Death by Ransomware: Poor Healthcare Cybersecurity

Babur Khan, Technical Marketing Engineer at A10 Networks

If hackers attack your organization and you’re in an industry such as financial services, engineering, or manufacturing, your risks are mostly monetary. But when it comes to healthcare cybersecurity, not only is there significant financial jeopardy, people’s health and wellbeing are also at risk, so the stakes are much, much higher.

According to the Department of Health and Human Services, there has been an almost 50 percent increase in healthcare cybersecurity data breaches between February and May 2020 compared to 2019. This is thought to be a result of the COVID-19 pandemic distracting the industry due to the sweeping changes required, putting extra pressure on already inadequate healthcare cybersecurity measures. 

Why Are Hackers Attacking Healthcare?

If there’s one thing hackers like, it’s a target that’s “soft,” and large, complex organizations in industries that have been slow to adopt and then secure digital technologies are precisely that: soft targets. These organizations usually have broad and mostly poorly defended “attack surfaces,” which provide hackers with many routes to enter and through which they can not only exfiltrate data but also compromise services and hardware.

Healthcare, in general, is one of the most visible and softest targets. Successful hospital cyber-attacks usually cause significant disruption of patient data and routine workflows such as scheduling patient medication, resources management, and other essential services. These hospital cyber-attacks can easily result in what is euphemistically called in healthcare “bad outcomes” … these “bad outcomes” include injury and death.

How Does Healthcare Think About Cyber Risks?

A study by the security consulting firm Independent Security Evaluators concluded:

One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective … In summary, we find that different adversaries will target or pursue the compromise of patient health records, while others will target or pursue the compromise of patient health itself.

The report argues that protecting patient records has been most of the focus of healthcare cybersecurity planning, and organizations often view threat actors as being “unsophisticated adversaries” such as individual hackers and small hacker collaborations. ISE argues that this framework ignores the potential of far more sophisticated hospital cyber-attacks from political hacktivist groups, organized crime, terrorists, and nation-states, who are all highly motivated and well-funded: “As a result, a multitude of attack surfaces are left unprotected, and attack strategies that could result in harm to a patient are not considered.”

The Universal Health Services Hospital Cyber-attacks

In September 2020, Universal Health Services, a hospital and health care network with more than 400 facilities across the United States, Puerto Rico, and the United Kingdom, found itself under attack by the Russian “Ryuk” ransomware. This wasn’t the first hospital cyber-attack on UHS. Security firm Advance Intel’s Andariel intelligence platform reported that trojan malware infected Universal Health Services throughout 2020.

UHS has not officially confirmed the details of the attack but reports by UHS employees indicate the attack was the result of a successful phishing expedition. The attack disabled computers and phone systems and forced the hospitals to revert to using paper-based systems to continue operations. Affected network hospitals also had to redirect ambulances and move surgical patients to other unaffected facilities.

As is usually the case with large, complex organizations, cleaning up and restoring the system was neither simple nor quick, and a UHS press release on October 12, 2020, announced: “… we have had no indication that any patient or employee data was accessed, copied or misused.” It also stated that operations were mostly back to normal after a total of 16 days. Given that downtime for enterprise security breaches costs upwards of $1,000,000 per day, this attack will have dealt a serious blow to UHS’ bottom line. Whether UHS paid the ransom is not known.

Cyber Attacks and Murder

When a cyberattack happens to any organization, there are always consequences, but when healthcare ransomware is involved there’s a real risk of loss of life. In the case of UHS, there were unconfirmed rumors of four patients dying because doctors had to wait for lab results delivered by couriers instead of by electronic delivery. While those, so far, appear to be just rumors, there is one known case of a patient dying directly due to a hospital ransomware attack.

The University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack on September 10, 2020. The attackers exploited a vulnerability in the Citrix ADC that had been known since January but the hospital, unfortunately, had not got around to implementing the fix.

As a result of the attack, the hospital immediately announced that “The UKD has deregistered from emergency care. Planned and outpatient treatments will also not take place and will be postponed. Patients are therefore asked not to visit the UKD – even if an appointment has been made” and patients were routed to alternative medical facilities.

The demand note delivered by the hospital ransomware showed that the intended target was not in fact the University Hospital Düsseldorf but rather Heinrich Heine University. The German police contacted the hackers via the instructions in the ransom note dropped by the malware and explained the mistake, after which the hackers withdrew their demand and provided the decryption key.

Unfortunately, one patient with a life-threatening illness was diverted to a distant hospital after UKD was deregistered as an emergency care facility. The additional hour’s travel may have been the cause of the patient’s death. On September 18, 2020, German prosecutors launched an official negligent homicide investigation which, if confirmed, would make the patient’s death the first known case of death by hacking.

Protect Critical Systems from Malware

The key to defending your systems from malware and phishing is monitoring and examining all network communications. Now that encryption is becoming the norm for all internet communications, looking “inside” of message streams requires new approaches and technologies so that embedded threats are caught and handled before they can escalate into disasters.


About Babur Nawaz Khan
Babur Nawaz Khan is a Technical Marketing Engineer at A10 Networks, a leading provider of secure application services and solutions. He primarily focuses on A10’s Enterprise Security and DDoS Protection solutions and holds a master’s degree in Computer Science from the University of Maryland, Baltimore County.


Gaps in Clinical Communication, Document Exchange Lead to Gaps in Care

John Harrison, Chief Commercial Officer of Concord Technologies

Communication problems and inadequate information flow are two of the most common root causes of medical errors. The potential for miscommunication and faulty exchange of information in healthcare is substantial. 

Consider: patient information is dispersed among multiple providers and payers along the continuum of care. Electronic Health Records (EHRs) and other clinical systems do not capture patient information or format medical documentation in a standardized manner. In an environment with incompatible systems, the easiest way for healthcare organizations to exchange records is to generate those records in a document format. It is not surprising then that many healthcare organizations are still heavily dependent on traditional, paper-based fax, which adds its own challenges to the process. Fax hardware and communication equipment are often unreliable, resulting in document delivery failures and delays. 

As a result, an inadequate information flow can cause problems that impact the availability of essential knowledge needed for prescribing decisions, timely and reliable delivery of test results, and coordination of medical orders. The ensuing administrative and medical errors raise healthcare costs and may lead to poor health outcomes, including patient harm and readmissions.

The reality of mundane, manual processes 

Document-based information exchange processes are highly inefficient. Staff often print and copy documents, creating a risk of accidental exposure of protected health information and resulting in needless costs. Moreover, documents – whether printed or stored on a workstation or server – still require manual data entry into EHRs and practice management systems. The tasks are tedious, prone to error, and negatively impact workflow, staff efficiency, physicians, and patients, and may lead to the following: 

– Patient record errors, including filing or documenting information in the wrong patient file, and data entry errors;

– Poorly documented or lost test results; and

– Gaps in communication during transitions of care from one healthcare provider or setting to another. 

In addition to these areas of concern that threaten patient safety, inbound documents often contain a lot of information on clinical, administrative, and financial matters that isn’t necessarily relevant to an intended recipient. That means a recipient must review all pages of the document and separate the needed information from the extraneous, which can further delay processing and patient transitions of care.

Smarter, faster document processing with AI

Healthcare providers need a document exchange and processing strategy that enables fully digital, secure, and efficient communication among numerous, highly customized EHRs, each with its own workflows and document processing preferences. 

Such a strategy needs to include moving away from paper to fully digital documents. Healthcare organizations can accomplish this easily and without the need to overhaul the entire existing health IT infrastructure. The two main ways of transitioning from paper to digital are using digital fax instead of traditional fax and document imaging, where documents are simply scanned into the system. In many cases, the resulting document format will be a TIFF image; and while it is not machine-readable, it enables paperless filing of clinical documents to the EHR.

Alternatively, converting the document into a readable format, such as a searchable PDF, will allow the healthcare organization to add value in document processing at every subsequent step. Making the document readable enables automatic identification of the type of document, data extraction, including patient name, medical record, date of birth, and physician name, as well as more effective management of the overall lifecycle of the document.

This step requires the utilization of AI and natural language processing techniques. Automatic extraction of data replaces the human labor required to manually index the information, which streamlines the triaging of documents to correct systems, teams, or recipients. 

For example, if a digital document is clearly labeled as a discharge summary for John Harrison, a staff member can process it much more easily and quickly than when she has to open and read it to understand the type of the document and the identity of the patient. By mostly automating the receiving, reading, classifying, and triaging of medical documentation, providers are able to save time and ensure information is received and processed quickly by the right person, which typically means that the patient can be better served.

The COVID-19 pandemic has only driven home the need for seamless, 100%-digital exchange of patient information. If healthcare administrators depend on the physical fax machine to do their jobs, they won’t be able to work remotely. Most people don’t have fax machines at home, and especially fax machines routed to the hospital’s number, to be able to print information and then manually scan and enter that information into the patient’s health record. A fully digital document processing approach enables agility and flexibility necessary in the modern healthcare environment. 

Moreover, recent ransomware attacks in the form of malware embedded into email attachments sent to users in hospitals led to providers blocking inbound email attachments altogether. That means providers could not access their own patient data, let alone data from other institutions. As a result, emergency patients may have to be taken to other hospitals, and surgeries and other procedures delayed. Cloud-based platforms enable users to securely access patient information outside of the hospital’s network.

Small steps lead to big results 

It’s essential from both a patient safety perspective and provider efficiency perspective that the exchange and processing of medical documentation be digitized. The benefits of digital document processing are significant, enabling fluid information exchange among all stakeholders.  

By transitioning to fully digital document exchange, providers can significantly streamline administrative and clinical processes. The key to realizing the benefits of this approach is to take the first step by moving away from paper and then build on that by harnessing the power of AI to fully support the daily work of clinicians and administrators. Outbound and inbound documents can be prioritized, addressed, processed, and delivered appropriately, facilitating timely information exchange for processing prescriptions, medical orders, billing, reporting, analytics, research, and much more. 


About John Harrison

As Chief Commercial Officer at Concord Technologies, John is responsible for the company’s revenue growth and brand development, ensuring Concord continues to create the right products to meet the needs of its customers. John brings more than 25 years of document communication and automation experience to the team. Prior to joining Concord, John held executive management positions at OpenText, Captaris, and Goaldata, overseeing business operations across multiple continents.


COVID-19 Exposed The True Vulnerability of Healthcare Infrastructure

Martyn Crew, Director of Solutions Marketing at Gigamon

In 2019, 41 million patient records were breached in 572 reported incidents at an average cost of $1.8 million per breach. These statistics are far from surprising with healthcare records selling for a reported average of $45 on the dark web. Unfortunately, the year 2020 aggravated these issues as COVID-19 exposed the true vulnerability of the healthcare infrastructure. Organizations not only had to manage the medical and financial impacts of the pandemic but also the security risks inherent in the work-from-home (WFH) model and the increasingly sophisticated attacks of cybercriminals intent on exploiting these vulnerabilities. In this article, we’ll dive into some of these growing threats.

The Bare Minimum of EDR

Although most organizations have now provided WFH employees with secure computers using endpoint detection and response (EDR) solutions or mandated the use of virtual private networks (VPNs), this does not fully solve the security problem.

These solutions may protect the user and network from future attacks, but if network infiltration has already occurred, threats in the form of advanced persistent threats (APTs) may be lying dormant for weeks, months, or maybe even years, on an apparently secure network. To respond to these threats, a network detection and response (NDR) capability is required. This capability looks for activity or patterns of behavior from users or network servers that indicate attacks may be in progress, may have taken place, or may be developing.

Ideally, EDR and NDR need to be integrated and used together to provide end-to-end network visibility and security.

Exploited Fears

Cybercriminals and other bad actors were quick to exploit the COVID-19 pandemic with, for example, phishing attacks. These exploited the fears of healthcare consumers and healthcare workers who, in the early days of WFH, were often accessing corporate networks on secured mobile phones and personal computers from their home networks.

This led to a variety of security issues; for example, Mirai botnet–type attacks that exploited WFH practices to infect healthcare organizations’ networks or dropper-based attacks that loaded malware to steal users’ credentials and ultimately lead to ransomware attacks. While these attacks still continue, most healthcare organizations have taken the measures necessary to secure their networks and their patient and organizations’ data.

A Spike in State-Sponsored Attacks

Beyond threats from financially motivated cybercriminals looms the threat from highly sophisticated and well-resourced state-sponsored attackers. As widely reported in the media, there has been a spike in state-sponsored security attacks on lab and research facilities working on COVID-19 treatments. For example, the Wall Street Journal cited U.S. officials as suggesting that Chinese and Iranian hackers are targeting universities and pharmaceutical and other healthcare firms that are working to find a vaccine for COVID-19, in an attempt to disrupt this research and slow its development.

In addition to direct attacks on research institutions, software vendors that develop the tools used by these institutions are also at risk. Security is becoming a “supply chain” issue that touches not only all of the network users and assets but also all the precursors to these assets, including the network carriers and software vendors on which network users rely.

Lack of Trust

Who can you trust in this expanded threat environment? To take proper precautions, nobody. As healthcare consumers and the workforce want or need to operate on an “access anywhere, anytime” model, adopting what’s called a Zero Trust security architecture not only makes sense, it is close to an imperative for healthcare organizations.

Zero Trust means that, because the network is under constant attack from a huge array of external and internal threats, all users, devices, applications, and resources on the network must be treated as being hostile. These users and devices need to be rigorously and continuously authenticated, while patient, research, and other data and network assets need to be protected at a much more granular level than traditional perimeter-based security models allow.

The Rise of IoMT Devices

Healthcare organizations must also find new, more cost-effective ways to deliver high-quality healthcare to their increasingly tech-savvy consumers – and the use of Internet of Medical Things (IoMT) devices is critical to this process. IoMT devices, ranging from simple telehealth and remote patient monitoring to surgical robots and augmented reality technologies, can reduce operating costs and increase the quality of patient care.

COVID-19 has accelerated the adoption of IoMT technology, a process that will further accelerate with the availability of 5G networks over the coming one to three years. Many of the simpler IoMT devices don’t support traditional security models, so their adoption poses significant new threats unless healthcare institutions act to enhance security by, for example, ensuring that their network detection and response tools are ready for this challenge.

Looking ahead, it’s clear that the world is evolving towards a new normal, which will pose more threats and concerns for the healthcare industry. Recognizing this and preparing for the threats discussed will create a better game plan for what’s to come and allow for necessary growth within healthcare infrastructure.


About Martyn Crew
Martyn Crew is Director of Solutions Marketing at Gigamon. He brings a 30-year background in all aspects of enterprise IT to his role where he focuses on a number of initiatives and products including Gigamon’s Application Visibility and Intelligence solutions.


3 Telemedicine Security and Compliance Best Practices

Gerry Miller, Founder & CEO at Cloudticity

The coronavirus pandemic accelerated telemedicine exponentially as patients and doctors switched from in-person visits to remote consultations. Health providers rapidly scaled virtual offerings in March and April and traffic volumes soared to unprecedented levels, with practices “seeing 50 to 175 times the number of patients by telehealth than before the outbreak,” according to McKinsey. By early August, the U.S. Department of Health and Human Services expanded the list of allowable telehealth services in Medicare and there was an executive order supporting permanent telehealth provisions for rural areas.

But the surge in telemedicine adoption comes with a host of cybersecurity risks and regulatory compliance requirements unique to the healthcare sector.

As telemedicine traffic increases, so does the volume of hacking attempts. Recent cybersecurity news indicates healthcare organizations are top targets for cyberattacks and “providers remain the most compromised segment of the healthcare sector, accounting for nearly 75 percent of reported breaches.” The consequences are chilling: “The average cost of a healthcare data breach is $7.13 million globally and $8.6 million in the United States.”

Further, whenever patient information is involved, HIPAA compliance is required. While HHS temporarily suspended pursuing HIPAA penalties on providers for “good faith provision of telehealth during the COVID-19 nationwide public health emergency,” such permissiveness will not last.

Luckily, most telemedicine providers can utilize managed services and cloud infrastructure to keep pace. Here are some best practices to meet IT compliance and cybersecurity demands for telemedicine.

Telemedicine Compliance Best Practices

Compliance should be viewed as a real-time process that drives security. Telemedicine tools and technology should therefore reflect significant expertise with all healthcare regulations (HIPAA, HITRUST, HITECH), with compliance functions permeating processes. Recommended compliance best practices include:

1. Automate Remediation

Healthcare applications cannot offer high reliability if every potential compliance problem is remediated manually; there’s just too much that can go wrong and never enough staff to address it when needed. The solution is to automate everything that can be automated, and rely on people to handle exceptions or potential violations that don’t impact reliability. Cloud-based services can integrate AI and operational intelligence to automatically remediate anomalies when possible, present recommendations to operations staff for cases that cannot be resolved automatically, and present clear choices such as:

· Do Nothing: Take no action, delete ticket after [x number of days]

· Fix Now: Implement the recommended actions immediately

· Schedule: Perform the recommended actions during the next maintenance window

This approach speeds resolution and decreases service disruptions, and improves the reliability of telemedicine delivery. The automated response also plays a critical role in security (which will be discussed shortly).

2. Perform Formal Risk Assessments

Understanding the risk level and specific risk issues are critical components for an effective compliance plan. Many providers of healthcare services underestimate their level of risk, in part because it is difficult to quantify. The HHS has published guidance in its Quantitative Risk Management for Healthcare Cybersecurity, which offers insight. There are also cloud solutions that can aid the process. Cloud services providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud offer automated security assessment services that help improve the security and compliance of applications deployed on their cloud hosting platforms. They can generally assess applications for exposure, vulnerabilities, and deviations from best practices. A good inspection service should highlight network configurations that allow for potentially malicious access, and produce a detailed list of findings prioritized by level of severity.

3. Reduce Attack Surface

To provide secure access to sensitive information, hybrid architectures supporting telemedicine applications need a virtual private network (VPN) gateway between on-premises and cloud resources. However, developers, test engineers, remote employees, and others who need access to cloud-based protected health information (PHI) may bypass a VPN gateway by either cracking open the cloud firewall to allow direct unencrypted internet traffic or using peering connections. To prevent such potential exposures, secure desktop-as-a-service (DaaS) solutions provide an elegant way to allow cloud-based access to PHI without exposing connections or records. A DaaS is generally deployed within a VPC providing each user with access to persistent, encrypted cloud storage volumes using an encryption key management service. No user data is stored on the local device, which reduces overall risk surface area without impeding development capability.
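The compliance practices above fit together as one check: flag firewall rules that let traffic reach a service around the VPN gateway, flag unencrypted storage, rank the findings by severity, and attach one of the three dispositions listed under Automate Remediation. The sketch below is an added example, not code from the article or from any cloud provider; the inventory format, the RFC 1918 ranges standing in for "behind the gateway", the public-port list, and the severity-to-action mapping are all assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed sample inventory; field names are hypothetical, not a provider's API format.
RULES = [
    {"id": "fw-1", "cidr": "0.0.0.0/0", "port": 80, "target": "phi-api"},
    {"id": "fw-2", "cidr": "0.0.0.0/0", "port": 443, "target": "patient-portal"},
    {"id": "fw-3", "cidr": "10.8.0.0/16", "port": 5432, "target": "phi-db"},
    {"id": "fw-4", "cidr": "0.0.0.0/0", "port": 5432, "target": "phi-db"},
    {"id": "fw-5", "cidr": "203.0.113.0/24", "port": 22, "target": "build-host"},
]
VOLUMES = [
    {"id": "vol-a", "encrypted": True, "holds_phi": True},
    {"id": "vol-b", "encrypted": False, "holds_phi": True},
    {"id": "vol-c", "encrypted": False, "holds_phi": False},
]

# Assumption: sources in these RFC 1918 ranges arrive through the VPN gateway.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: HTTPS is the only service meant to face the internet directly.
PUBLIC_PORTS = {443}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]
# Assumption: how severity maps onto the three choices the article lists.
ACTION = {"critical": "Fix Now", "high": "Fix Now",
          "medium": "Schedule", "low": "Do Nothing"}


@dataclass
class Finding:
    resource: str
    severity: str
    detail: str

    @property
    def action(self):
        return ACTION[self.severity]


def assess_rule(rule):
    """Return a Finding if the rule exposes a service around the VPN gateway."""
    source = ip_network(rule["cidr"])
    # Explicit range check: ip_network.is_private also matches documentation
    # ranges and, on some Python versions, 0.0.0.0/0, so it is not used here.
    if any(source.version == net.version and source.subnet_of(net)
           for net in INTERNAL):
        return None  # source sits behind the gateway
    if rule["port"] in PUBLIC_PORTS:
        return None  # intended public HTTPS endpoint
    # Open to every address is worse than open to one external range.
    severity = "critical" if source.prefixlen == 0 else "medium"
    detail = (f"port {rule['port']} on {rule['target']} reachable from "
              f"{source} without the VPN gateway")
    return Finding(rule["id"], severity, detail)


def assess_volume(volume):
    """Return a Finding for storage that is not encrypted at rest."""
    if volume["encrypted"]:
        return None
    severity = "high" if volume["holds_phi"] else "low"
    return Finding(volume["id"], severity, "storage volume is not encrypted")


def assess(rules, volumes):
    """Collect findings and order them most severe first (stable within a level)."""
    found = [assess_rule(r) for r in rules] + [assess_volume(v) for v in volumes]
    found = [f for f in found if f is not None]
    return sorted(found, key=lambda f: SEVERITY_ORDER.index(f.severity))


if __name__ == "__main__":
    for f in assess(RULES, VOLUMES):
        print(f"{f.severity:8} {f.action:10} {f.resource}: {f.detail}")
```
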

Telemedicine Security Best Practices

While the full range of cybersecurity strategies is beyond the scope of this article, here are three best practices that telemedicine providers can use to bolster their security profile:

1. Deploy Proactive Network Security

Modern cyber threats have become steadily more sophisticated in evading traditional security measures and more devastating once they penetrate network perimeters. For that reason, telemedicine providers need a highly proactive, multilayered approach to prevent malware-based outages, theft of intellectual property, and exfiltration of protected health information (PHI).

A combination of network anti-malware, application control, and intrusion prevention systems (IPS) is recommended. Such proactive solutions are generally bundled in managed cloud services that should automatically detect suspicious system changes in real-time, isolate and quarantine affected resources, and prevent the spread of exploits by locking down any server whose configuration differs from the installed settings.

2. Encrypt Data Storage

Data encryption is the last line of cyber-defense for PHI and other critical information. Even if an attacker can penetrate the perimeter and proactive network security and exfiltrate data from the provider, those data are useless to the hacker if encrypted. It’s good practice to encrypt all web and application servers running on cloud instances using a unique master key from a key management service when creating volumes.

Encryption operations generally occur on the servers that host cloud database (DB) instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its block storage. For additional protection, you can also opt to encrypt DB instances at rest, underlying storage for DB instances, its automated backups, and read replicas.

3. Harden Operating Systems

Both Microsoft Windows Server and Linux are ubiquitous operating systems in telemedicine. They are also both attractive targets for cybercriminals because they provide complex capabilities, frequently remediate vulnerabilities, and are so common (increasing attackers’ chances of finding an unpatched system). Hackers use OS-based techniques such as remote code execution and elevation of privilege to take advantage of unpatched operating system vulnerabilities. Hardened images of Windows Server and Linux virtual machines (VMs) should be used, employing default configurations recommended by the Center for Internet Security (CIS). Such hardened images make gaining OS administrative access extremely difficult, and coordinate well with the proactive security bundles described earlier.

Additional resources for telemedicine compliance and security are available from the American Medical Association (AMA), the US Department of Homeland Security, the U.S. Department of Health and Human Services, and HITRUST.

While these best practices are targeted primarily at telemedicine companies, they can also be applied to a wide range of healthcare providers and organizations delivering vital services in the face of 2020’s dramatic swings in demand.


About Gerry Miller

Gerry Miller is the founder and chief executive officer at Cloudticity. He is a successful serial entrepreneur and healthcare fanatic. From starting his first company in elementary school to selling his successful technology consulting firm in 1998, Gerry has always marched to his own drummer, producing a series of successes. Gerry’s first major company was The Clarity Group, a Boston-based Internet technology firm he founded in 1992. Gerry presided over seven years of 100% aggregate annual growth and sold the company in 1998 when it had reached $10MM in revenue.

He was recruited by Microsoft to become their Central US Chief Technology Officer, eventually taking over a global business unit and growing its revenue from $20MM to over $100MM in less than three years. Gerry then joined ePrize as Chief Operating Officer, where he grew sales 38% to nearly $70MM while improving operating efficiency, quality, and both client and employee satisfaction. Gerry founded Cloudticity in 2011 with a passion for helping healthcare organizations radically reshape the industry by unlocking the full potential of the cloud.

Cybersecurity: Managing Risk in the COVID-19 Era


Healthcare IT consultants’ work involving health records may expose them – and their provider and payer clients – to regulatory, legal, financial, and reputational risk. These risks are potentially higher in the COVID-19 era, with many of their employees working from home and accessing sensitive records and networks from remote locations. According to the US Department of Homeland Security (DHS), there is a heightened risk of phishing, SMS phishing and other attacks using COVID-19 themes, and increased attacks on newly deployed remote access and teleworking infrastructure. Managing these risks requires a clear understanding of what a consultant’s potential exposures are, adopting best practices for mitigating risk, and considering appropriate insurance coverage to cover potential liabilities. 

How big is your risk?

Too often, cyber risk analysis is conducted with simplistic estimation methods based on broad assumptions. These methods may not tell the full story and may leave an organization uninformed about its true exposure. In my practice, we can use sophisticated scenario analysis to estimate cyber exposure – efficiently defining cyber event scenarios and estimating resulting losses using cost models tailored to specific impacts. Calculating the risk environment related to COVID-19 is part of this analysis.

Consultants and other vendors who have access to personal health information of organizations typically considered “covered entities” under HIPAA. As such, the consultants are “business associates” under HIPAA and subject to HIPAA requirements and penalties. These consultants may also be subject to claims and legal actions by affected patients who believe their personal health information privacy has been violated.

Because of the value of health records and the size of many of the clients, the claim for a security or privacy breach can average $3.4 million for larger healthcare organizations, according to NetDiligence. Consultants are also subject to the risk of claims and legal actions from their provider or payor clients for damages arising from data breaches and other cybersecurity incidents, interruption of service, and other problems. And whatever the merits of these claims, the cost of defending can be very high.

Best practices for risk management

Best practices for risk management in the COVID-19 era start with employee education and ongoing communication. Focus on safeguarding personal health information, following your organization’s data security policies, proper management of emails that may include malware/ransomware, protecting mobile devices and sensitive paper documents in transit, and other measures. In an era of mass telecommuting, it means enhancing security controls around the Security Application Gateway or VPN used to access corporate systems and ensuring multifactor authentication, where applicable. It also includes following best practices for virtual meetings, including the National Institute of Standards and Technology (NIST) Virtual Meetings Best Practices.

An updated, regularly tested and reviewed business continuity and incident response plan is essential – with copies of the plan available offline and off-site. This plan should include the contact information for incident response vendors who have been approved by your cyber insurance carrier(s). The incident response plan should, at a minimum, follow HHS guidance.

How much insurance do you need?

It’s a good idea to evaluate your insurance needs at least once a year, and perhaps more often if your business is rapidly changing. Some organizations acquire insurance early on in their company history, just enough to meet the requirements of clients, lenders, investors, and other interested parties. As time goes on, there may be inefficiencies where you’re paying too much for some coverages, or not scaling up coverage for the current size of your business and the potential exposures. Also, coverage should specifically meet the nature and size of current threats. For example, ransomware demands have increased 33% on average to $111,605 from Q4 2019 to Q1 2020 according to a recent Coveware report.  A regular review, coupled with accurate risk assessment, will help you determine appropriate coverages.
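The scenario analysis described under "How big is your risk?" and the coverage question in this section can be worked through together in a short simulation. This is an added example, not the author's model: the scenario names, annual probabilities and cost ranges are constructed assumptions, and only the $111,605 ransom figure and the $3.4 million claim figure (used here as a hypothetical policy limit) come from the article.

```python
import random
import statistics

# Constructed inputs: the probabilities and cost ranges are illustrative
# assumptions. Only two anchors come from the article: the $111,605 average
# ransom demand and the $3.4 million average claim (used as the policy limit).
SCENARIOS = [
    # (name, annual probability, {impact: (low, most likely, high) in USD})
    ("ransomware on consultant network", 0.30, {
        "ransom_or_recovery": (20_000, 111_605, 600_000),
        "business_interruption": (50_000, 250_000, 1_500_000),
        "forensics_and_legal": (30_000, 120_000, 400_000)}),
    ("PHI breach via phished remote worker", 0.15, {
        "notification_and_monitoring": (40_000, 300_000, 2_000_000),
        "regulatory_and_defense": (100_000, 900_000, 6_000_000),
        "client_claims": (0, 500_000, 4_000_000)}),
]

def simulate_year(rng):
    """Total loss for one simulated year across all scenarios."""
    total = 0.0
    for _name, prob, impacts in SCENARIOS:
        if rng.random() < prob:  # scenario occurs this year
            # Each impact gets its own cost model (triangular distribution).
            total += sum(rng.triangular(lo, hi, mode)
                         for lo, mode, hi in impacts.values())
    return total

def exposure(limit, years=20_000, seed=7):
    """Summarise simulated annual losses against an insurance limit."""
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    losses = sorted(simulate_year(rng) for _ in range(years))
    uninsured = [max(0.0, x - limit) for x in losses]
    return {
        "expected_annual_loss": statistics.fmean(losses),
        "p95": losses[int(0.95 * years)],
        "p99": losses[int(0.99 * years)],
        "prob_exceeds_limit": sum(x > limit for x in losses) / years,
        "expected_uninsured": statistics.fmean(uninsured),
    }

if __name__ == "__main__":
    for key, value in exposure(limit=3_400_000).items():
        print(f"{key:>22}: {value:,.2f}")
```

The tail figures (p95, p99 and the chance of exceeding the limit) are what a single average-cost estimate hides, and they are the numbers to compare against policy limits at each annual review.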

Review your cyber liability insurance policy to confirm how it will respond to security/privacy infiltrations within a remote desktop employee environment. Most updated policy forms affirmatively cover unauthorized access into the organization’s network/system/environment when the software is managed by the insured organization, such as via a mobile device manager (MDM). However, each policy differs in coverage. Remind employees to report suspected activity or infiltrations of their home network to their IT/information security team in accordance with your incident response plan and cyber liability policy.

Conclusion

With the expanded use of technology, such as cloud utilization and EMRs, the healthcare industry is more interconnected and dependent on service providers than ever before. The impact of the pandemic further stresses this reality and can create numerous liabilities around the confidentiality, integrity, and accessibility of the data within your organization. Reviewing your vendor contracts and the audit procedures of such critical vendors can be valuable in maintaining supply chain resiliency and limiting legal and incident response costs when security or privacy incidents occur. Cyber insurance may be an afterthought within some organizations. However, it is a crucial response mechanism that should be known and tested with various simulations to understand the adequacy of coverage and limits.


Mario Paez, RPLU, CIPP/US is Director, Cyber & Technology E&O, with the Minneapolis office of Marsh & McLennan Agency LLC.


Disclosure: This article is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Marsh & McLennan Agency LLC shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax accounting or legal matters are based solely on our experience as consultants and are not to be relied upon as actuarial, accounting, tax or legal advice, for which you should consult your own professional advisers.

Telehealth and Cybersecurity: What You Should Know


Healthcare providers are seeing between 50 and 175 times more patients via telehealth than before (1). Telehealth platforms offer solutions for a wide array of different healthcare issues. An estimated 20 percent of all emergency room visits and 24 percent of routine office visits and outpatient volume could be delivered virtually via telehealth.

Telehealth is a win-win for providers and patients. It increases the availability of care while also reducing costs. However, telemedicine does have intrinsic privacy and security risks that all providers must minimize to protect sensitive patient data.

The Inherent Vulnerability of Connectivity

Providers have been eager to adapt to this care delivery method, but many platforms do not meet HIPAA requirements and lack adequate data safeguards. The same connectivity that makes telehealth possible also creates threats to patients. Protecting patient health information (PHI) and providing remote services don’t fit together easily.

Any data transferred over the internet runs the risk of interception by threat actors, and healthcare has long been a preferred target for cybercriminals. In 2019, healthcare data breaches cost the industry over $4 billion (2). 

This year is no exception with a further increase in ransomware (3) and other attacks that put millions of patients’ records in danger of exposure. These types of events have all happened within typically well-fortified hospital networks.

Connecting with patients via telehealth and transmitting biometric data via remote care devices only furthers these dangers. The biggest risk is that patients lack control of the collection, usage and sharing of their PHI.

For instance, remote monitoring devices built with sensors to detect falls may collect information on other activities patients wish to be kept private—including that their home is unoccupied at certain times and the types of activity they participate in. Even with security measures, any transfer does have a potential for a breach.

How to Prevent Security Risks in Telehealth

More secure telehealth begins by establishing best practices. Because of the sensitive information healthcare organizations possess, providers and the vendors they choose to work with must focus on core elements of data security through related tools and strategies such as:

1. Identity Authentication

Continuous identity authentication ensures authorized individuals have access to data. Identity authentication can be accomplished through a variety of approaches.

Multi-factor authentication, or the requirement of utilizing two pieces of evidence to sign in, is among the most common and has been proven effective in blocking 99.9 percent of all automated cyber-attacks (4).

Beyond this, users need to develop strong, unique passwords not just for their telehealth platform accounts but across all of their online logins and accounts.

2. Improve Telehealth Platform Safety

HIPAA requires that providers integrate encryption and other safeguards into their interactions with patients. However, patients’ devices on the receiving end of care often don’t have these safeguards while some medical devices have been shown to be vulnerable to hackers.

Ensuring the safety of all patient devices in the short term will be impossible. Thus, telehealth platforms must be as secure in themselves as possible. The software needs to be designed in a secure environment and contain numerous ways of establishing secure channels between patients and providers.

3. Investing in Patient Education

Outside of telehealth, cybersecurity ultimately relies on the end-user. As hackers continuously exploit new vulnerabilities, developers are in a constant race to keep up with new threats. Cybersecurity is only as strong as its weakest link. Secure telehealth apps must be complemented by other measures.

For this reason, healthcare providers should educate patients about cybersecurity and the steps they should take to improve the overall safety of their interactions online by:

●  Educating patients about the telehealth security threats;

●  Using a VPN both during telehealth services and for general device usage;

●  Frequently updating all apps and operating systems, not just telehealth platforms;

●  Enabling anti-malware and virus scans to run at all times;

●  Restricting app permissions to what’s necessary for app functionality only; and

●  Recognizing social engineering and other types of cyber-attacks.

How to Minimize Telehealth Security Risks

The one word providers must focus on when implementing telehealth is encryption. It needs to be everywhere. Since data is vulnerable in all stages of its life cycle, including during storage, transmission and access, encryption must be built into every step of this process.

Concerns about the privacy and security of these systems should not adversely affect people’s trust in telehealth. The benefits outweigh the risks. But providers must embrace more rigorous standards and minimize threats to ensure telehealth can deliver on its promises and live up to its potential.

Sources:

  1. https://www.mckinsey.com/industries/healthcare-systems-and-services/our-insights/telehealth-a-quarter-trillion-dollar-post-covid-19-reality
  2. https://healthitsecurity.com/news/data-breaches-will-cost-healthcare-4b-in-2019-threats-outpace-tech#:~:text=November%2005%2C%202019%20%2D%20Healthcare%20data,per%20each%20breach%20patient%20record.
  3. https://www.securitymagazine.com/articles/92575-increase-in-reports-of-ransomware-attacks-on-health-care-entities
  4. https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/