Cybersecurity Risks Accelerate During COVID-19

By: Fran Kritz

November 25, 2020

Failing to install software patches or other cybersecurity-critical upgrades continues to make the healthcare system vulnerable to attack, according to at least two reports.

In late September, the Rapid7 blog reported that the majority of Microsoft Exchange servers still had not been updated with a patch for a critical memory corruption vulnerability that had been reported earlier this year, despite warnings from Microsoft and federal security agencies. A March alert from the U.S. Department of Homeland Security warned that hackers were “actively targeting unpatched systems.” By April, 82% of the servers were not yet patched, and one in five still lacked updates eight months later.

In September, CynergisTek, a hospital cybersecurity firm, issued its third annual report, finding that fewer than half of healthcare providers conformed to protocols outlined by the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF).

For their report, analysts for CynergisTek conducted 300 assessments with providers (including hospitals and physician practices) and found that healthcare supply chain security is one of the lowest ranked areas for NIST CSF conformance. “This is a critical weakness, given that COVID-19 demonstrated just how broken the healthcare supply chain really is with providers buying PPE from unvetted suppliers,” the report said.

Reasons for noncompliance with the standards, and for failing to address other security vulnerabilities, according to the company, include poor security planning and lack of organizational focus, inadequate reporting structures and funding, confusion around priorities, lack of staff, and no clear plan.

David Finn, executive vice president of CynergisTek and a former healthcare CIO, said in an interview that healthcare security experts often understand the need for upgrades and patches, but the costs can be hard to communicate to financial administrators.

When it comes to technology, there is no ‘herd immunity,’ as any one unpatched system can shut down operations depending on where it lives in the chain of communications. The problem escalated following the rise of telework and telehealth during the COVID-19 pandemic, as people were sent home to work “with devices that may not have security protection and are being used for personal needs like a child’s homework, as well,” expanding opportunities for attack.

“Everything healthcare related, especially the patient chart, lives virtually and digitally now, and administrators haven’t quite made the leap, and we know that the ‘bad guys’ know that,” Finn said. “I think the security and digital people have not done a good job explaining the need to the COOs and CFOs to tell the story from a business perspective. It needs to be explained in the terms they understand. It has to be personal to the business.”