By Paul Prudhomme, Head of Threat Intelligence Advisory, IntSights, a Rapid7 company
In August 2021, as many citizens in Manila looked to get vaccinated against COVID-19, the city’s vaccination website was attacked by hackers 133 times. The city’s mayor later told news outlets that “troll farms” were possibly behind the hit on the vaccination registration site, seeking to deny real users from using it.
The attacks were not the only cyber threats facing the Philippines’ healthcare sector during the pandemic, as it tried to help citizens navigate the crisis.
Earlier, in November 2020, a software tool that healthcare workers in the Philippines used to share data about COVID-19 cases was found to contain multiple flaws that could potentially expose patient data.
Researchers at a laboratory at the University of Toronto discovered vulnerabilities in the COVID-Kaya platform’s Web and Android apps that allowed unauthorized users to access private data about the platform’s users, according to cybersecurity news website Threatpost.
These incidents are reminders of the need to manage cybersecurity risks as healthcare providers digitalize rapidly to improve patient care and meet the urgent demands of a pandemic.
The Philippines is certainly not alone here. In the Italian city of Lazio, cyber attackers managed to disable the COVID-19 vaccination booking system last year, preventing citizens from getting their vaccination appointments for days. Hackers likely believed this would pressure the Italian authorities to pay up the ransom to unlock the systems they had disrupted through a cyberattack.
Unsurprisingly, during the pandemic, cyber attackers have sought to exploit the confusion and fear of citizens and government agencies, hoping to cash in as victims often became desperate in life-and-death situations.
In 2020, more large healthcare data breaches were reported than in any other year, according to a recent report by IntSights, a Rapid7 company. In addition, 2021 saw five consecutive months (March through July) in which industry data breaches have been reported at a rate of two or more per day.
While cybersecurity is a threat to all organizations, healthcare providers face some unique challenges, particularly during the pandemic.
For starters, the personal details in protected health information (PHI) are useful for criminal groups that wish to commit identity and insurance fraud. Once data such as social security numbers of medical records are leaked on underground criminal forums on the Dark Web, they can be reused and exploited repeatedly.
While it is true that the healthcare sector is highly regulated in terms of security and data protection, this can sometimes work against organizations in the sector. For instance, cyber attackers may count on victims in the healthcare sector to pay up a ransom because they would otherwise incur a hefty fine from government regulators for losing patient data. This could give them additional leverage compared to, say, a victim in another sector that does not have the same stringent regulatory oversight.
Another unique feature of the healthcare sector is the medical devices that are connected to a network all the time.
IntSight’s study in the United States found that some healthcare providers had not been updating their devices with the latest firmware because they were worried this might void the approval already received from the Food and Drug Administration. Although the authorities only ask that significant modifications be sent for approval, some providers become “over compliant” and end up not updating the software on their devices. As a result, these devices could be left in a vulnerable state for years — many of them run for a decade or more — and act as a perpetually open door for cyber attackers to enter.
There is yet another worrying thing for the healthcare sector. Despite the value of highly personalized data that can be stolen here, the price of unauthorized access to a healthcare organization is relatively low among criminals. The lowest price in a data sample that IntSights obtained, from monitoring underground criminal networks, was just $240, for access to a Colombian healthcare organization. This could be because of a perception that it is relatively easy to steal data from a healthcare organization or simply that there is an oversupply of such information.
These findings from IntSights’ global study offer valuable lessons for Southeast Asian healthcare organizations, particularly on how to reduce their risk and improve their security posture.
Here are four important steps:
- Establish priorities: Find and address the most critical vulnerabilities first, then identify which assets are most likely to be targeted
- Integrate cyber threat intelligence: Discover threats before they arrive at your doorstep, then tailor defenses against them.
- Build robust ransomware defense: Use offline backups and strong encryption; avoid the temptation to pay off a ransomware gang.
- Balance usability and cybersecurity: Use multi-factor authentication on a mobile app and limit remote access to a bare minimum, for example, to reduce risk.
Increasingly, cyber criminals are seeking more effective ways to pressure their victims to cough up ransoms. Besides stealing and locking up precious data, they also extort victims by threatening to expose sensitive data.
For healthcare organizations, the key to overcoming such new cybersecurity challenges is first understanding the unique risks that the sector faces and trying to keep a step ahead. Constant vigilance has to be the norm.