It’s Not Just Financial – It’s Also Life or Death

With the Delta variant testing hospital capacity, hospital again become high-value targets for cyber-attacks. Hospitals entice cyber criminals by offering a buffet of attack surfaces, each carrying a set of vulnerabilities that few entities can monitor and repair.

Think about it: each hospital bed is equipped with internet-connected devices such as portable monitors and infusion pumps, which give nursing staff access to live-action patient health data and allow the providers to monitor medication dispensation. On May 20, 2021, the FBI issued a flash advisory stating that criminals using Conti Ransomware actively targeted healthcare networks using traditional tools such as malicious email links, mimikatz, and Powershell scripts. On August 24, 2021, Cyberscoop reported that McAfee found multiple vulnerabilities in B. Braun’s infusion pump software that would allow a skilled hacker to manipulate medication levels. McAfee claimed that it accessed the infusion pump’s communication module, then injected code into key files used by the infusion pump to control activity. More alarmingly, the McAfee team claimed that a simple reboot of the pump destroyed evidence of their code injection.

While there is no reported event in which B.Braun software was criminally utilized to cause patient harm, this reported vulnerability provides a frightening example of how patients, pediatric to geriatric, can easily succumb to cybercrime in a hospital bed. Often, medical devices using software like B.Braun lack regular updates and patches. Indeed, McAfee’s research team triggered a response from the Food and Drug Administration to examine the reported vulnerabilities.

With additional pressure from the 21st Century Cures and Interoperability Act, which require providers and other covered entities to make electronic hospital records easily available to patients, insurers, and other providers, an “offline hospital” presents an unacceptable risk to patient care and a violation of federal regulations.

The Department of Health and Human Services recorded 82 reported ransomware incidents targeting healthcare entities in the United States between January 1, 2021 and May 25, 2021 (16 of which were Conti). The DHHS report does not include the August 15, 2021 ransomware attack on the Ohio and West Virginia based Memorial Health System, which suspended all urgent surgeries and only permitted the hospitals to accept patients suffering from heart attacks, strokes, and grave trauma.

Boards of directors and hospital administrators must recognize that cybercrime, which is a national security concern, cannot rest on HIPAA compliance and create a false belief in security. Although HIPAA privacy cannot exist with certain minimum-security mechanisms, HIPAA does not present a wholesale cybersecurity package.

Therefore, to prevent not just civil liability but also loss of life, healthcare networks are encouraged to start with a “red team” analysis, which is a contracted group of hackers who professionally test networks and identify vulnerabilities. Following the completion of the event, a report is provided that outlines the vulnerabilities and describes the impact of a simulated malicious cyber-attack. A “red team” is useful in demonstrating to senior management-levels the need to invest in stronger cybersecurity precautions and prioritizing areas of concern.

Regardless of whether an entity is willing to undertake a “red team” event, the following 10 security mechanisms remain highly effective against preventing the introduction and subsequent spread of malware:

1. Restricting network privileges – preventing any user (except the chief security engineer or chief information security officer) from downloading, installing, or altering applications on a network or device.

2. Strictly prohibit “bring your own device” policies – if your organization did not issue the device and cannot control application management, the device should not be used to access the network.

3. Create a zero-tolerance approach to employees who violate technical security policies and procedures to incentivize employees and contracted staff against violating the same.

4. Use a multi-factor VPN for teleworkers.

5. Airgap and/or encrypt all back-up data.

6. Maintain a recently updated network map with a network engineer that ensures certain network components are segregated to prevent a domino-effect in the event of a malware incident.

7. Install and regularly check firewall configurations to ensure malicious IP addresses are blocked (both in and out of the network).

8. Automate software updates, as overseen by a competent administrator, to prevent lapses and cure zero-day vulnerabilities.

9. Use strong anti-malspam filters to identify and automatically refuse emails from both virgin domains (unknown/new) and domains known as associated with cybercrime.

10. Install zero-trust configurations for any user, outside network, or device before allowing it to communicate with or enter a network’s perimeter.

DHHS also recommends the 3-2-1 Rule for back-up data to minimize the need to pay ransom demands and quickly regain operations: maintain 3 copies of back-up data; keep 2 copies in separate network locations; and keep 1 copy at an off-site location.