A recent attack against U.S. Health and Human Services is a lesson to us all to better manage cyber risk in a healthcare environment
According to Bloomberg, the U.S. Health and Human Services (HHS) Department suffered a cyberattack on Sunday night that appears to have been purposely intended to disrupt its computer systems, and thus an attempt to undermine HHS’ response to the coronavirus pandemic gripping the country. The attack, which occurred just before midnight, involved overloading HHS servers with millions of hits over several hours and may have been an attempted distributed denial of service (DDoS) attack. Initial investigations appear to suggest that the attack may have been the work of a foreign actor. A number of news outlets are pointing the finger towards Russia, but it may take weeks or even months of forensic investigation before the cyberattack can be accurately attributed.
During a healthcare crisis and a huge influx of sick patients, the resiliency of hospital and clinic IT systems becomes even more important to ensure patient survivability. Recognizing this, and with an expected escalation of threats during a national crisis, HHS had recently implemented an expanded risk-based approach to cybersecurity assessment of threats, vulnerabilities, and controls.
“HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities,” said Caitlin Oakley, a spokeswoman for HHS.
While this ‘risk-based’ approach to cybersecurity worked in HHS' favor to protect it from a cyberattack and to keep critical services up and running, most health systems are not so lucky. Many are still following a ‘controls-based’ approach to security, ignorant of the actual cyber-risks in their hospitals and clinics from devices they may think are safe from attack, but in fact have never been tested or even profiled—let alone risk-assessed.
According to an investigation conducted by Cylera last year, more than 90% of US hospitals and clinics do not have a current and accurate inventory of all IT and IoT assets that connect to their networks. This includes not only workstations and servers, but also BYOD devices like personal phones and tablets, network connected building management systems that control elevators and air conditioning, and a rapidly growing number of medical devices—many of which are managed by third-party vendors and have never been patched.
"When your patients are relying upon you to provide medical services and to possibly keep them alive through a pandemic, five, six, or seven nines availability* is an absolute must," said Richard Staynings, Chief Security Strategist with Cylera and former HIMSS and AEHIS cybersecurity expert. "The last thing you want is for one of your un-assessed healthcare IoT devices to take down an entire hospital building or even a floor of your clinic. The availability of health IT and IoT systems is critical to the way we treat patients in today’s digital healthcare service no matter where you live or where you go to seek treatment or to get help with breathing," he added.
Automated tools like Cylera MedCommand™ make extensive use of AI and ML to thoroughly risk-assess connected medical and other IoT devices so you can understand risks and implement compensating security controls before something bad happens.
MedCommand™ provides clinical engineering and information security teams with a unified solution to manage, secure, and optimize the entire connected HIoT environment including medical devices, enterprise IoT, and operational technology.
Cylera has partnered with leading healthcare providers, experts, and peers to develop one of the most comprehensive and integrated HIoT security solutions available for healthcare.
* Five nines availability indicates the expected uptime of a system, or 99.999% availability (roughly 5 minutes downtime per year). Similarly, seven nines would be 99.99999% uptime equating to 3.16 seconds downtime per year.