Todd Shryock, contributing author
With institutions focused on COVID, hackers see the distraction as an opportunity
With much of the nation’s health care infrastructure focused on COVID, the world’s hackers sense an opportunity. Cyberattacks are increasing, forcing hospitals and health care providers to divert precious resources to boosting security.
Medical Economics spoke with Matt Gyde, CEO of NTT Ltd. Security Division, to discuss cybersecurity in healthcare, and how cybercriminals are using the pandemic to go after vulnerable facilities.
Editor’s note: The transcript has been edited for clarity and brevity.
Medical Economics: Why has there been a recent increase in the number of cyberattacks directed at health care institutions?
Gyde: Different parts of the world have reacted differently to COVID-19, but a lot of what we saw was people starting to work from home. Many organizations globally had work-from-home policies, but not for the whole organization. What we saw in the medical profession was an uptick in terms of the attacks that we were seeing against hospitals and facilities. And I think one of the main reasons for that, obviously, is COVID-19 has sort of brought a lot of pressure onto the health care infrastructure as a whole. When there's pressure and it is focused on other areas, it's generally an opportunity for the cyber bad people out there.
Now, more and more of the devices in our environment are connected to the internet. That also opened a huge opportunity for the cyber criminals. We published our global threat intelligence report in May, and one of the key points is that the Internet of Things is being weaponized. So we're really seeing that as we're making our lives easier by having everything connected. We're also opening up to the abilities of the cyber criminals.
Medical Economics: Is there a particular size or type of healthcare target that strong the most attention from these hackers?
Gyde: We've seen one of everything, essentially, if not more. It's a bit scary there. There is no, “you're a big facility, we’ll go after you,” or “you're a small one.” We operate on a global basis, so we're present in 58 countries and we've seen small hospitals with maybe 10 beds being attractive, right up to the top end the large healthcare facilities being under attack. So there's been no delineation, no focus on a particular segment. I think that's part of what we see with this cybercriminal community. There's obviously nation states, then it goes to the next level where people are looking to make money, right down to individuals who are just trying to test out their skill with [hacker] tool sets. There has been no specific focus, though, on large or small.
Medical Economics: It sounds like these hackers are anything from large organized crime down to just individuals. Who are they and what are they ultimately after?
Gyde: Each group is after something different. So, you know, from a lot of research going on at the moment around trying to find a solution to COVID—how do we immunize against it or is there a piece of medicine that can help solve the problem? So obviously, some groups are going after intellectual property, to see if they can get a step ahead without having to do the work. A lot of the cybercriminals are going after money right now. So if you've got a critical piece of infrastructure within your hospital, maybe it's an X-ray machine, maybe it's an MRI, that they can get ahold of and put some ransomware on it, the facility can't use it any longer, and potentially be in a position where they either scrap the machine or pay a ransom. Then you get down to the individuals who are just trying to test out their skills. What we've seen is a lot of variants in terms of the malware that have been used to attack at the moment. We've got a core group of malware that people are adding additional code onto, and so it's unfortunate.
Medical Economics: What about individual doctors’ offices? Are they at risk more now than they were before?
Gyde: I don't think so. I mean, they're always at risk, right? If you're holding any type of records on an individual, and part of the HIPAA framework is to provide protection for digital records of individuals, so no more than previously. But probably what they are seeing right now is an increased volume of those attacks that are coming. So more and more emails coming in to the organization or to the doctor, telling them about what a wonderful prize they've won. And there's a couple of million dollars sitting in a bank account, we just need you to give us $100,000 to release it. I mean, yeah, the age old statement, if it's too good to be true, that's not true. That's just the one thing to keep an eye on. And once again, that comes down to the doctors. I'm sure all of them are very busy and have the volume of business that has increased, and in terms of the volume of communication that has increased, so the more you are having to do and review, the more it is up to making human mistakes. I would say the threat is no more than it was previously, but that they have to be much more rigorous in terms of how they use information, email, and the various content pieces that they use.
Medical Economics: How are hackers getting into health care systems? What are their favorite tactics?
Gyde: It's still sending an email to an individual and that person clicks the link. Then [the hackers] put a piece of malware on the infrastructure. Now, the interesting thing about malware, and going back to that Global Threat Intelligence report, is we're actually seeing a lot more use of machine learning and artificial intelligence. So essentially, when you get a piece of malware on your infrastructure, it needs to call back to a central computer or some sort of infrastructure to get instructions in terms of, “what do you want me to do next?” We're seeing a lot more of that. So it used to be the human that would have to then say, OK, move this way, or do this or that, attack that machine. But now, what we're seeing is a lot of those decisions are being made by algorithms—so essentially machine learning. The sophistication behind it is incredible. If you look at a lot of this infrastructure that gets built, it's short term. So they'll spin things up and turn them off when they need to. But a lot of it's being done by machines. It's like having a corporate infrastructure only for the cybercriminals. Now they can go onto the dark web, acquire a piece of malware, and they can actually call a phone number in many cases and get technical support in terms of how to use that piece of malware. So it's a bit scary. They're running a business essentially.
