
Hospitals Are Cyber Criminals’ Newest, Biggest Target


Cyber attacks on hospitals and healthcare providers have become a regular occurrence. On Feb. 1, it was Easton Hospital in Easton, Pennsylvania. On Feb. 4, it was the Catawba Valley Medical Center in Hickory, North Carolina. On Feb. 20, it was the Cabrini Hospital in Melbourne, Australia.

As more and more hospitals suffer ransomware attacks, cybersecurity experts say the healthcare industry must up its cyber game before their patients suffer the consequences. Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, told InsideSources that hospitals are experiencing up to 70 percent of all ransomware attacks.

They’re an easy target, he said, because when hackers hold health records and sensitive patient data hostage, hospitals have no choice but to pay the ransom. Refusing to pay means patients could lose control over their personal health information (PHI), or worse, have life-saving surgeries postponed.

In 2017, North Korean hackers used a “WannaCry” ransomware attack on Great Britain’s National Health Service, which resulted in canceled operations and delayed medical appointments.

According to a July 2018 Maturitas study, electronic health records (EHR) and individual medical devices (like pacemakers) are highly vulnerable to cybercrime. The study concludes that “cybersecurity is critical to patient safety, yet has historically been lax,” and the industry may need regulation to make cybersecurity “an integral part of patient safety.”

Digitized medical devices for patients, in particular, can pose a serious cyber risk to patients’ health.

“One of my nephews has diabetes and he has Wi-Fi connected insulin pumps and can control it from his phone, and when he goes to the doctor, the doctor can download the data,” Madnick told InsideSources.

Part of the problem lies in the healthcare supply chain. Hospitals almost never focus on cybersecurity as a top priority, so when they order new equipment — which is increasingly digitized and connected to the cloud — they don’t necessarily ensure the equipment hasn’t been tampered with or ensure it isn’t susceptible to malware.

“When it comes to buying a new MRI machine or a new firewall, it’s easy to understand where the emotions lie. They’re not thinking about putting their patients at risk,” Madnick said.

Suppliers are to blame as well, he said. As technology advances rapidly, the priority for a healthcare supplier is to develop new, affordable equipment and get it to market as quickly as possible and thus solidify its place as the primary supplier.

But another major contributor to cyber vulnerability is the decentralized nature of the healthcare system. The industry is increasingly specialized, so there’s not always an incentive for cardiologists to talk to a neurologist about cyber concerns with regard to medical equipment and computers. Because many departments may not talk to each other, developing a bird’s eye view of the cyber ecosystem within any particular hospital is difficult.

“A lot of the clout rides in the practices, so there isn’t a good way to rally people together,” Madnick said. “You go to the head of cardiology and say, we want to take some of your budget and invest in cybersecurity instead of a new MRI machine, and that’s not an easy sell.”

A February 2017 Technology and Health Care study pointed out that hospitals are notoriously slow to update their technology, and as a result, do not “keep up with the [cyber] threats.” As hospitals race to modernize with new equipment and devices from healthcare startups, many don’t even realize the risks they’re taking.

To meet the need, more and more cybersecurity startups specialize in the healthcare industry. For example, ClearDATA provides information security for healthcare providers, ID Experts helps the industry combat fraud, Protenus monitors a patient’s EHR for suspicious activity and issues alerts, and Senrio offers cybersecurity services for medical devices.

As of 2018, there are more than 125 startups specializing in healthcare cybersecurity across the U.S. and Canada. But changes won’t happen overnight for an industry not known for its tech-savvy.

“Hospitals are beginning to respond,” Madnick said. “Two to three years ago, this wasn’t on their radar.”

Follow Kate on Twitter

Last-Minute Christmas Shopping? Watch Out For Fakes And Frauds

As e-commerce sales continue to skyrocket, more and more consumers are turning to the internet to get through the bulk of their Christmas shopping.

But the more popular e-commerce has become, the more susceptible online shoppers are to cyberattacks, fakes and frauds.

In fact, according to the 2018 Holiday Threat Report from Carbon Black, a cybersecurity company, cyberattacks are expected to spike 60 percent through the holiday shopping season this year.

“During the holiday season, there is often a ton of noise in the online world and attackers do everything they can to take advantage of that,” said Tom Kellermann, Carbon Black’s Chief Cybersecurity Officer, according to the report.

