As the coronavirus outbreak escalates, hospitals across the U.S. are bracing for a surge in sick patients. So, too, are the cybersecurity workers at these organizations, who are preparing to fend off ransomware attacks and other threats that could disrupt patient treatment.
Get what matters in tech, in your inbox every morning. Sign up for Source Code.
One organization that will play a crucial role in that effort is the Health Information Sharing and Analysis Center, an industry consortium that provides health care organizations of all kinds — including hospitals, insurance providers, medical device manufacturers, pharmaceutical companies and laboratories — with information on the latest threats and vulnerabilities targeting the industry. If one health care organization sees indications of a new attack, H-ISAC gives them a confidential way to share that information with peers.
Errol Weiss, the organization's chief security officer, said the next few weeks will be especially difficult for health care cybersecurity workers, as many of them shift to working remotely and take care of kids — and potentially become sick. The challenges will be especially hard for small hospitals, which lack the budget and staff to stay on top of cybersecurity issues.
Weiss, who held top cybersecurity roles at Bank of America and Citigroup prior to joining H-ISAC about a year ago, talked to Protocol about ransomware attacks on hospitals, hackers pledging to not target health care organizations during the coronavirus outbreak, and what the government's role is in fending off attackers.
This interview has been edited and condensed for clarity.
Smaller health care organizations may not have the resources necessary to protect their computer systems, says Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center.Photo: Courtesy of Health Information Sharing and Analysis Center
What emerging cybersecurity threats have health care organizations been dealing with in recent weeks?
We've been pushing out quite a number of threat intelligence and vulnerability reports over the past few weeks — there have been a lot of COVID-19 issues that have come up. A lot of phishing emails that are taking advantage of the situation, stealing username and password credentials, placing ransomware on victim computers.
There's been talk about vulnerable VPNs for the past several months that we've been notifying our members about, and that concerns me now that so many people are working from home. Malicious actors can take advantage of the VPN vulnerabilities to bypass authentication and essentially log into an enterprise infrastructure as a legitimate user. Some cybersecurity companies are sharing the IP addresses with us that tie back to health care companies, so we've been notifying those organizations that they have a vulnerable Pulse or Citrix VPN server or whatever else it may be, and provide them all of the updated information we have on that. We provide that information whether they're a member or not because one of our basic tenants is that the security of all health care organizations impacts the security of the entire system, so we're trying to raise the bar.
One of the evil ones we've seen is there have been a bunch of fake coronavirus-tracking maps and websites, using data from organizations like Johns Hopkins University to lure people into clicking on malicious attachments. We're sharing indicators about those things with our members and have gotten updates from Johns Hopkins directly and are working with them to find ways to help slow down the fakes.
How can you slow that down?
When I was doing threat intelligence for banks, we would actively monitor the internet for brand infringement; we would find websites and social media posts that used the brand name to try to dupe people into downloading something or going to a fake site. Johns Hopkins could actively monitor for those kinds of things — that may be one of the things that the government could help out with.
Over the last year, hospital systems in Alabama, New Jersey and many other states were hit by ransomware attacks. Are you concerned that these types of attacks could disrupt hospitals while they're dealing with the coronavirus response?
Ransomware attacks are happening all over and way too often. The key to this is going to be about raising awareness of the threat and making sure hospitals are taking the minimum steps to avoid it or recover quickly from it if it does happen. That's a lot of the guidance we've been putting out recently. Some security researchers have found default keys to unlock computers if organizations do get infected. But some of the attacks are using very good encryption, so they're getting harder to beat. So the real answer is avoiding the attack in the first place and being better prepared.
If a hospital does suffer a ransomware attack in the coming weeks, do you think the U.S. government should pay the ransom so it doesn't disrupt treatment?
Before I got to the health care sector, my stance was we shouldn't pay ransoms because we would be encouraging more of these attacks. But here we're talking potentially about patient lives. It's a tough question. I can't answer it. I'd much rather be advocating for organizations to spend the money on better preparedness and recovery.
What ways do you think the government can help?
I'd like to see the U.S. work on a policy to ensure foreign nations are actively prosecuting and punishing cybercriminals when they're caught, and that would be a better deterrent than what we have today. We don't have a great policy in place that's being taken seriously. A lot of countries who are trade partners of ours are ignoring cybercriminals and allowing them to operate in their country as long as they know what they're up to.
Are there signs that hackers are targeting hospitals more now that they're dealing with coronavirus?
I saw a hospital in the Czech Republic was recently hit by a cyberattack. But I also saw a report that ransomware gangs are saying they would stop their attacks against health care organizations. Supposedly the operators of Maze, DoppelPaymer, Ryuk [and other ransomware strains] put out an edict to their subscribers saying don't go after hospitals at this time. We'll see if they live up to their promise or not.
Besides cyberattacks, what has been top-of-mind for health care tech leaders?
We have a large amount of information sharing and collaboration in online chat channels. One of those channels that has been very active is about telework issues: providing equipment, ergonomic tools, reimbursement policies for internet service, how that works. There have been a ton of posts in there about how health care organizations are handling it, and you can imagine how complex and quick things are moving there. One post was from a company that had employees in 160 countries globally that they were quickly moving out of offices.
Are health care IT staff able to work from home?
The big challenge we have from a brick-and-mortar standpoint is we have sick patients coming into our facilities that could affect staff trying to keep the facilities running. I've been seeing a large number of hospital infosec staff working from home, but there are some core groups that have to show up on site. I hope their offices are located elsewhere, that there's separation or isolation, but the smaller hospitals probably don't have that.
Are health care organizations prepared for cyberthreats?
One challenge is that some of the smaller health care organizations may not have the resources that are needed to properly secure their environment. Their budgets are tight, and it's a complex and very difficult job. When I was in finance, we had an army of people working on cybersecurity for the banks, and from my experience I haven't seen the number of people in hospitals properly needed to secure those environments. There's a lot of talented people in the infosec departments in these health care orgs, but we need more help.
Get in touch with us: Share information securely with Protocol via encrypted Signal or WhatsApp message, at 415-214-4715 or through our anonymous SecureDrop.
Are any cybersecurity organizations offering free help to health providers?
I've been really busy over the last couple days talking to the leading threat intelligence providers and popular third-party risk-scoring tools — we've been talking with them about offering some level of free service for health organizations. With the risk-scoring tools, members can look at their own score to understand their own posture and then look at their main third parties to understand their top risks. Some smaller hospitals could find tremendous use from this, because they've had limited resources to focus on cyber and can get a free and useful snapshot of what their strengths and weaknesses are.