Persistent threats come from ransomware gangs, financial scammers and hackers backed by nation-states, current and former hospital security chiefs say.
“The logs and the graphs show, oh, man, these have ramped up, it’s hard to deny that,” said Christopher Stroud, technology manager at Great Plains Health, a hospital based in North Platte, Neb., that serves around 183,000 patients a month.
Great Plains Health normally blocks around 10,000 attempts to access its servers daily, Mr. Stroud said. After it began its first coronavirus antibody drug trials in November, it saw that number triple on average, he said. Some days, attempts have reached 70,000.
Intelligence agencies in the U.S., Canada and Europe have warned repeatedly that nation-state-backed hackers and cybercriminals are attempting to break into health-care systems to steal vaccine-related research and other data.
A former cybersecurity specialist in the U.S. Navy, Mr. Stroud sees the hallmarks of nation-state actors in some of the attacks against his hospital.
The hacking blitz comes as the health-care industry reported a bruising year of data breaches in 2020, particularly as the effects of the pandemic began to set in. Security and technology staff at hospitals suddenly had to deal with an expanded remote workforce, Covid-19 patients swamping wards and the setting up of makeshift sites for virus testing.
“It was a terrible second half of the year. It’s been some rough, rough going for health-care organizations,” said Drex DeFord, a health-care consultant for Critical Informatics Inc., a cybersecurity firm also known as CI Security. He also previously served as a chief information officer at San Diego’s Scripps Health and at the Seattle Children’s Healthcare System.
Data reported to the U.S. Department of Health and Human Services shows that almost every month last year more than 1 million people were affected by data breaches at health-care organizations.
Under the Health Insurance Portability and Accountability Act, organizations that handle patient data must report breaches involving 500 people or more to HHS within 60 days.
Hospitals and clinics cite a variety of reasons for the breaches, including improper records disposal, device theft and natural disasters. Hacking or compromised technology, however, is the primary culprit.
As the coronavirus pandemic spread last spring, health-care providers were placed in a difficult position.
Adding to the need to care for large numbers of Covid-19 patients, hospitals experienced a revenue crunch through the canceling of elective procedures because of the virus and the reallocation of resources to response efforts. The American Hospital Association estimates that between March and June, this resulted in more than $200 billion in Covid-19-related expenses and lost revenue, before accounting for government financial relief.
Hospitals were unable, or unwilling, to finance significant security projects at precisely the time they needed to, said Jared Phipps, senior vice president of world-wide sales engineering at cybersecurity vendor Sentinel Labs Inc.
Ransomware attacks, which lock up vital systems or data, are a particular scourge as downtime can threaten lives. Prosecutors in Germany, for instance, recently investigated whether a September ransomware attack on a hospital in Düsseldorf contributed to a woman’s death, after she had to be diverted to another facility for emergency care because of the incident.
The Justice Department on Jan. 27 said that it had coordinated with international law-enforcement agencies to disrupt a group responsible for ransomware known as NetWalker that had targeted hospitals.
Health-care providers often use a patchwork of systems from third parties rather than their own technology, which exposes them to supply-chain risks, said Terry Ray, senior vice president and fellow at cybersecurity firm Imperva Inc.
A ransomware attack early last year at Blackbaud Inc., which provides cloud services to hospitals, schools and other nonprofits, compromised the data of hundreds of customers. In September, medical facilities reported to HHS that nearly 10 million individuals had their information breached. At least 46 have cited the Blackbaud episode in letters to state regulators.
“When that happens, unfortunately, the health-care organization winds up on the wall of shame, not the vendor,” said Mr. DeFord of Critical Informatics.
A spokesperson for Blackbaud said the company regrets the incident. “We have already implemented changes to prevent this specific issue from happening again,” the representative said.
Some hospitals have tolerated lax security measures for too long, said Austin Berglas, global head of professional services at cybersecurity business BlueVoyant LLC and a former cybersecurity specialist with the Federal Bureau of Investigation.
Health-care organizations often neglect cybersecurity basics, such as using two-factor authentication and running the latest operating systems, he said. He has seen some hospitals leave sensitive information on unprotected servers, as cybersecurity isn’t seen as a priority and doesn’t always receive enough funding.
Internet-connected devices at hospitals also bring risks because they sometimes aren’t designed with security in mind, he said. “We’re not even asking the adversary to bring their A-game to break in there,” he said.
For Mr. Stroud of Great Plains Health, the risks aren’t theoretical, but personal. The hospital was the victim of a ransomware attack in November 2019, and while he said it didn’t have to turn patients away and managed to recover quickly, the experience showed him that a lack of investment in cybersecurity in the health-care sector can lead to disaster.
“I work for the hospital that I go to, that my parents go to, and that my kids go to. And so you really want best-of-breed [technology] everywhere you go because at the end of the day,” he said, “it could be you in that bed.”