Medical Economics: What can be done to stop these attacks, especially if an organization lacks funding for extra IT help?
Gyde: You have people and process as the key things and technology is the third component of that. In terms of the people, it’s absolutely essential that you're continuously updating people, giving them information that they can consume. Now, that's up to the individual to read that information, but education about cyberspace is absolutely critical right now. And it's incumbent on every employee that they're aware of what they're doing and what they're clicking on. Just because you get a special email that's personalized doesn't mean that you're going to get [what it promises]. So education is number one. For me, process is probably the second most important. There's a whole bunch of different security frameworks. So depending on what environment you're operating in, how you want to align the framework so critical, This is how I'm going to secure it, and I'm aligning to whatever's best for my industry. Then the technology piece is ensuring that your technology is patched. We are 30 or 35 years into having technology and we've still got systems that are unpatched. The main reason patches get released is to upgrade the security and the performance of that particular device. So it’s absolutely essential that we keep what we've got patched.
And the other piece that I would add in there is an incident is going to happen. You can have the most expensive technology, processes, and people on the planet, but people are still going to find ways through as technology is complex. Be in a position that you've either partnered with someone or you've got the resources internally to respond to an incident. We have many healthcare facilities, for instance, that would run fire drills. This is how we evacuate everybody. This is where we expect you to go. The question I would ask back, do you do that with technology in that environment? And the majority of the answers to that would be, no, we don't, because we haven't been in a position to. But doing fire drills around your technology, gives people the understanding that if we are breached, this is the reaction we need to take. These are the authorities that we need to identify and here's the partner we're going to get to come and help us contain this.
Medical Economics: If an organization doesn't have a lot of sophistication or maybe doesn't have the professional help on staff suspects a breach, what should they do until they can get a professional in there to look?
Gyde: A lot of the times, this malware is so sophisticated that you don't know it until it actually reacts or does something. So, obviously, you're going to see a piece of ransomware that locks a machine out, you can no longer get access to it. My view is that you should immediately notify authorities. It's important that your local government bodies—the police, to the federal government type institutions— are notified because they have plans in place that more often than not have seen these things before and can give you short-term advice. It's a bit of an insurance model, in terms of having a retainer in place for a third party to come in and help you. There's many companies like NTT that do that, for instance. Generally, those sorts of contracts have a timeframe around them, whether it's minutes, hours, days, in terms of response time. A lot of the response to ransomware incidents right now can be done remotely. So my strong piece of advice is to have a third party that specializes in this area and can respond in a very short timeframe and help you through that process. Obviously, having done a fire drill, makes it easier, right? It's not panic. It's “OK, we knew this was going to happen. These are the three steps that we've got to have.” Having that documented would be absolutely critical as well.
Medical Economics: For ransomware, if hackers already have your files, should you pay the ransom?
Gyde: Ransomware is generally going to lock a device down so you can't access it. My view on it is, no, you shouldn't pay the ransom. I think that just encourages people to try again and potentially get some more money. But that's from me in a non-critical situation. We'll go back to that comment I made earlier about an MRI. If you've got a critical patient that needs to get an MRI and suddenly your MRI machine is locked down and you can't access it, and this person needs to have something done, you're going to be in a very different situation. I think what we are seeing is that many companies are putting policies in behind this, to say if this does happen, this will be our reaction to it, but secondly, how we'll approach it. My view is that you should inform the authorities immediately. It's very dependent on the situation. We are seeing more ransoms being paid in order to get control back of their machines that they previously had, but that doesn't necessarily mean that I agree with it. But I'm not in that situation where I’ve got a patient that I need to do something with and I can't use the machine.
Medical Economics: What do you see for the future of cybersecurity in health care? Will the number and sophistication of these attacks just continue to grow?
Gyde: I think so. The general trend that we've seen, not just in health care but across all the industries, is that attacks are increasing. The attackers are becoming more sophisticated. They're partnering much better than some of the technology players in cybersecurity. There's money there, right? So people are making large sums of money here and reinvesting it back into that infrastructure. So yes, the attacks I believe are going to increase, they are going to become more sophisticated. And you know, they're going to be going after the same things, so essentially intellectual properties, people's details, and money.