Cyberattacks on Hospitals: Top Lessons from Critical Infrastructure Breaches

The lessons learned from analyzing breaches in 2020 has underlined the need for healthcare providers to double-down on security. The recent Colonial Pipeline attack has, once again, demonstrated the vulnerability of US corporations to ransomware attacks and the significant impact to patients, businesses and our communities.

In a recent Briefings from HIPAA article, I was asked to weigh in on the 2021 Breach Barometer from Protenus. There certainly is progress being made, there are a few key takeaways from this and the latest attack for healthcare IT leaders to be aware of:

• Fewer patients were impacted from a higher number of overall breaches according to the Protenus report. This is evidence that progress is being made in cybersecurity programs.
• Work from home has opened new security gaps. In the rush to implement and expand capabilities in response to the COVID-19 crisis, shortcuts were possibly taken that violated security best practices. Examples include:
  • Using older laptops with unsupported operating systems
  • Permitting use of personal devices to access the corporate network
  • Loosening security posture requirements for remote connections
• Hospitals and healthcare often lack enough qualified security professionals to perform all that is needed for a strong security posture, including patching, periodic and consistent vulnerability and penetration testing, monitoring of networks and systems, investigation of security events, and incident response. (See the NIST Cybersecurity Framework for a more complete list of essential security functions.

The recent Colonial Pipeline attack has elevated national impact due to the role of Colonial in the US critical infrastructure. Likewise, the over 400 hospitals and thousands of healthcare sites where CereCore provides IT services are also a component of the US critical infrastructure.

Cybersecurity Guides and Resources:

In support of our customer’s security efforts and all US health systems, I’ve compiled a list of helpful cybersecurity guides and resources.

• Institute for Security and Technology (IST) Ransomware Task Force Report on Combatting Ransomware. This includes key recommendations and a framework for action. For background on the severe impact of ransomware attacks note the following statistics for 2020:
  
• Released this week, the US Cybersecurity and Infrastructure Security Agency (CISA) along with the FBI updated their guide on ransomware, specifically related to the DarkSide attack on Colonial Pipeline.
• The updated CISA guide is a supplement to their previously released ransomware guide.
• Briefings from HIPAA: Top lessons learned from 2020 breach analysis. If you aren’t a subscriber to this newsletter, download the pdf.

I hope you find these resources helpful to protect your own organization from cybersecurity risk. If we can be of any assistance in helping your health system inventory and analyze your IT infrastructure or supplement your security efforts, our teams are available for a conversation.