When Jeremy Hoffman’s wife began working from home in spring 2020, the pair went to work upgrading the home office to ensure her workspace would be in compliance with confidentiality regulations. As a psychologist, she needed strict security for her records. 

They installed a safe and new locks on the doors of her home office, which no one else in the household works from. Hoffman segmented the household’s internet network so none of her work devices connect to the household’s Wi-Fi, and she connects through a VPN. 

“That maintains that confidentiality that she needs,” said Hoffman, cybersecurity program chair at Des Moines Community College. “None of our traffic that we use normally for our household stuff can ever be seen on that, and we have no Wi-Fi for her network area. You can’t even see the traffic going through. … But not everybody can separate networks. It’s a new challenge to ensure that confidentiality and that confidence is maintained.” 

Most professionals don’t have a full-time cybersecurity professional living in their home to create a secure system to work remotely, Hoffman acknowledged. 

“You might have confidential business materials sitting on your kitchen table now, versus in your office,” Hoffman said. 

Yet cybersecurity is not just a concern to health care professionals working at home. In the middle of the COVID-19 pandemic, public health departments, hospital systems and other established health care providers are being targeted by cyberattacks leveraging the distraction to access sensitive data files. 

Before the general election this year, the New York Times reported on a list of more than 400 U.S. hospitals reportedly being traded by Russian hackers as potential targets. Hackers claimed to have infected more than 30 hospitals by Oct. 28. 

That same day, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the Department of Health and Human Services released a national cybersecurity warning of “an increased and imminent cybercrime threat to U.S. hospitals and health care providers.” 

The risk seems to weigh heavily in Iowa: “We have seen that organizations who speak publicly about the risks become the organizations that are targeted,” one health care services spokesperson told the Business Record in early November.

To understand how cybersecurity attacks operate, Armolon Corp. managing partner Manoj Tomar likens a security event to a train station. 

“There are a couple of security guards who are watching the foot traffic coming by. During the day there are maybe 20 people walking in every hour, so these guards have a really good handle on watching everyone who’s coming in. … [But] think of rush hours when all of a sudden you have 300, 400, 500 people walking through the door,” Tomar said. 

That is what has happened to health care organizations, he added: Hospitals and public health departments are at their capacity to manage a crisis, and that leaves them vulnerable to cyber threats. 

“It should always be their focus to save lives, and they are doing everything they can … but that makes them more vulnerable to things that are not on top of their pile at this point,” Tomar said.

Access to attack

At the start of 2020 businesses were not set up for work from home, and that applies to health care services.

As they face an ongoing public health emergency, health organizations may be left with impossible choices. Some organizations might choose to reallocate parts of operating budgets from IT or cybersecurity and direct that money to the pressing shortage of personal protective equipment for staff members treating COVID-19 patients; needed updates on software and equipment could be pushed back by organizational leadership. 

Health care organizations tend to use multiple software vendors and old hardware to stand up daily operations, Tomar said. 

“They’re more open to attacks because they are running systems that just should not have been up, that should have been gone years ago,” Tomar said. “On top of that, the amount of information flowing has exponentially gone up. … If you were getting 50 emails a day, now you’re getting 200 emails, so you have less time to process each one of them.” 

That gives employees much less time to process basic cybersecurity practices such as evaluating the source sender before clicking on links. A potential breach can start with one employee’s email account. 

The data of more than 60,000 patients seen by Mercy Iowa City may have been exposed between May 15 and June 24 this year after an employee’s email account was accessed by an unauthorized user, according to a letter sent by Mercy lawyers to Attorney General Tom Miller on Nov. 13. 

Cyberattacks against health care facilities and public health organizations do more than hold company property for ransom: At Sky Lakes Medical Center in Oregon, a ransomware attack froze electronic medical records and delayed surgeries, the New York Times reported. Even before the pandemic hit, 36% of health institutions that experienced cyberattacks reported being unable to provide care for at least five hours, a 2019 survey by the American Medical Association found. 

“They can encrypt different things and then require money for the keys to unlock it. That’s extremely detrimental to hospitals because they damage a system that’s connected to, say, life support. Now you’re talking about taking peoples’ lives if that crashes or the system fails because you’re locked out of the server,” Hoffman said.  

Well-coordinated cyberattacks can be planned months ahead of time before organizations ever learn their data storage was accessed, Tomar said. Once an attacker accesses a database, they will most likely spend time learning to navigate the system and identify where valuable data is being stored before launching a cyberattack. 

Most ransomware attacks are not designed to target particular institutions, Tomar said. 

“They are very generic attacks, and they are casting this wider net. They just hope somebody’s going to get caught,” he added. “You might have several hospitals or several health care entities dealing with it.” 

Prevention and response

When a security event happens, time matters. Without a cybersecurity department or partnership already established, organizations will lose time as an expert team has to identify the status of server backups — sometimes as long as several days when Armolon is gathering information from an organization. 

Armolon will bring in other cybersecurity agencies when responding to attacks against organizations as complicated as a hospital system, which may comprise electronic health records or equipment like MRI machines that have been connected to a network. 

“It’s kind of a case-by-case basis, there is no playbook for this,” Tomar said. 

The weakest point for new health care systems is whenever a transition period is in place, especially when new systems are being established, Hoffman said. Those instances do not always lead to malicious access, but errors can be just as serious. 

As the Iowa Department of Public Health established a statewide database to track confirmed COVID-19 cases, a reporting error in July and early August recorded positive COVID-19 cases as having been diagnosed in March through June, inadvertently lowering the amount of new infections reported by the state at the same time school districts relied on the data to make plans for in-person classes. 

Armolon is helping clients host small-group social engineering training online, adapted from the annual in-person training clients have held for their employees in years past. Remote-work employees who are given training and have ownership in their organization’s protection will be most successful in staying alert when they receive a suspicious email. 

Health care and public health departments will benefit from the same types of cybersecurity practices other businesses put into place, including three basic tenets: 

– Phishing training, which teaches staff members to identify suspicious emails that may deliver malware.
– Establishing VPNs for a remote workforce to ensure server protection.
– Two-factor authentication and good password “hygiene,” i.e., using secure passwords and never reusing a password between platforms.

“At the end of the day, on-site and online training both have their values, but you have to adapt if you can’t do the on-site training. You have to tweak your online training in a way that it still provides value to folks regardless of where they’re working from,” Tomar said. 

Even private health care practitioners who can transition to telehealth services have to assess their home office’s security. At a home office, risks could include a shared family network, passwords repeated for multiple websites or internet-of-things devices like doorbells connected to the same network as work devices — all factors common in employee homes, Hoffman said. 

More organizations see value in keeping employees working remotely, and cybersecurity needs to be part of that conversation, he said. 

“You have a huge attack surface when it comes to threat modeling, from little kids clicking on links when they’re on the internet, to adults clicking on links when they’re on the internet,” Hoffman said. “That threat scape is pretty much the same regardless of if it’s health care or banking.”