Based on past data, online shoppers should be on guard until New Year’s. There are two big spikes in online shopping around the holidays: the first starts on Black Friday and continues until Christmas Day, and the second begins shortly after Christmas Day until right before New Year’s Day as online shoppers race to nab the post-Christmas sale deals.

Cybersecurity experts say to expect a spike in cybercrime at the same time.

Furthermore, fakes and frauds are infiltrating e-commerce sites like Amazon and eBay at an alarmingly rapid rate, and no one wants to buy Dad fake leather gloves advertised as “real leather Made in Italy” for Christmas.

So how do you stay safe? Here are a few reliable tips and tricks recommended by cybersecurity companies and blogs:

1. Be wary of seemingly amazing email deals — and don’t click on the links.

According to Carbon Black and Sothis, an information technology (IT) and research company, the holiday shopping season is primetime for phishing campaigns. That eBay item you’re thinking of buying for your mom? The seller probably didn’t just drop the price by 50 percent — so double check who the sender is, and check the listing before you click the email link.

Bottom line: if the “sale” or “bargain” seems too good to be true, then it probably is.

2. Speaking of email links, be careful with tracking updates.

With so much online shopping, you’re probably trying to make sure all your packages arrive safely and on time. You’ve probably signed up for email alerts with tracking information — and maybe text messages too, if you’re really paranoid. But hackers know you’re paranoid, too, and they might send you fake emails with false tracking info and steal your personal data.

Again, double check the sender, and if you see any weird typos in the email address, subject line, etc., then just don’t open the email or click on any links in the email.

3. Shop from tried-and-true sellers.

If you like to hunt for deals on Amazon, eBay or Etsy, make sure you’re buying from a real seller. Christmas is when hackers pose as sellers to steal your data and banking or credit card info or send you fakes, so check and double check who you’re buying from.

Does the seller have good reviews? Is it the right brand? Check the comments too — usually other scammed shoppers will warn future shoppers against buying from a certain seller.

4. Prioritize shopping from websites with “https” in the domain.

Believe it or not, “https” is more secure than “http.” That doesn’t mean you’re guaranteed to be scammed at a website with an “http” domain, but it does mean it’s more likely.

5. Check your bank account periodically.

If you’re buying a lot of items online, it’s wise to check your bank account periodically just to make sure you’re being charged the right amounts for items and haven’t opened the door to a cyber thief.

6. Don’t shop over public Wi-Fi networks.

For many, this is already a no-brainer, but plenty of people still use public Wi-Fi networks, so it’s worth a warning. Your computer isn’t secure when it is logged onto a public Wi-Fi network using the WPA2 encryption standard, so completing financial transactions on such a public network is extremely unsafe.

This is because, as CSO Online explains, hackers are able to intercept the traffic between you and your connection point — in this case, an e-commerce website — and so instead of sending your credit card info to a perfectly reputable Amazon seller, you’re actually sending it straight to the hacker.

So, don’t do it. Shop at home.


Federal Agencies Are Woefully Unprepared for Cyberattacks, Experts Say

The Federal Communications Commission’s (FCC) recent “cyberattack” fiasco doesn’t surprise experts, given how terribly prepared they think smaller federal agencies are for most cyberattacks.

Large private sector companies routinely grapple with cybersecurity and fending off cybercrime, so for smaller federal agencies that may not have the resources to outsource cybersecurity to federal contractors — especially independent agencies like the FCC, the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), the Federal Election Commission (FEC), the Social Security Administration (SSA) and the Environmental Protection Agency (EPA) — cybersecurity is a major, constant struggle.

A recent Tenable survey of 2,100 organizations found that only 48 percent have semi-adequate to adequate cybersecurity measures in place, while 33 percent do the bare minimum.

On Tuesday, the House passed bipartisan legislation that would establish the Continuous Diagnostics Mitigation division within the Department of Homeland Security, which would endeavor to protect federal agencies from cyberattacks.

Part of the problem, according to Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, is that organizations tend to have the wrong focus in cybersecurity.

“Most organizations are focused on trying to prevent cybercrime, but resistance is futile,” he told InsideSources. “You can try to prevent as hard as you can, and that will make you less of a low-hanging fruit, but anyone who is diligently trying will find a way to work around. Most organizations, private or public, are pouring 90 percent of their energy into the prevention side.”

