Increased Cyber Threats: Why Now and What to Do About It

Cybersecurity was already one of the top concerns among healthcare organizations at the beginning of 2022, after a record year of healthcare data breaches in 2021.

“The combination of poor cybersecurity practices, sensitive data storage, and a desperation to preserve business continuity at all costs, makes the healthcare industry a prime target for cybercriminals – an inevitability that was further exacerbated by the pandemic,” writes Edward Kost for the cybersecurity risk management company Upguard.

And now, with the ongoing war in Ukraine and the increased international risk of a cyberattack from Russia, its allies, or other bad actors, experts are urging extreme caution and immediate action.

“We are seeing more and more nation-state activity due to the conflict in the Ukraine,” says Ryan Wright, a professor specializing in cybersecurity at the University of Virginia, in an interview with USA Today. “With U.S. sanctions setting in, it is only a matter of time until the U.S. is targeted more directly. This may mean attacks on your personal device through ransomware but also attacks on the infrastructure such as your internet access or even the power grid.”

Acts of War Exclusions

In time of war, one issue healthcare organizations may face is the potential for a cyberattack to be excluded from their usual cybersecurity insurance coverage because of “acts of war” exclusions.

According to Alex Clark, CPLP, cyRM, Vice President, Cyber Risk Practice Leader at Hylant, while every cyber policy includes some type of war exclusion, they aren’t “a one size fits all decision and many carriers have different exclusion language.”

“Any stance that is taken on a systemic cyber event would depend on the facts and circumstances applied to the policy language and the event itself,” Clark said in a recent email communication to clients.

Back in January, the Lloyd’s Market Association (LMA) released four “model clauses,” along with expanded definitions for coverage exclusions for “war” in all of their cyber insurance policies.

The concern about these and other such exclusions is that they “suggest that insurers are — for now — taking a very cautious approach,” according to The National Law Review. “Consequently — and as premiums for cyber insurance continue to rise — insureds should carefully determine whether their operations are sufficiently insured from foreseeable risks.”

Ransomware

Ransomware also continues to threaten the healthcare industry, as the need to maintain patient safety and well-being makes healthcare providers especially vulnerable to such attacks.

Ransomware is essentially malware that’s loaded onto a network to infect and encrypt sensitive data. The data is then held hostage until the victim pays the ransom and receives an encryption key. According to Kost, this malicious software usually gets into a system when an unsuspecting employee clicks on a link through an email phishing attack.

The Cybersecurity and Infrastructure Security Agency (CISA) launched a new website – StopRansomware.gov – to help public and private organizations defend against the rise in ransomware cases. StopRansomware.gov is an interagency resource that provides partners and stakeholders with ransomware protection, detection, and response guidance that they can use on a single website. This includes ransomware alerts, reports, and resources from CISA, the FBI, and other federal partners.

Beyond the EHR

Another issue related to cybersecurity in healthcare is acknowledging the breadth of risk throughout the organization beyond the obvious electronic health record.

“All too often, we see that risk analyses only cover the electronic health record,” writes Lisa Pino, Director for Office for Civil Rights (OCR), in a recent blog post. “I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope. You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”

What to Do

Director Pino recommends that all healthcare organizations, from physician practices to hospital systems, regularly review their risk management policies and procedures, and if they haven’t done so recently, to conduct a review now in light of the increasing threat of a cyberattack. The OCR suggests the following best practices should be included:

Maintain offline, encrypted backups of data and regularly test your backups.
Conduct regular scans to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface.
Run regular patches and updates to your software and Operating Systems.
Train your employees regarding phishing and other common IT attacks.

Other best practices recommended by Kost, include:

Increase visibility. “An attack surface monitoring solution will instantly display all vulnerabilities associated with cloud solutions within a private network.”
Improve third-party security. “Almost 60% of data breaches occur via a compromised third-party vendor.”

And Jessica Guynn offered these additional tips in a recent USA Today article:

Think before you click. “Most cyberattacks start with a phishing email, which looks legitimate but isn’t and can be used to steal your passwords, Social Security number, credit card numbers and other sensitive information or to run malicious software known as malware.”
Use strong, unique passwords. “Use strong passwords and don’t reuse them. Your best bet is to subscribe to a password manager to generate and store unique passwords.”
Back up important files.
Use a VPN on public Internet.

Finally, most security experts agree that one of the most effective ways to avoid a cyberattack is to implement Multi-Factor Authentication. In fact, Kost estimates that “up to 90% of cyber attacks could be prevented with MFA enabled on endpoints and mobile devices.”

MFA is an electronic authentication method in which a user is granted access to a website or application when they offer two or more pieces of evidence, or “factors,” related to their identity. Factors are drawn from four categories:

knowledge (something only the user knows, like a password, PIN, or security question),
possession (something only the user has, like a security token, a fob, or QR-code displayed),
inherence (something only the user is, typically a biometric method like scanning a fingerprint or iris, or a behavioral biometric like a keystroke dynamic), and
location (somewhere the user is, like a connection to a specific network or a GPS signal to identify the location).