A recent cyberattack against U.S. Health and Human Services is a lesson to us all to better manage cyber risk in a healthcare environment.
According to Bloomberg, the U.S. Health and Human Services (HHS) Department suffered a cyberattack on Sunday night. The attack appears to have been intended to disrupt HHS's computer systems and thereby undermine HHS's response to the coronavirus pandemic that is currently gripping the country. The attack, which occurred just before midnight, involved overloading HHS servers with millions of hits over several hours, an attempted distributed denial-of-service (DDoS) attack. A DDoS is a type of attack whereby multiple compromised computer systems attack a target and cause a denial of service for users of the targeted resource.
Initial investigations suggest that the attack may have been the work of a foreign actor. A number of news outlets are pointing the finger towards Russia, but it may take weeks or even months for a full forensic investigation before the cyberattack can be accurately attributed.
Ensuring Patient Care During the COVID Crisis
During a healthcare crisis and a huge influx of sick patients, the resiliency of hospital and clinic IT systems becomes even more important to ensure patient survivability. Recognizing this, and with an expected escalation of threats during a national crisis, HHS had recently implemented an expanded risk-based approach to cybersecurity assessment of threats, vulnerabilities, and controls.
“HHS has an IT infrastructure with risk-based security controls continuously monitored in order to detect and address cybersecurity threats and vulnerabilities,” said Caitlin Oakley, a spokeswoman for HHS.
While this ‘risk-based’ approach to cybersecurity worked in HHS's favor to protect it from a cyberattack and to keep critical services up and running, most health systems are not so lucky. Many are still following a ‘controls-based’ approach to security, ignorant of the actual cyber-risks in their hospitals and clinics from devices they may think are safe from attack, but in fact have never been tested or even profiled—let alone risk-assessed.
According to an investigation conducted by Cylera last year, more than 90% of US hospitals and clinics do not have a current and accurate inventory of all IT and IoT assets that connect to their networks. This includes not only workstations and servers, but also BYOD (bring your own device) devices like personal phones and tablets, network connected building management systems that control elevators and air conditioning, and a rapidly growing number of medical devices—many of which are managed by third-party vendors and have never been patched.
"When your patients are relying upon you to provide medical services and to possibly keep them alive through a pandemic, five, six, or seven nines availability* is an absolute must," said Richard Staynings, Chief Security Strategist with Cylera and former HIMSS and AEHIS cybersecurity expert. "The last thing you want is for one of your un-assessed healthcare IoT devices to take down an entire hospital building or even a floor of your clinic. The availability of health IT and IoT systems is critical to the way we treat patients in today’s digital healthcare service no matter where you live or where you go to seek treatment or to get help with breathing," he added.
Automated tools like Cylera MedCommand™ make extensive use of AI and ML to thoroughly risk-assess connected medical and other IoT devices so you can understand risks and implement compensating security controls before something bad happens.
MedCommand™ provides clinical engineering and information security teams with a unified solution to manage, secure, and optimize the entire connected HIoT environment including medical devices, enterprise IoT, and operational technology.
Cylera has partnered with leading healthcare providers, experts, and peers to develop one of the most comprehensive and integrated HIoT security solutions available for healthcare. Learn more about Cylera's innovative AI-based approach to medical device and other HIoT endpoint management or contact us to schedule a conversation.
* Five nines availability indicates the expected uptime of a system, or 99.999% availability (roughly 5 minutes downtime per year). Similarly, seven nines would be 99.99999% uptime equating to 3.16 seconds downtime per year.