Cyberattacks against health care apps spike alongside vaccine interest

Thank you for subscribing to the free edition of the twice-weekly Parallax View newsletter. All issues are free through March 22. After that, you’ll receive one issue per week. If you’d like to support our independent journalism on the intersection of health care and cybersecurity with a paid subscription, you can do so here. If you'd like a subscription option not available, please email seth@the-parallax.com.

As if health care organizations didn’t have enough to deal with amid the pandemic, they are now experiencing a massive spike in cyberattacks against their Web apps that appears timed to the distribution of Covid-19 vaccines.

Cyberattacks against health care Web apps—including patient-facing telehealth apps and those used internally by employees—shot up by 51 percent between November and December, just as public vaccine distribution was beginning, according to a January report by researchers at cybersecurity company Imperva. Excepting a dip around the holidays (perhaps even malicious hackers take time off to relax?), that trend continued into January, said Nadav Avital, head of threat research at Imperva Research Labs.

“The trend of data leakage continues to grow. During the final week of January, we saw data leakage incidents in health care spike by 67 percent,” he wrote in an email to The Parallax. “These are incidents where data was transmitted from an organization’s corporate network to an external destination, whether accidentally or deliberately, without authorization.”

Imperva reports that globally, health care organizations each were hit with on average 498 cyberattacks—187 million in total—per month, a 10 percent year-over-year increase. Imperva’s experts aren’t the only ones tracking the worrisome trend. Check Point’s cybersecurity researchers found that cyberattacks against health care organizations rose 45 percent between the end of October and the end of December, and that 79 percent of all data breaches in the first 10 months of 2020 targeted health care.

"More humans on keyboards is not the answer... You need a comprehensive security program, but most products protect only the perimeter. And if you don’t patch immediately, the bad guys have a critical pathway to attack." —John Adams, CEO, Waratek.

The sharp rise in cyberattacks against health care comes as health care organizations rapidly adopt remote-access technologies for telehealth and internal systems. Technological transitions generally make networks and systems more vulnerable to attacks, says Terry Ray, an Imperva senior vice president and research fellow.

“Many health care organizations assume their traditional defenses will be able to detect and stop all cyberattacks, but that isn’t that case,” Ray wrote in an email. “Organizations are vulnerable in a new, complex way that extends beyond the perimeter, and outside of their traditional security defenses, and including end-point security.”

Health care organizations remain attractive targets for cyberattacks because they’re more likely to pay ransoms to regain access to patient data, especially when system failures put patients’ lives on the line. While some trends point toward stolen patient data used in identity theft or for sale on the Dark Web, most indicators show that encrypting stolen data, then demanding payment to unlock it, is still considered a highly lucrative practice among malicious hackers.

Part of the challenge in securing the computer systems and networks of health care organizations is that they are often significantly more complex than other sectors, with a spider’s web of doctors, nurses, patients, administrators, and insurers accessing patient data from an equally long list of remote and in-person computer networks and computing devices.

Health care organizations face three significant challenges in improving their IT security, says John Adams, the CEO of application security management platform Waratek. Hospital systems are generally not designed with security in mind; their components must manage different and complicated tasks, including patient charting, pharmaceutical delivery, patient and supplier billing, patient scheduling, and operating-room scheduling.

To comply with social-distancing guidelines amid the pandemic, hospitals are now layering on remote access for tasks that, for security reasons, previously had to be done in person.

“More humans on keyboards is not the answer,” says Adams, who worked in health care for more than a decade before jumping to IT security. “You need a comprehensive security program, but most products protect only the perimeter. And if you don’t patch immediately, the bad guys have a critical pathway to attack.”

A further complication health care organizations face is a U.S. law passed in 2016 that may force them to step up their cybersecurity game. The final rule of the 21st century Cures Act, which comes into effect on April 5,  will force organizations that collect and use patient data to better protect it. Organizations that rely on health information technology are compelled by the law to make patient health information more interoperable, more accessible, and more secure, even though making data more interoperable and more accessible means that there is more for health care IT departments to secure. It also gives patients the right to access their personal health information without being charged a fee for the privilege.

"This is new territory for a lot of organizations. Everyone is facing this challenge." —Mitch Parker, CISO, Indiana University Health.

One of the most important aspects about the Cures Act’s final rule is that it forces health care organizations to apply modern data security standards, says Mitch Parker, the chief information security officer at the nonprofit Indiana University Health. Patient data will be required to be accessible via application programming interfaces, or APIs, and conform to Fast Health Interoperability Resources v4.0.1 with OAuth 2 as the authentication standard, using TLS 1.2 or greater.

“Organizations haven’t done that much with application-level security. They have patient portals, but they have exposure. This is new territory for a lot of organizations. Everyone is facing this challenge,” says Parker. “This is one of the first times I’ve seen that level of detail in legislation.”

But the Cures Act is no panacea, and it “exacerbates” institutional differences, he says. Some health care organizations, including electronic medical-record providers, “get it” when it comes to security, Parker warns. Others don’t.

Parker has several recommendations for health care organizations struggling with IT security, as they attempt to comply with the Cures Act. For smaller organizations or nonprofits, he advises checking out the services available from NGO tech marketplace TechSoup. He also recommends reaching out to the FBI, the department of Health and Human Services, and the Cybersecurity and Infrastructure Security Agency at the DHS.

“The risk is similar for Web apps and mobile apps,” Parker says. “Lots of organizations are going to have to make big changes over the next year.”

Correction to Tuesday's story

We have updated Tuesday's interview with Josh Corman to correct that he initiated communication with Chris Krebs regarding ransomware following the RSA Conference in 2020. We regret the error.

A Tweet to live by:

What do you know that we don't?

Got a tip? Know somebody who does? You can reach us by email, Twitter DM, or Signal secure text: 415-730-3194.

Coming next on Tuesday:

Two studies this year show that health care suffered a deluge of cyberattacks in 2020, a continuing trend in 2021 that could get even worse. We look at what makes health care organizations hard for cybersecurity experts to protect, even with lives on the line.

Thank you for subscribing to the free edition of The Parallax View! Learn more about our paid subscription options here.