Health care organizations are coming under increased pressure from COVID-19. At the same time, they’re trying to expand digital services to patients and fend off more cyber threats.
In order to gain insight into what health care organizations can do, I interview Dr. Saif Abed with The AbedGraham Group and Dan Taylor, associate partner for health care and life sciences in Europe at IBM.
At the height of coronavirus-era spam activity, IBM X-Force observed a 6,000% increase in these attacks between March 11, 2020 and April 2020. While activity capitalizing on the COVID-19 pandemic has impacted numerous industries, notable campaigns have targeted the healthcare sector in particular.
In March and April, IBM X-Force uncovered phishing attacks delivering Agent Tesla — malware designed to steal information. The emails were spoofed to appear to originate from the World Health Organization (WHO) and promised information on a COVID-19 vaccine.
In April, reports in the United Kingdom surfaced warning of fake National Health Service (NHS) web pages and thieves using the guise of COVID-19 health checks to enter victims’ homes. In May, IBM X-Force observed a malspam campaign delivering TrickBot in a Word attachment. Phishing emails were crafted to appear to originate from the German Health Ministry and targeted German citizens.
At the same time, the pandemic has magnified the impact of cyber threats such as ransomware. Such was the case for Brno University Hospital in the Czech Republic, which was forced to shut down its entire IT network and cancel urgent surgeries due to a ransomware attack in March.
During these unprecedented times, working lives are changing across all industries, and health care is one of the most affected. The industry relies heavily on mobile working and digital services, while an exponential increase in patient care puts extra strain on the availability of those services.
A Deeper Look at Risks to Health Care Organizations
Question: What do you see as the biggest risk to healthcare organizations during this time?
Abed: As someone who was an NHS doctor, my biggest concern would be any vulnerabilities being exploited that lead to the loss of access to critical clinical systems such as electronic health record platforms, lab systems and diagnostic imaging. These are critical applications and devices that would create massive disruption and clinical risk issues if, for example, they were attacked by ransomware.
Taylor: The big thing for me is focus. Rightly, we’re all working to provision and maintain huge volumes of remote access, ensure the availability of digitally enabled services and ensure we can maintain patient care in a way we have never done before. Yet, at a time where our vital information and communications technology and security teams are delivering this, does this mean we have enough focus on emerging security threats, which could pose a threat to vital patient diagnostic services?
What are the increased threat vectors in the recent pandemic?
Abed: Phishing emails that are preying on fears over coronavirus have exploded in recent weeks. That type of social engineering is powerful and will likely be the key to both opportunistic and more sophisticated attacks against the NHS and global health systems.
Taylor: Looking at this another way, I keep thinking about what they will try to exploit. Unfortunately, it’s our people. We have over 1.7 million people working at the NHS. We have disruptive working practices fighting an invisible enemy we do not yet fully understand. All of this means there is a higher likelihood our attention won’t be on security. Are we therefore more prone to being socially engineered?
How can organizations take simple steps to best protect patient data?
Abed: From a clinical perspective, access to patient data is an absolute priority for clinical workflows to function. So it’s really important that NHS trusts have a clear view of the endpoints on their network, their vulnerabilities and which ones actually could be exploited to create risks that will lead to loss of access to patient data or the systems that manage them.
Taylor: Perfect should not and will not be the enemy of the good. Or, to put it another way, it should never be a case of security says, “No.” It should be, “How do we do this safely?”
So we need to help organizations understand their risks and their vulnerabilities. We can take a risk-based approach to enable digital care in new and innovative ways. In this time, the big win is prioritizing vulnerabilities so the limited capacity we have across the NHS can focus on the areas of most need and value.
Why should health care organizations focus on vulnerabilities and prioritization?
Taylor: We simply don’t have the time to look at everything at the moment. We are living in a new normal, with potentially fewer resources managing more systems and services than ever before. We are provisioning home working on a scale never seen while having to ensure our digital systems are available in ever-expanding ways. This is a perfect storm: more systems, exposed more widely, to more people, increasing the attack surface. We need to help manage this new attack surface by identifying and prioritizing exploits and vulnerabilities — ranking them so we can mitigate vulnerabilities, protect patient services and thus maintain patient care.
Abed: I completely agree. In health care, we don’t have time to review every vulnerability and threat, so effective prioritization is key. The way we can do that is to make sure we are reviewing and ranking priorities based on analytics that capture both technical and clinical risk factors. This means we can help healthcare organizations get the biggest bang for their buck in terms of risk reduction when they tackle the vulnerabilities that are flagged.
Where should health care organizations be looking for help from the vendor community?
Taylor: I think this is the time where trust should be placed in suppliers. Having domain knowledge is key because this enables suppliers to hit the ground running and speak in a language we understand across health care. By that I mean they understand the relationship between cybersecurity risk and patient safety. This investment in healthcare security is one of the reasons I joined IBM from the NHS. I think suppliers partnering with specialist organizations is also key, marrying skillsets to deliver more for clients, like our partnership with the clinical cybersecurity specialists at The AbedGraham Group.
Abed: Large, global organizations have tremendous access to experts who have been leaders in challenging sectors covering everything from national security to health care. Health care organizations should leverage this, as well as specialized partnerships they might have cultivated like the great relationship IBM has with our security-focused medical doctors at The AbedGraham Group.
How do we enable continued patient safety through the proliferation of digital services?
Abed: It’s important that whenever a new service is adopted or an audit is conducted of existing solutions that we consider risks both from technical and clinical perspectives. A vulnerability might score high technically but not be concerning clinically, and vice versa, so it’s important that healthcare organizations include both technical and clinical leaders like chief clinical informatics officers in their risk discussions. It’s even better if these leaders can be supported by solutions that cover both technical and clinical perspectives.
Taylor: At the risk of aping the great political adviser James Carville, “It’s about risk, stupid.”
Everything we do in health care is about risk. The use of anesthetic has risk, but we manage it and use it for the benefit of patients via life-saving procedures. It is no different in digital medicine; there are some fantastic digital innovations that will improve patient outcomes. There will be security risk — we just have to understand it and put in place mitigations and actions to manage and limit it.
How can suppliers best support NHS organizations during this pandemic?
Taylor: Listen. Listen and listen again. Provide services that they need when they ask for them — not the big sell. At the same time, be clear on what security risks they are facing and help them understand what risks they face. From there, we can provide the NHS with thought leadership on how they can face these challenges and provide answers that work for healthcare.
Abed: Listen and focus on what matters most — patient safety and care.
To help health care institutions and other organizations, the IBM X-Force Red team offers a vulnerability management service (VMS) that includes scan management, automated ranking, and remediation facilitation. X-Force Red VMS can be integrated with The AbedGraham Group’s clinical security analytics platform, which translates the vulnerability data into patient safety and clinical workflow disruption metrics so that the most serious risks for hospital workflows can be prioritized for remediation.
This unique integration means X-Force Red can enable organizations to cut through the million-plus vulnerabilities that come from a scan and focus limited time and resources only on the vulnerabilities that pose higher risks of compromise both in terms of exploitability and risk relevance to health care services.
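The combined technical-and-clinical ranking that the interviewees describe above and that the VMS integration automates, shown as a constructed Python illustration added here (it is not X-Force Red's or The AbedGraham Group's actual analytics): each finding's technical severity is scaled by the clinical criticality of the asset it sits on, so a high-CVSS flaw on a cafeteria kiosk ranks below a moderate but exploitable flaw on an imaging server. The asset classes, weights and sample findings are all assumptions made for this example.

```python
from dataclasses import dataclass

# Clinical criticality per asset class. Loss of access to EHR, lab and imaging
# systems is the scenario the interview flags as highest clinical risk; the
# weights themselves are constructed for this example, not real analytics.
CLINICAL_WEIGHT = {
    "ehr": 1.0,
    "lab": 0.9,
    "imaging": 0.9,
    "remote_access": 0.7,  # VPN/home-working gateways widened during the pandemic
    "kiosk": 0.1,          # no clinical workflow depends on it
}

@dataclass(frozen=True)
class Finding:
    asset: str
    asset_class: str
    cvss: float              # technical severity, 0.0 to 10.0
    exploit_available: bool  # "which ones actually could be exploited"
    internet_exposed: bool   # reachable from the newly widened attack surface

def technical_factor(f: Finding) -> float:
    """Technical risk in [0, 1.5]: CVSS scaled by exploitability and exposure."""
    factor = f.cvss / 10.0
    if f.exploit_available:
        factor *= 1.5
    if f.internet_exposed:
        factor *= 1.25
    return min(factor, 1.5)

def risk_score(f: Finding) -> float:
    """Combined score (0 to 150): technical factor times clinical criticality."""
    clinical = CLINICAL_WEIGHT.get(f.asset_class, 0.5)  # unknown class: middle weight
    return technical_factor(f) * clinical * 100.0

def prioritize(findings):
    """Return (asset, score) pairs, highest combined risk first."""
    scored = [(f.asset, risk_score(f)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample scan output: four findings on four asset classes.
SAMPLE_FINDINGS = [
    Finding("cafeteria-kiosk-03", "kiosk", 9.8, True, False),
    Finding("pacs-imaging-01", "imaging", 6.5, True, False),
    Finding("vpn-gateway-01", "remote_access", 7.5, False, True),
    Finding("ehr-app-02", "ehr", 5.3, False, False),
]
if __name__ == "__main__":
    for asset, score in prioritize(SAMPLE_FINDINGS):
        print(f"{score:6.1f}  {asset}")
```

Run as a script it lists the imaging server first and the kiosk last, even though the kiosk carries the highest raw CVSS score.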
To help combat these ever-evolving cyberattacks and address challenges associated with the current pandemic, health care organizations should work with industry partners like X-Force Red to better protect patient data and the availability of digital services.