TRIMEDX Senior Vice President of Cybersecurity Scott Trevino recently contributed to TechNation’s March cover story examining the evolution of cybersecurity threats on healthcare organizations. Trevino provided perspective on the current cybersecurity landscape and ways health systems can protect themselves and patients.
In September of 2023, the hotel and casino operator MGM Resorts International came under cyberattack. Although the firm refused to pay the ransom demanded by the attackers, the disruption to business cost the organization more than $100 million. Days later, Ceasars Entertainment, another Las Vegas-based casino and hotel chain, revealed that its database had been compromised and the driver’s licenses and Social Security numbers of many of its members had been stolen.
According to Security Magazine, there are over 2,200 attacks each day which breaks down to nearly one cyberattack every 39 seconds. Despite the best efforts of an increasing cybersecurity workforce, the cyber threat landscape is worsening.
Data breaches, data extortion and ransomware attacks continued to increase in size and frequency during 2023. While few people have escaped catching COVID-19, the reality is that few people have escaped being victims of a data breach.
Trying to encapsulate the breadth and scope of cyber warfare in recent decades is nearly impossible. Hotel chain guests, financial service company customers and entertainment company members are just a small sampling of consumers impacted by these cyberattacks. Governments, both national and local, have also been the victims of attacks that have disrupted operations.
Financial institutions would seem to be a prime target; and they are. This has included banking, brokerage, consumer finance companies, credit card issuers and insurance companies. The attacks can target both the company’s databases as well as unsuspecting customers.
Non-public information was hacked into and stolen even before there was an Internet. Thieves stole financial market information from the French Telegraph System in 1834. With the advent of the Internet, and the vast universe of data connected to it, the opportunities were rife for cybercriminals to hack into secured databases and take what they want.
This hacking and use of computer viruses goes back to the 1960s when Allan Scherr, an MIT student, created a punch card that would cause the university’s mainframe computer to spit out all the passwords in the system.
The 1970s saw one of the first “viruses” as well as the first antivirus software program.
The 1980s and 1990s saw an increase in “black hat hackers,” who were able to access personal computers and steal data, financial records or blackmail businesses for money.
The year 2007 saw an attack on the government, businesses and media of Estonia; maybe the first attack on an individual country. In 2015, the fears of many cybersecurity experts were realized as Ukraine’s power grid was attacked.
With incursions that can be described as “significant” increasing in numbers every year, the need for shared best practices and immediate mitigation measures are critical.
While the federal government may provide a repository of best practices, there has been little action recently that actually acts to harden the threat surface against attack. This leaves the response up to the ideas and innovations of private and public companies and organizations in the cybersecurity space to mitigate current threats.
The costs of these cyberattacks only increase for companies as reputation is damaged, regulatory fines mount up and lawsuits are initiated.
Target: Health Care
One of the most vulnerable targets of cyber criminals is health care and the increasing number of connected devices. This is also the most lucrative segment for hackers and cybercrime. Not only are the hackers beginning to learn of the vulnerabilities of many connected devices, but they are fully aware of the vulnerability of sick patients dependent on technology and caregivers, who are easily manipulated when the health of patients is at stake.
“The global WannaCry ransomware cyberattack in 2017, which hit hundreds of thousands of computers in more than 150 countries, was a tipping point in the evolution of health care cybersecurity. The attack targeted health systems, among other organizations, and disrupted services at numerous health systems, resulting in thousands of canceled operations, appointments and generally significant delays in treatment. This was a wakeup call for the medical device industry,” says Scott Trevino, senior vice president of cybersecurity at TRIMEDX.
The earliest incursions into the networks of health care organizations were more fishing expeditions.
“Earlier the attacks on health care seemed to be inadvertent attacks i.e. attackers were looking for mis-configured devices on the Internet and attacking them. In addition, there was a lot of focus on accessing credit cards and health care wasn’t the big focus,” says Shankar Somasundaram, CEO and founder at Asimily in Sunnyvale, California.
He says that over the past few years, that has changed.
“Health care has become a big focus, as attackers seem to be targeting the devices used in the health care environment. The fact that health care records can fetch them 1,000 to 10,000X more than a credit card has also motivated attackers financially. And new ransomware attacks, to lock down health systems data and holding them to ransom, is not a technique we saw as much many years ago,” Somasundaram says.
This valuable information, paired with its accessibility, makes health care an inviting target.
Trevino says that measures to bolster medical device cybersecurity have developed rapidly in the years since the WannaCry attack, and at the same time, more medical devices have become network connected.
“While network-connected and more complex software-based devices have transformed patient care for the better, they also present more difficult cybersecurity challenges for both design and servicing. One such implication is that these devices have presented more vulnerabilities bad actors can exploit,” he says.
Trevino says that should a health system’s network be breached; vulnerable medical devices allow hackers the potential for easy laterals supporting the nefarious motives of the bad actors.
