First and foremost, I would like to express my thanks and gratitude to all healthcare staff on the frontlines, be it the physicians and nurses caring for patients or technical staff maintaining equipment1 and information technology (IT) infrastructure. This has been a challenge very few of us have experienced in our lifetime. As I am writing this column in early April, I am very well aware that by the time it is published, we will have been through much worse.
But this being a cybersecurity column, I wanted to specifically look at how COVID-19 has affected and, in the future, will affect cybersecurity.
For one, our crisis is the attackers' opportunity—be it from political or financial motivation. Some are specific attacks exploiting the current situation; others are general trends that get exacerbated by it.
We have seen an onslaught of social engineering attacks via fake websites, malicious apps, phishing emails, and text messages preying on users' desire to stay informed, as well as exploiting their lowered guard in a time of crisis. Both the Federal Bureau of Investigation2 and Cybersecurity and Infrastructure Security Agency (Department of Homeland Security)3 issued detailed warnings about these types of attacks.
Even though some hackers have pledged not to attack healthcare organizations during the crisis,4,5 direct attacks, targeted or opportunistic, on biotech firms6 and healthcare delivery organizations have continued, thereby hampering health professionals' ability to advance research,7 conduct testing,8 or simply care for patients.9
We have seen a number of, presumably, politically motivated cyberattacks on public health organizations such as the World Health Organization10 and the Department of Health & Human Services,11 as well as hospitals.
Shifting large parts of our workforce to a work-from-home model, including healthcare administrative staff, exposes the vulnerabilities of the underlying public IT infrastructure and tools used,12 and creates a huge attack surface of devices that were hastily deployed and are opening the door to security compromises.13
Specifically, as healthcare providers try to comply with social-distancing guidelines, everybody from mental health counselors to primary care physicians is offering telehealth services, taking advantage of the fact that the Office for Civil Rights will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under Health Insurance Portability and Accountability Act rules.14
Last, we are deploying desperately needed new healthcare infrastructure, be it in temporary structures or converted public buildings. As this infrastructure, including IT and connectivity, is deployed, we may not be able to maintain the required security standards, therefore increasing the risk of cyber compromise. Or, in cases of “bare bones” care facilities without IT connectivity, temporary testing sites, and the like, care providers will rely on mobile devices and public networks to access patient information and to communicate.
In a sense, the situation we find ourselves in is a cumulation of many complex risk tradeoffs. We need to rapidly expand our care delivery capacity and shift to new models of care to reduce infection risk to providers and patients. Clearly, this is the single most important objective right now, and we need to accept the fact that as we do so, we are increasing our cyber risks. Right now, we really don't have a choice; it is as simple as that.
We have the option to maximize our defenses or even go on the offensive,15 but considering the circumstances, our ability to focus on cybersecurity is limited. As the saying goes, you go to war with the cybersecurity you got—the war has begun, and it is exposing systemic weaknesses that we don't have time to address right now.
Rapid development and deployment of sorely needed medical devices invites vulnerabilities, though many of these crisis-targeted devices are much simpler than their traditional brethren16 and may not even be network connected or software based.
The general heightened level of activity and focus on the medical crisis will lead to lower defenses. For example, simply from being distracted, human error is more likely (e.g., falling for a phishing email, not properly putting up a network firewall). New and more complex information-sharing requirements will require an improvised approach and we may use means of electronic communication that we otherwise would prefer not to—and as a result, mistakes will happen.17 And if you feel you need to post a photo of your crazy busy hospital on social media, or if the local television station shows up, please remove those password stickers from your monitors.
Furthermore, now more than ever, we are living amidst the convergence of physical security and cybersecurity. Devices are more exposed, devices get handled by many more people, networks get deployed hastily, telehealth and work-from-home infrastructures get deployed rapidly. In short, traditional boundaries and controls are no longer present, thereby creating opportunities for adversaries to take advantage.
The need for information, both among health professionals and the general public, is an opportunity for disinformation, misinformation, and traps (e.g., fake websites). That is the human side of the attack surface, and we already are seeing it being exploited as well (e.g., by a malicious website mimicking the Johns Hopkins disease tracker18).
We live in scary times, indeed. Healthcare workers have been carrying the brunt of this crisis. Yet, we need to admit that we have let them down and that our lack of preparedness, proper crisis management, and availability of emergency equipment (from personal protective equipment to ventilators) has made the situation worse than it needed to be. Let's make sure that history does not repeat itself and that we learn from this experience—certainly from an infectious disease and public health perspective, but also from a cybersecurity perspective.
“We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”
—Roger Severino, director of the Office for Civil Rights of the Department of Health & Human Services in Washington, DC
In my opinion, here are the key changes we need to make once we are past this crisis (again, from a cybersecurity perspective—certainly, we will need to learn much more from this):
Surge preparedness. We need a better stockpile of emergency medical equipment, including software-based medical devices. These devices need to be proactively secured. It is not very practical or feasible to maintain the cybersecurity posture of warehoused devices, and we won't have the time to patch them when we need to deploy them in the next crisis.
Equipment management and tracking. This follows the previous point: Once warehoused equipment is deployed, it is essential to track it and monitor its state from both a maintenance and a cybersecurity perspective. Where are the devices, how are they being networked, are they secure, and are they being attacked or compromised? This should be provided as out-of-the-box functionality and should not be something we build in hindsight once we start deploying.
New use cases. Any future surge will include a significant telehealth and home care component. Under COVID-19, we have already seen an increase in telehealth offerings,19,20 but that mostly relied on standard systems, such as laptops, tablets, and smartphones, rather than actual home-based medical devices. The move toward home and telehealth started a few years ago, and I believe the experience of the current pandemic will significantly accelerate the trend. We will place more devices and, more importantly, more care-critical devices, into patients' homes. These devices, as they are running in the home and over the public network, need to be much better secured and monitored than today's hospital-based devices. We need to ensure data confidentiality, integrity, and proper device and user authentication for this new type of device, as they are not easily accessible for security-related configuration changes and patch deployment.
Industry evolution. We will evolve from this crisis as a changed industry. Financial and staffing challenges will continue to drive hospital and service consolidation and the need for efficiency improvements, which will include further digitalization, including the integration of medical devices. This will require that these devices meet the security requirements of this new target environment.
Economic recovery. Last, and admittedly somewhat speculatively, there is a good chance that to address the financial and infrastructure challenges of the healthcare industry, as discussed above, and to help with economic recovery and job growth, governments will release stimulus packages akin to the American Recovery and Reinvestment Act of 2009 (ARRA). And similar to ARRA, it would be reasonable to expect that these funds would be tied to requirements related to cybersecurity.
COVID-19 has exposed the financial, care delivery, capacity, logistical, planning, and preparedness shortcomings of our healthcare and public health system. I believe we will emerge from this crisis bruised but with the opportunity to improve. We have the opportunity to learn from this, and this learning should, among many things, also lead to a better and proactive approach to cybersecurity.
“The end of the COVID-19 coronavirus crisis will mark the beginning of a new day in healthcare.”
—Jonathan Manis, senior vice president and chief information officer of CHRISTUS Health in Irving, Texas