The COVID-19 pandemic threatens the healthcare industry in multiple ways. Much has been written about the danger to nurses and doctors and the perilous economic realities providers face. Just as risky but less discussed are cyberattacks in the middle of an overwhelming cybersecurity emergency.
Hackers have increasingly targeted healthcare institutions in recent years, and the gravity of the present moment hasn’t slowed them down at all. The World Health Organization (WHO), the Department of Health and Human Services (HHS), and one of the largest coronavirus testing facilities in the Czech Republic have all been successfully attacked in recent weeks. Ever ruthless, hackers see right now as a golden opportunity to target vulnerable (and valuable) healthcare organizations.
That should alarm anyone handling healthcare cybersecurity because while there’s never a good time for an attack, there’s never been a worse time than the present. With clinics and hospitals facing an all-hands-on-deck scenario where resources are stretched incredibly thin, adding IT issues to the mix could make it much harder or even impossible to deliver care. For patients, providers, and administrators alike, healthcare cyberattacks put the whole system in jeopardy.
Acknowledging the size of the risk is the first priority. Breaking down the most likely attacks is the second. According to our own research, nearly a quarter of consumers believe their healthcare provider lacks adequate security against web browser attacks and healthcare phishing schemes. Unfortunately, they’re right – and hackers know it too.
Like all industries, healthcare must guard against a wide range of cyberattacks, but with limited resources to go around (in good times and in bad), healthcare organizations need to focus on the most common and consequential threats.
Browser-based attacks affect healthcare to a higher degree because the industry continues to rely on Internet Explorer as the default browser. But even Microsoft calls IE a “compatibility solution” rather than a browser, in large part because it doesn’t support new web standards for things like security. By choosing to use something woefully inadequate, healthcare organizations make strong browser security unattainable and expose themselves to attacks like drive-by downloads and Adobe Flash exploits.
Healthcare phishing attacks are similarly frequent and frustrating. In the last 12 months, these constituted 30% of the cyberattacks directed at health institutions. Now, Google reports seeing 18 million additional phishing/malware emails daily trying to exploit COVID-19 in some way. Phishing schemes leverage fear, confusion, and panic to trick recipients (even tech-savvy ones), so they’re an especially potent strategy during a pandemic.
Browser-based and phishing attacks can both unleash the worst attacks in a hacker’s arsenal: trojans, downloaders, ransomware, and more. And when successful, those attacks can lead to severe data loss or critical applications going offline at a time when healthcare absolutely requires effective IT. Cybersecurity may not feel like the most urgent or immediate healthcare threat right now. But it’s one that no one can afford to ignore.
Hospitals need effective defenses against browser-based attacks and phishing schemes. But those cyber defenses must be easy to implement, automated, and largely hands-free to meet the needs of overworked and under-resourced healthcare IT departments operating with the same urgency and sense of purpose as their colleagues on the front lines of the pandemic.
Moving target defense meets all those criteria. It morphs the application memory so that when hackers think they’re tapping into critical data or controls, they’re actually targeting a trap that neutralizes the attack. It works like a second (or last) line of defense behind traditional antivirus monitors and spam email filters. Should one of those defenses fail – which becomes vastly more likely when, like now, hackers increase the frequency and sophistication of attacks on human targets who are too distracted to be alert – moving target defense essentially shuts down the attack before it has any negative consequences.
Paired with traditional antivirus software, which protects against file-based malware, moving target defense significantly reduces the likelihood of a successful attack. And, crucially, it does so without requiring extensive or ongoing input from the IT team, freeing them up to focus on whatever the pandemic response requires.
Though COVID-19 feels unprecedented in many ways, healthcare cybersecurity was a problem before the pandemic, and it will continue to be afterwards. Ransomware attacks on hospitals and healthcare companies rose by 60% between 2018 and 2019 – totals likely to be eclipsed by the end of 2020. Moving target defense may not be able to decrease the number of attacks, unfortunately, but it can make those attacks irrelevant. Implementing this technology now helps organizations persevere during the pandemic and come out even stronger on the other side.