“To this point, most health care cyberattacks are not focusing on using connected devices to directly alter treatments and harm the patient. However, vulnerable devices provide openings to exploit within the hospital’s cybersecurity ecosystem – and once compromised, health systems are often forced to shut down operations, divert patients, and delay life-saving care, which can have devastating consequences,” Trevino adds.
The potential for these types of consequences just increases with the pace of exploits.
“We need to acknowledge that health care cybersecurity practices are steadily improving. However, looking at the increasingly sophistication and growing volume of attacks, we do need to wonder if our defenses are keeping up,” says Axel Wirth, CPHIMS, CISSP, HCISPP, AAMIF, FHIMSS, chief security strategist at MedCrypt.
Wirth says that the number of ransomware attacks on health care organizations is skyrocketing and cyber adversaries are steadily improving their methods with the objective to increase the price they can command, as well as make sure that victims pay up.
“For that purpose, they have developed various strategies, including timing of the attack (before weekend or holidays), making restoration difficult (e.g., by damaging Windows boot sectors or destroying backups), as well as looking at double extortion where they not only hold data for ransom but also threaten release of sensitive data or go after patients for additional payment,” Wirth says.
Compromised Care
Is there still a risk of medical devices being controlled by bad actors?
“More so today than ever before. There are still a lot of legacy medical devices, many health systems are constrained by budget and resources which has only gotten harder in the last year and attackers have ramped up their efforts to attack health care. In fact, medical devices have been attacked in many of the ransomware attacks that have happened over the last couple of years,” Somasundaram says.
These attacks can impact the ability for clinicians to render care, including emergent care.
“With medical devices there is, of course, always the concern about patient harm, e.g., as a result of device malfunction (whether the attack was targeted or not). However, what we see today is mainly an impact on a hospital’s ability to deliver care; e.g., if my emergency room CT scanner is taken down then I am not able to correctly diagnose patients with suspected stroke. Recent research did demonstrate that a cyber attack on a hospital has measurable impact on patient outcomes,” Wirth says.
This threat to patient care has caught the attention of lawmakers along with federal agencies.
“As cyberattacks on health care organizations increase, there is a renewed legislative focus on medical device cybersecurity. Four new U.S. cyber laws have passed since 2021 – most recently in the Consolidated Appropriations Act. This issued new medical device cybersecurity requirements and empowered the FDA to ensure devices are secure,” Trevino says.
He says that as 2024 approached, the industry was closely monitoring how the FDA will enforce its new cyber mandates for medical devices and if Congress will advance additional cybersecurity legislation.
“As the FDA has indicated to Congress, cybersecurity collaboration between groups that service medical equipment, original equipment manufacturers (OEMs), independent service organizations (ISOs) and others that own and service equipment are highly encouraged in order to achieve the shared goal of improved patient care and patient safety,” Trevino says.
He says that could mean additional patches, more hardened medical devices and more comprehensive medical device cybersecurity programs within health systems.
Security Measures and Segmentation
The threat landscape is ever-changing. Cyber criminals engineer new malware or concoct new social engineering schemes. Cybersecurity must also evolve to respond to the newest threat, weed out the newest worm or malware or harden the surface against threats with new protective measures.
Somasundaram says that the way to protect against the newest targeted attacks comes through understanding vulnerabilities and potential paths attackers can use to take advantage of the vulnerability, understanding potential threats and have the ability to capture data at the time of the incident to help with forensic analysis.
“In addition, segmentation, including targeted segmentation which is the most resource and cost effective, macro segmentation, micro-segmentation are all practices that have evolved to help react to a cyber-security event. Finally, new techniques and technologies are coming in, so the practices continue to evolve,” he says.
One component of health care cybersecurity starts at the point of sale.
Good security practices require a well-segregated network with layered defenses as well as additional security monitoring tools that protect systems (like medical devices) that lack security defenses and need that complementary layer of protection via the network. In the long run, we need to improve the security posture of our medical device ecosystem and it all starts with purchasing,” Wirth says.
All measures taken to protect information and patients and others should be transparent and disclosed.
“Cybersecurity leaders must ensure rigorous cybersecurity practices are in place and provide evidence that they are being followed and that actions have been, and are being taken, where necessary. Recently, the SEC charged SolarWinds and its chief information security officer (CISO) with fraud for misleading investors about the company’s cybersecurity practices and failing to disclose known risks during the time it was the target of a massive cyberattack. This could set a new a precedent for the accountability expected and potential consequences for security professionals,” Trevino says.
The cybersecurity landscape for this year will see even more ransomware attacks, discoveries of new vulnerabilities in IoT, and the continued emergence of AI-enabled attacks. In other words, both health care enterprises and all other repositories of non-public information will remain at risk. IS/IT and biomed must remain vigilant and informed. It is incumbent upon those trusted with non-public information to have an awareness of emerging threats as well as to engage in constant education of mitigation methods.