In 2019, 41 million patient records were breached in 572 reported incidents at an average cost of $1.8 million per breach. These statistics are far from surprising with healthcare records selling for a reported average of $45 on the dark web. Unfortunately, the year 2020 aggravated these issues as COVID-19 exposed the true vulnerability of the healthcare infrastructure. Organizations not only had to manage the medical and financial impacts of the pandemic but also the security risks inherent in the work-from-home (WFH) model and the increasingly sophisticated attacks of cybercriminals intent on exploiting these vulnerabilities. In this article, we’ll dive into some of these growing threats.
The Bare Minimum of EDR
Although most organizations have now provided WFH employees with secure computers using endpoint detection and response (EDR) solutions or mandated the use of virtual private networks (VPNs), this does not fully solve the security problem.
These solutions may protect the user and network from future attacks, but if network infiltration has already occurred, threats in the form of advanced persistent threats (APTs) may be lying dormant for weeks, months, or maybe even years, on an apparently secure network. To respond to these threats, a network detection and response (NDR) capability is required. This capability looks for activity or patterns of behavior from users or network servers that indicate attacks may be in progress, may have taken place, or may be developing.
Ideally, EDR and NDR need to be integrated and used together to provide end-to-end network visibility and security.
Cybercriminals and other bad actors were quick to exploit the COVID-19 pandemic with, for example, phishing attacks. These exploited the fears of healthcare consumers and healthcare workers who, in the early days of WFH, were often accessing corporate networks on secured mobile phones and personal computers from their home networks.
This led to a variety of security issues; for example, Mirai botnet–type attacks that exploited WFH practices to infect healthcare organizations’ networks or dropper-based attacks that loaded malware to steal users’ credentials and ultimately led to ransomware attacks. While these attacks still continue, most healthcare organizations have taken the measures necessary to secure their networks and their patients’ and organizations’ data.
A Spike in State-Sponsored Attacks
Beyond threats from financially motivated cybercriminals looms the threat from highly sophisticated and well-resourced state-sponsored attackers. As widely reported in the media, there has been a spike in state-sponsored security attacks on lab and research facilities working on COVID-19 treatments. For example, the Wall Street Journal cited U.S. officials as suggesting that Chinese and Iranian hackers are targeting universities and pharmaceutical and other healthcare firms that are working to find a vaccine for COVID-19, in an attempt to disrupt this research and slow its development.
In addition to direct attacks on research institutions, software vendors that develop the tools used by these institutions are also at risk. Security is becoming a “supply chain” issue that touches not only all of the network users and assets but also all the precursors to these assets, including the network carriers and software vendors on which network users rely.
Lack of Trust
Who can you trust in this expanded threat environment? To take proper precautions, nobody. As healthcare consumers and the workforce want or need to operate on an “access anywhere, anytime” model, adopting what’s called a Zero Trust security architecture not only makes sense, it is close to an imperative for healthcare organizations.
Zero Trust means that, because the network is under constant attack from a huge array of external and internal threats, all users, devices, applications, and resources on the network must be treated as being hostile. These users and devices need to be rigorously and continuously authenticated, while patient, research, and other data and network assets need to be protected at a much more granular level than traditional perimeter-based security models allow.
The Rise of IoMT Devices
Healthcare organizations must also find new, more cost-effective ways to deliver high-quality healthcare to their increasingly tech-savvy consumers – and the use of Internet of Medical Things (IoMT) devices is critical to this process. IoMT devices, ranging from simple telehealth and remote patient monitoring to surgical robots and augmented reality technologies, can reduce operating costs and increase the quality of patient care.
COVID-19 has accelerated the adoption of IoMT technology, a process that will further accelerate with the availability of 5G networks over the coming one to three years. Many of the simpler IoMT devices don’t support traditional security models, so their adoption poses significant new threats unless healthcare institutions act to enhance security by, for example, ensuring that their network detection and response tools are ready for this challenge.
Looking ahead, it’s clear that the world is evolving towards a new normal, which will pose more threats and concerns for the healthcare industry. Recognizing this and preparing for the threats discussed will create a better game plan for what’s to come and allow for necessary growth within healthcare infrastructure.
