It is time to protect our frontline institutions from cyber attacks

As the world’s healthcare professionals and volunteers continue to engage with the unrelenting toll of COVID-19, their efforts are being impaired by another unseen foe: malicious hackers. The bad guys online are not just surviving in the chaos and confusion caused by COVID-19, they are thriving. Government agencies, multinational organizations and private security companies around the world are noting the serious uptick in malicious cyber activity exploiting the pandemic, and the healthcare sector is not being spared. It is time to take action to help medical facilities secure their networks as we provide relief to state and local government.

What is most concerning is that not all malicious cyber-attacks against the healthcare sector appear to be cyber criminals looking for a quick ransomware payday. Beginning in March, the Czech Republic has faced a series of serious attacks against its healthcare sector, at least some of them with indications they could be perpetrated by a state-sponsored adversary. This threat is so severe that the U.S. State Department felt it necessary to issue a terse warning to the unnamed threat actor responsible for the attacks. Australia has also condemned those actions with their Ambassador for Cyber Affairs stating “We call on all countries to cease immediately any cyber activity inconsistent with their international commitments.”

This is not an isolated incident. As early  as mid-March, Canada’s Centre for Cybersecurity issued an alert that sophisticated threat actors may target various sections of their healthcare sector to gain unauthorized access to intellectual property and research and development related to COVID-19. Since then, numerous state government agencies and international organizations have posted advisories related to advanced persistent threat (APT) groups targeting various types of healthcare organizations globally.

Around the world, overburdened healthcare sectors whose resources are stretched to the limit have found themselves targeted by increasingly sophisticated phishing, password spraying and ransomware attacks piggybacking off of COVID-19. These cyber-attacks are degrading critical healthcare services at a moment when such disruptions are not only intolerable but could directly contribute to patient harm. 

Malicious cyber actors are often opportunists, and the healthcare sector has been ripe for attack even prior to COVID-19. In particular, hospitals and other front-line medical organizations are among the most at risk. These organizations often have more open networks by their nature, cannot afford delays to service, often lack the resources to invest in and maintain excellent cybersecurity programs and solutions, and as a general rule will prioritize the health outcomes of patients. COVID-19 has not only exacerbated these vulnerabilities, but also added new ones such as telehealth exposure.

The sudden surge of telework and telehealth solutions are rightly lauded for their ability to deliver critical services to those in need, but it comes with a cost. The rapid unplanned implementation of these untested technologies at scale has introduced both known and unknown security and privacy vulnerabilities into a sector that is historically highly regulated and risk averse. When all these factors are combined, hospital IT and cybersecurity teams face an unprecedented challenge under extreme circumstances.

Nowhere is this more apparent than among state and locally owned and operated public hospitals. Healthcare facilities like these, which make up nearly 20 percent of the United States’ community hospitals, are among those being targeted by cyber-attacks. These healthcare facilities have long lacked the resources to adequately secure and maintain their digital infrastructure, even as attacks against state and local governments have trended upwards.

As state and local governments struggle to provide the critical and essential services their communities rely upon, most are simply unequipped to also provide the resources and expertise needed to secure their healthcare facilities. They are in dire need of help. In its next round of funding, Congress and the administration have the ability to help them by making sure that resources aimed at medical facilities and state, local, tribal and territorial governments can be used for cybersecurity funding or by providing direct funding for cybersecurity.

In the months to come, hospital IT and cybersecurity teams will continue to work through stress, exhaustion and health issues all while feeling the intense pressure to secure their networks and ensure that critical life saving devices and healthcare systems operate as intended. It is imperative that the United States government do more to support them, especially in response to well-resourced state-sponsored cyber threats that no State and local entity can be expected to defend against.

Ari Schwartz is a former Special Assistant to President Obama for Cybersecurity Policy on the National Security Council and is currently Managing Director for Cybersecurity Services at Venable LLP and Director of the Cybersecurity Coalition.