaving personal and confidential data vulnerable to hackers for exploitation, the company’s research found.

“Due to the COVID-19 outbreak, hospitals are using patient monitoring devices more than ever,” Atlas VPN chief operating officer Rachel Welch noted in a March 17, 2020, statement. “Research shows that one in four such devices have security issues. Based on these numbers, Atlas VPN estimates that cybercriminals will be focusing on the healthcare sector in 2020.”

More like hounded: Coronavirus-themed cyberattacks jumped 11-fold within a week of COVID-19’s official designation in mid-February, and by the end of March, every country on the planet had experienced at least one pandemic-related security breach, a Microsoft security blog revealed last summer.

Attacks reached a fever pitch around that time in the United States, where virus-themed infiltrations surpassed 70,000, Microsoft’s blog indicated. Cyberattacks against hospital and healthcare provider networks began surging then, too, eventually peaking in late spring with 132 breaches—a 50 percent increase compared to the same period in 2019, U.S. Department of Health and Human Services (HHS) statistics show. The department investigated 379 hospital/healthcare provider network breaches between mid-February and Dec. 31, 2020, HHS data show.

“The healthcare industry has, in the past few years, been one of the most targeted industries for cybercriminals,” Natali Tshuva, CEO and co-founder of IoT cybersecurity firm Sternum, told Healthcare Finance last June. “So it’s only natural that at a time of crisis, we are seeing more and more attacks on the healthcare industry.”

Those assaults disabled an Illinois health agency website and forced a German hospital to divert its emergency cases, leading to one patient death. The attacks also shut down United Health Services’ IT system, and incapacitated 5,000 University of Vermont Medical Center computers, disrupting the hospital’s financial operations, radiology services, and sleep studies.

Alarmingly, cybercriminals have kept pace with various waves of the disease, carefully timing their attacks to coincide with case-load surges. As U.S. infections rose last fall, hackers unleashed major ransomware assaults against hospitals and healthcare providers in an effort to incite panic within overcrowded, overwhelmed institutions. Fresenius SE & Co. was among the numerous victims, but the breach did not impact any patient care services.

The U.S. government warned last October of an impending ransomware assault against healthcare providers, advising hospitals to be vigilant of “Ryuk” ransomware infiltrating (and locking up) their IT systems. Cybersecurity experts traced some of the Ryuk ransomware to a Russian-speaking group called Wizard Spider, or UNC 1878. “We are experiencing the most significant cybersecurity threat we’ve ever seen in the United States,” Charles Carmakal, senior vice president for Mandiant, told the press.

That threat is impacting all healthcare sectors, too: Hackers targeted pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea, and the United States last year, with the perpetrators gaining access to Pfizer-BioNTech COVID-19 vaccine specifics from the European Medicines Agency in December. Cyberattacks also forced Dr. Reddy’s Laboratories (the contractor for Russia’s “Sputnik V” COVID-19 vaccine) to shut down its plants in Brazil, India, Russia, the United Kingdom, and United States.

Such closures and data breaches could become more widespread as cybercriminals determinedly work to bypass hospital and medical equipment security measures. To address these expected threats, BD—which has wrestled with its own cybersecurity challenges over the last year—is urging the healthcare industry to adopt “Zero Trust” principles, new laws, and better collaboration to protect patients and stakeholders.

“Improving the resilience of healthcare will need to include an important paradigm shift: adopting Zero Trust principles,” BD noted in an inaugural cybersecurity annual report, released in mid-December. “Instead of trusting devices inside the network, this approach means trusting no one by default and operating as though the network has already been compromised. Instead of relying primarily on strong passwords and virtual private networks, we need to incorporate additional criteria to authenticate and authorize access—such as location, user behaviors, and device health—to strengthen our approach and take cybersecurity to the next level. As we look to the future, we can anticipate even more sophisticated social engineering attempts as cybercriminals track what works and find new ways to gain the trust of unsuspecting victims.”

Trust no one.