About Martyn Crew
Martyn Crew is Director of Solutions Marketing at Gigamon. He brings a 30-year background in all aspects of enterprise IT to his role where he focuses on a number of initiatives and products including Gigamon’s Application Visibility and Intelligence solutions.
What You Should Know:
– FDA awards AppliedVR Breakthrough Device designation for treating treatment-resistant fibromyalgia and chronic intractable lower back
– AppliedVR’s EaseVRx program helps patients learn self-management skills grounded in evidence-based cognitive-behavioral therapy (CBT) principles and other behavioral methods.
a pioneer advancing the next generation of digital medicine, today announced its EaseVRx product received Breakthrough Device designation from the U.S. Food and Drug Administration (FDA) for treating treatment-resistant fibromyalgia and chronic intractable lower back pain. EaseVRx is now one of the first virtual reality (VR) digital therapeutics to get breakthrough designation to treat conditions related to chronic pain.
What is the FDA Breakthrough Device Program?
The FDA Breakthrough Device Program helps patients receive more timely access to breakthrough technologies that could provide more effective treatment or diagnosis for life-threatening or irreversibly debilitating diseases or conditions.
Clinical Trial Results/Outcomes
AppliedVR achieved this milestone after successfully completing the first randomized controlled trial (RCT), evaluating VR-based therapy for self-management of chronic pain at home. The RCT, which was published in JMIR-FR, found that a self-administered, skills-based VR treatment program for treating chronic pain was feasible, scalable and effective at improving multiple chronic pain outcomes – each of which met or exceeded the 30-percent threshold to be clinically meaningful. On average, participants noted:
– Pain intensity reduced 30 percent;
– Pain-related activity interference reduced 37 percent;
– Pain-related mood interference reduced 50 percent;
– Pain-related sleep interference reduced 40 percent; and
– Pain-related stress interference reduced 49 percent.
EaseVRX Program Background
AppliedVR’s EaseVRx program helps patients learn self-management skills grounded in evidence-based cognitive-behavioral therapy (CBT) principles and other behavioral methods. The program was designed by AppliedVR, in partnership with the top pain experts and researchers, to improve self-regulation of cognitive, emotional, and physiological responses to stress and pain. AppliedVR has already been shown to be an effective treatment for acute pain in hospital settings.
Why Virtual Reality Is An Effective Approach for Pain
Lower back pain is one of the most common chronic conditions that people face worldwide and represents one of the top reasons why people miss work. Additionally, it’s an extremely costly problem for insurers, especially as they look to cut costs related to back surgery. Recent research indicated that, when combined with neck pain, lower back pain costs nearly $77 billion to private insurance, $45 billion to public insurance, and $12 billion in out-of-pocket costs for patients.
Chronic pain more broadly also is a difficult and costly problem that has contributed to many other major health problems in the U.S., including the opioid epidemic. A previous Johns Hopkins study in the Journal of Pain found that chronic pain can cumulatively cost as high as $635 billion a year — more than the annual costs of cancer, heart disease and diabetes — and lower back pain has been one of the most common reasons for prescribing opioids.
Cognitive behavioral therapies like VR are now seen by many providers as an effective alternative or complement to pharmacological interventions that can support their larger treatment tool belts.
“Since 1980, the American Chronic Pain Association has advocated a multidisciplinary approach to pain management—using a combination of medical and behavioral techniques to address pain,” said Penny Cowan, founder and CEO of the American Chronic Pain Association. “Virtual reality has the potential to be an important resource in this approach, helping people with pain to think differently about their conditions and learn strategies to reduce suffering and improve quality of life.”
Future Clinical Trials
AppliedVR is currently engaged in many other trials, including feasibility studies with multiple well-known payers and with the University of California at San Francisco (UCSF) to study how digital therapeutic platforms, including virtual and augmented reality, can be used to improve care access for underserved populations. AppliedVR also is advancing two clinical trials with Geisinger and Cleveland Clinic to study VR as an opioid-sparing tool for acute and chronic pain – specifically the company’s RelieVRx and EaseVRx platforms. The National Institute on Drug Abuse (NIDA), part of the National Institutes of Health (NIH), recently awarded $2.9 million grants to fund the trials.