Trying to prevent cyberattacks, Madnick says, is a waste of time, because you’ll be attacked regardless.

“My sense is people are not very well prepared for a variety of reasons, because people think of being prepared in terms of what they’ve experienced in the past,” he said. “The problem with cyberattacks is they’re always something you’ve never seen before. Both private and public tend to be very poorly prepared. Most people, when a problem occurs, they kind of scurry to try to deal with it.”

The deck is stacked against most organizations: according to an August Malwarebytes study, 10 percent of cybersecurity professionals are engaged in “Black Hat” activity and 50 percent know or have known someone engaged in “Black Hat” activity.

This is especially alarming for federal agencies handling sensitive information. Because cybercrime is such a lucrative business for many cybersecurity professionals, it is now harder to trust whoever is handling your cybersecurity.

Furthermore, Madnick said 50 percent of organizations that have experienced a cyberattack don’t know they’ve been attacked, which adds to the confusion and explains why some — like the FCC and DNC — jumped to conclusions as soon as they noticed anything remotely off.

Madnick has experience with state government and local government information technology (IT) systems, and said most government entities’ resources and funding for cybersecurity is “relatively minimal,” which is especially concerning ahead of midterms.

Despite the mad dash to improve elections security this year, Madnick doubts federal, state and local governments have done enough, based on how outdated their IT systems are.

“That’s a very scary system because it involves local authorities, state authorities, federal authorities, and I suspect none of them have put in the time and energy needed,” he said, despite the news coverage.

Large federal agencies suffer cyberattacks but have more resources and better cybersecurity measures in place to handle them. Smaller federal agencies, on the other hand, are “ripe to be pilfered with.” Some may regularly experience attacks without even realizing it.

“There was a report that the Department of Energy had been attacked 20-some times in the past year,” Madnick said. “Not all the attacks were successful, but they were information-gathering attacks, a lot of their internal documents were being stolen.”

The Center for Strategic and International Studies’ (CSIS) Vice President James Lewis — an expert in cybersecurity who previously worked for the Commerce and State Departments — said cybersecurity has “been a struggle since the first computer was installed” in federal agencies.

“The intelligence agencies and the military do an 80 percent job, anybody else is catch as catch can,” he told InsideSources. “Agencies don’t want to give up their independence, so we have a lot of agencies that just don’t have the resources or the people, and that’s a guaranteed vulnerability. Bigger agencies do better, like the Treasury, Department of Justice (DOJ), Department of Defense (DOD), but not all of them.”

Lewis thinks the biggest problem for the smaller, independent agencies is their size and the fact that they tend to handle cybersecurity in-house.

“They really need to outsource a lot of these functions either to another agency or the private sector,” he said. “That’s kind of a budget thing but also a strategy thing.”

Some agencies may need bigger budgets, but Lewis also said some agencies may not be able to outsource simply because of the nature of their authorization. Many agencies aren’t permitted to outsource much of their data simply because it is so sensitive.

“The ways the laws were written 30 years ago require an agency to maintain some control of data storage,” Lewis said. “The federal government’s guidelines for agencies to move data into the cloud is 1400 pages long, and that’s a problem right there, you have a rulebook that’s so complicated no one can figure it out.”

FedRAMP, which helps an agency transfer its data to the cloud, requires a lengthy authorization process that may be burdensome for small, independent agencies.

For some agencies, then, amending existing regulations regarding how they handle their data could allow them to pursue better cybersecurity measures.

“If you’re supposed to safeguard people’s data, you have to think about when you move it to a cloud service provider. It’s not impossible, but it does take money and thought,” Lewis said. “You have to have someone to manage these contracts. You have privacy concerns. The old thing was, I’m an agency, I have data, I put it in a file and it’s safe. When they moved that over to the digital mindset, it becomes, do I want to move that outside of my own agency boundaries.”

In the meantime, Madnick said all organizations need to rethink cybersecurity and be more proactive about regular screenings, because getting attacked is inevitable. The severity of an attack, however, can be mitigated.

“You need to start backwards, and say what it is that you don’t want to go wrong,” Madnick said. “And what mechanism can you put in place to make sure that doesn’t happen or minimize how much damage it can do. I don’t think most organizations are doing that, because it’s not normal. I think we have this naive assumption that if we prevent enough we won’t have to prepare. I do think we can do a heck of a lot better job in preparations.”
