Health workers collect saliva samples from Arizona agency workers to test for COVID-19 in 2020. Wireless data from health care sites can be attractive targets for cybercriminals.
Photo courtesy Arizona Department of Transportation, via Flickr Creative Commons
As public health agencies worked tirelessly to control the COVID-19 pandemic over the past year and a half, they have been faced with another increasing threat: cyberattacks.
In October 2020, the FBI and U.S. Department of Health and Human Services warned that the U.S. public health and health care sector were at high risk from cyberattacks from malicious actors. In a joint alert with the U.S. Cybersecurity and Infrastructure Security Agency, the agencies said they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and health care providers” and warned officials to take timely and reasonable precautions to protect their networks.
Unfortunately, that warning has proved accurate, with attacks snarling public health work and taxing an already-strained workforce.
“The added burden of a cyberattack is an unneeded stressor on an already stressed system,” Laura Biesiadecki, MSPH, senior preparedness director for the National Association of County and City Health Officials, told The Nation’s Health.
In the past year, high-profile cyberattacks in the U.S. have derailed critical systems ranging from gasoline pipelines to relatively small county government phone systems. In February, hackers compromised systems at a Florida drinking water treatment facility, increasing the amount of a caustic chemical used in the water treatment process. While the change was quickly noticed and no one was harmed, the incident alarmed the public health community.
In Alaska, a May attack on the state’s Department of Health and Social Services resulted in services being either completely unavailable or impaired for weeks. As of mid-August, the full Alaska DHSS web-site was still unavailable, backlogs remained for managing vital records and background checks were still being processed manually. An Aug. 4 update said the attack has cost the department around $460,000 to date with an unknown amount of staff time and labor spent on the attack.
“This was not a ‘one-and-done’ situation, but rather a sophisticated attack intended to be carried out undetected over a prolonged period,” Scott McCutcheon, the department’s technology officer, said in a news release. “The attackers took steps to maintain that long-term access even after they were detected. In addition to getting everything back up and running, our team is taking strong, preventative actions and developing more robust incident response capabilities so we can quickly respond to any future cyberattacks.”
In some parts of the world, recent cyberattacks have disrupted vital health services. In Lazio, Italy — the region that includes Rome — in August, cyber-attackers seized and encrypted data from the system residents used to schedule COVID-19 vaccination appointments.
A ransomware attack — in which criminals shut down or impair a system until payment is made — on Ireland’s Department of Health left providers without access to patient records, delaying appointments and care.
“Trying to deal with the impacts of these attacks and maintaining day-today operations is not compatible,” Biesiadecki said. “It becomes a competition among resources.”
Health agencies and hospitals are prime targets for attackers, according to cybersecurity experts. And the pandemic is making them more vulnerable. COVID-19 vaccination clinics, mobile contact tracing and ad hoc testing sites create opportunities for data to become more easily exposed.
“The inherent way in which some of those things are going to be done…lends itself to the information being more at risk,” Ed Mattison, MS, executive vice president of operations and security services for the Center for Internet Security, told The Nation’s Health.
Data transmission is an attractive target for cyber-criminals during work to contain COVID-19. Patient information that would normally be secured in an office, hospital or lab is in an environment where workers are using sometimes-unfamiliar devices on wireless networks.
“Protected health information and patient records is inherently very valuable to cybercriminals,”
Mattison said. “Something like a valid credit card number online can fetch a dollar or two, but a complete medical record of someone could fetch many times more.” Thieves are rarely interested in information such as COVID-19 vaccination status or body temperature. But information attached to a health record — such as addresses, phone numbers and insurance information — can make a complete package for identity theft.
“Thieves go where there is valuable information and health facilities have lots of data,” Darrell West, PhD, MA, vice president and director of governance studies at the Brookings Institute, told The Nation’s Health.
Cyberdefense in need of strengthening
While preventing a computer virus may seem like something that would mainly be the responsibility of an IT office, that way of thinking could leave critical infrastructure vulnerable.
“Cyberdefense has to be important to everyone along the line,” Biesiadecki said. “If you get locked out and have to revert to paper records, you better make sure you have the systems and training in place to deal with that change.”
In 2018, NACCHO and the Office of the U.S. Assistant Secretary for Preparedness and Response conducted a cybersecurity needs assessment survey to gauge the threat cyberincursions pose to public health infrastructure. Using data collected at a 2018 Preparedness Summit workshop, the organizations found that nearly half of surveyed public health officers felt their organization had either a limited or no role in responding to cyberattacks that would impact public health and health care systems.
While some jurisdictions may have since improved their systems and training, Biesiadecki said she doubts that significant progress has been made since the survey was conducted in 2018.
“Since the COVID-19 pandemic, health departments have had limited capacity to focus attention on other emerging national threats,” she said.
While antivirus programs and internet security measures such as two-factor authentication can reduce the likelihood of a successful attack, there is one common weak point agencies need to put more focus on: their staff. In 2019, Oregon’s government systems were snarled from a cyberattack that used a phishing scheme, in which an official-looking message is actually a lure for malware.
“We’re talking about people who are taking advantage of the nature of human beings and their ability to not be able to determine when something is a phishing email and when it’s not,” Mattison said. “They find themselves clicking on links that lead them to bad things like ransomware, malware infections or social engineering campaigns which are trying to steal their credentials to other systems.”
With widespread attacks that go beyond health agencies, many state governments are beefing up their security systems. A key preventive measure is cybersecurity training. Staff who are dedicated to internet and data security are critical considerations for modern agencies that maintain private health information. A good place to start for agencies is to tap into the plethora of state and federal resources already available to them through agencies such as HHS’ Technical Resources, Assistance Center and Information Exchange and CIS’s Multi-State Information Sharing and Analysis Center, Mattison recommended.
“I’m not sure health departments understand the importance of cybersecurity until they have gone through an attack,” Biesiadecki said. “These attacks have the potential for major disruptions and to have cascading impacts on other systems in the community.”
For more information, visit www.asprtracie.hhs.gov/cybersecurity and www.cisa.gov.
- Copyright The Nation’s Health, American Public Health Association
