A security exec overseeing 15 hospitals with $14 billion in revenue breaks down how to stay ahead of hackers as healthcare ransomware attacks nearly doubled last quarter

  • Cybercriminals are striking hospitals across the US with growing frequency amid the COVID-19 pandemic, with the number of healthcare organizations targeted by ransomware nearly doubling between the second and third quarter of 2020.
  • The COVID-19 pandemic has made hospitals more vulnerable to hackers as they intake a flood of new patients and expand remote telemedicine offerings.
  • Jigar Kadakia, chief security officer at Mass General Brigham, told Business Insider about his strategy for defending the system's 15 hospitals and five community health centers that bring in over $14 billion in annual revenue.
  • Kadakia's approach includes educating staff about hackers' tactics, using new technical controls to filter out more links and files sent to employees via email, and hiring third party security firms to vet new software and internet-connected devices that hospitals adopt.

Ransomware is breaking records in 2020 — and hospitals are a top target for hackers.

Cybercriminals who use ransomware to shut down victims' networks in order to extort them have long steered clear of targeting healthcare institutions, where actual lives hang in the balance. But that norm has been shattered in 2020.

The COVID-19 pandemic has made hospitals more vulnerable to hackers as they intake a flood of new patients and expand remote telemedicine offerings. A wave of ransomware attacks has struck hospitals across the US and the globe, forcing them to temporarily turn away ambulances and revert to pen and paper records.

The rate of attacks has surged to new heights in recent months, prompting the FBI to issue an advisory in October about the rise in ransomware targeting hospitals. The percentage of healthcare institutions worldwide that fell victim to ransomware attacks rose from 2.3% to 4% between the second and third quarter of 2020, according to the cybersecurity firm Check Point.

Security executives at major hospitals are the front line of defense against the rise of healthcare cybercrime. Among them is Jigar Kadakia, chief security officer at Mass General Brigham, a not-for-profit healthcare system that runs 15 hospitals and five community health centers that take in over $14 billion in annual revenue.

In an interview with Business Insider, Kadakia broke down his strategy for securing Mass General Brigham's networks and protecting patient data, as well as the technical tools and enterprise software used by the hospital system to fend against cyberattacks.

In the fight against ransomware, individual employees are the "weakest links" that attackers will target

Most ransomware attacks start with phishing schemes in which hackers try to trick an employee into handing over their login credentials by posing as a trusted person or organization, like their bank. From there, hackers may log into that person's account and move laterally to trick higher-ups using the same scheme.

Constantly training and re-training staff about the prevalence and tactics of phishing is key, according to Kadakia.

"Individuals are the weakest links, and if they're not properly trained, they're going to be susceptible," Kadakia said.

Cybercriminals have adopted new messaging in their phishing attacks in the past year that capitalize on people's fear and uncertainty about COVID-19, Kadakia said. Hackers pose as authorities on the virus, or exploit new protocols used by employees working remotely.

In addition to training, Kadakia's team has rolled out a slate of technical tools that limit employees' email functionality as a security measure. All employees see a red warning banner at the top of emails from external senders, and the email system vets URLs for suspicious domains before they land in employees' inboxes. Emails with unusual file attachments are automatically filtered out.

"It's a layered approach," Kadakia said. "We've done what we can technically, and we've done as much as we can from an education standpoint."
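The three technical controls described above (an external-sender banner, vetting of URLs for suspicious domains, and filtering of unusual attachments) can be modelled as a small inbound-mail screening step. The following is an added example written for this article, not Mass General Brigham's or any vendor's code; the internal domain, the suspicious-domain list, the attachment allow-list and the sample messages are all constructed assumptions standing in for a real organisation's configuration and threat-intelligence feed.

```python
"""Layered inbound-mail screening: external-sender banner, URL/domain vetting,
and attachment filtering.  Added example; all lists below are constructed."""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Constructed assumptions: the organisation's own mail domain, a tiny
# suspicious-domain list (a real deployment would use a reputation feed),
# and an allow-list of attachment types considered "usual" for staff mail.
INTERNAL_DOMAINS = {"hospital.example"}
SUSPICIOUS_DOMAINS = {"secure-login-update.example", "covid19-relief-portal.example"}
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".csv", ".png", ".jpg"}
EXTERNAL_BANNER = "[EXTERNAL] This message came from outside the organisation."

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From header, lower-cased and stripped of '>'."""
    _, _, domain = str(msg.get("From", "")).rpartition("@")
    return domain.strip(" >").lower()


def is_external(msg: EmailMessage) -> bool:
    return sender_domain(msg) not in INTERNAL_DOMAINS


def suspicious_urls(msg: EmailMessage) -> list:
    """URLs in the body whose host is on the suspicious list or is a bare
    IPv4 address (a throw-away host with no domain is itself a warning sign)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hits = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;)")            # drop sentence punctuation glued to the URL
        host = (urlparse(url).hostname or "").lower()
        if host in SUSPICIOUS_DOMAINS or IPV4_RE.fullmatch(host):
            hits.append(url)
    return hits


def unusual_attachments(msg: EmailMessage) -> list:
    """Filenames of attachments whose extension is not on the allow-list."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
            names.append(name)
    return names


def screen(raw: bytes) -> dict:
    """Apply the layered checks to a raw RFC 5322 message and return a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = {
        "external": is_external(msg),
        "suspicious_urls": suspicious_urls(msg),
        "unusual_attachments": unusual_attachments(msg),
        "banner": "",
    }
    if verdict["suspicious_urls"] or verdict["unusual_attachments"]:
        verdict["action"] = "quarantine"          # never reaches the inbox
    elif verdict["external"]:
        verdict["action"] = "deliver_with_banner"  # delivered, but visibly flagged
        verdict["banner"] = EXTERNAL_BANNER
    else:
        verdict["action"] = "deliver"
    return verdict


def build_sample(sender: str, body_text: str, attachment=None) -> bytes:
    """Construct a sample message (test data only, not captured mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "nurse@hospital.example"
    msg["Subject"] = "COVID-19 protocol update"
    msg.set_content(body_text)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: a COVID-themed lure, an internal note, and a benign vendor mail.
PHISH = build_sample("IT Support <helpdesk@secure-login-update.example>",
                     "Your remote access token expires today. Re-validate at "
                     "http://secure-login-update.example/sso now.",
                     ("token_refresh.js", b"// constructed placeholder"))
INTERNAL_NOTE = build_sample("Jane Doe <jane@hospital.example>",
                             "Reminder: the updated visitor policy PDF is on the intranet.")
EXTERNAL_BENIGN = build_sample("Vendor <rep@vendor.example>",
                               "Please see the attached invoice, also at https://vendor.example/invoice/123",
                               ("invoice.pdf", b"%PDF-1.4 constructed"))

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("internal", INTERNAL_NOTE), ("vendor", EXTERNAL_BENIGN)):
        print(label, screen(raw))
```

The ordering of the checks is the point: a suspicious URL or an off-list attachment quarantines the message regardless of sender, while an external sender alone only earns the banner, so staff still receive legitimate outside mail but see the warning the article describes. The allow-list for attachments is deliberately short; widening it to admit script or archive types is where most real-world filters quietly lose their value.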

Hospitals are turning to third-party firms to vet their IoT security

Hospitals are constantly installing new medical devices and software to manage patient data — both of which can be vectors for attacks.

As part of his process for ensuring new devices aren't vulnerable to hackers, Kadakia uses a third-party evaluation developed by Censinet, a risk intelligence firm that specializes in healthcare. Censinet evaluates the security of nearly 15,000 healthcare vendors and products on behalf of its healthcare institution clients, Censinet CEO Ed Gaudet told Business Insider.

"The reality is it is every single application that you buy can have a vulnerability that opens a door," Gaudet said. "If you're a hacker you're looking for any door in, and almost any application could potentially open that door."

Healthcare-focused security firms have had to rework their evaluation systems in the past year to adapt to changes brought about by the COVID-19 pandemic, according to Adam Gale, president of KLAS Research. KLAS has partnered with Censinet to design a 10-day security evaluation for hospitals that launched in December.

"The attack surface is greater [now]," Gale told Business Insider. "The sophistication level of the tools that the attackers use is greater."

Hospitals are increasingly being targeted by cyberattacks that aim to leverage internet-connected hardware, also known as IoT devices, Gale said. He also warned that hackers have demonstrated increasing ruthlessness in attacks against hospitals, citing recent ransomware breaches that directly impacted patient care.

"It's not just about data anymore," Gale said. "It's about patients' lives."
