29 Million Healthcare Records Were Compromised In 2020, But You Can’t Protect Your Cyber World If You Leave Your Real World Unsecured

April 16, 2021

By Wyly Wade

Section 13402(e)(4) of the HITECH Act requires the U.S. Department of Health and Human Services (HHS), Office for Civil Rights, to post notice of any breach of unsecured protected health information that affects 500 or more individuals. According to HHS, 155 healthcare data breaches have been reported to them just this year — between Jan. 1 and April 9, 2021 — that are currently under investigation. These breaches have come about for a variety of reasons, from hacking or IT incidents involving networks or devices, to unauthorized access of emails or servers, theft, or even because of the loss of physical papers. 

Hospital systems have always had vulnerabilities, but the Covid-19 pandemic appears to have magnified them several times over. According to HHS data, more than 29 million healthcare records were exposed or compromised in 2020. This story, though, isn’t about those breaches or exposures; it’s about putting in place protocols that protect vulnerable virtual systems by securing the real world: verifying credentials, channeling admissions through pinch points, implementing physical access protocols for devices, and being able to assess internal and external threats from employees, visitors, patients and vendors.

In late October 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and HHS issued a joint cybersecurity advisory, saying they had “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The advisory described the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware for financial gain.

On Feb. 24, 2021, IBM Security released their 2021 X-Force Threat Intelligence Index, examining how cyberattacks developed in 2020 against the backdrop of new challenges created by the pandemic. The report, based on insights from monitoring more than 150 billion security events per day in more than 130 countries, observed that threat actors pivoted “their attacks to businesses for which global Covid-19 response efforts heavily relied, such as hospitals, medical and pharmaceutical manufacturers, as well as energy companies powering the Covid-19 supply chain.”

According to the report, “cyberattacks on healthcare, manufacturing, and energy doubled from the year prior, with threat actors targeting organizations that could not afford downtime due to risks of disrupting medical efforts or critical supply chains.”

Trust No One, Check Everyone

Approximately 6.6% of all attacks in 2020 targeted healthcare industries, with 33% of global attacks focused on North America. A host of cyber ops specialists have recommended healthcare — and other — organizations adopt a security concept called Zero Trust. In essence, it means trusting no one by default, whether inside or beyond the organization’s physical and virtual boundaries, and verifying and authenticating every credential before authorizing access to network systems.

With resources dispersed across multiple IT environments because of the pandemic, and people working remotely, it becomes even more crucial for healthcare systems to be able to Know Your Employee, Know Your Visitor, Know Your Vendor, and Know Your Patient and verify their threat potential in real-time, in order to protect not just their physical environment — their people and physical assets — but also their virtual ecosystems. There’s no such thing as cyber if you don’t protect the physical. If that doesn’t quite make sense, read on.

We’d taken a deep dive into this a few years ago, in the aftermath of the extraordinary DDoS attacks on DNS provider Dyn by hackers using an estimated 100,000 infected devices, and decided to revisit why organizations have to look at fortifying the real world if they want to secure virtual spaces. We already do certain things to keep ourselves digitally secure: we change passwords, we secure networks, and we put double validation processes in place for online access. We also spend a lot of money protecting the physical wiring, the copper and fiber-optic cables that come into a building and attach to the network or the Internet.

The problem, however, is that we don’t spend that same quality time protecting our actual doors, i.e., our access points, or vetting the people who come through those access points. And we should. Why? Because once someone walks through the front door and has physical access to a building, they could infiltrate your digital ecosystem from anywhere. People tend to think of cyber as being something in the cloud, or something that comes across the Internet. Quite frankly, that’s really not the persistent attack surface.

It is very, very hard to crack cryptography, despite the attention it gets when it happens. It’s easier for a committed hacker to walk into a building, act like he or she belongs there, pay attention, and steal or gain unauthorized access to an insider’s credentials to get access to a system.

Graphic courtesy: CISA, FBI, HHS Advisory

Physical Access Matters

What happens if you walk into a busy place like a hospital? You watch. People get up and walk away from a terminal for any number of reasons, and it’s not all that difficult to casually gain access if you look the part. It’s quite easy to gain access to a hospital’s network if you’re hanging out there: you can plug into a network port, or plug a USB key into an unmonitored computer and download something. For an assured, practiced hacker with mala fide intent, that’s all it takes.

Take the Target hack in 2013. Hackers installed malware in Target’s payment system not by breaking into Target’s systems head-on, but simply by stealing credentials from a third-party contractor, an HVAC vendor with access to Target’s network. They eventually used those stolen credentials to upload malicious software onto point-of-sale devices at stores, which led to the exposure of a massive 40 million credit and debit cards of Target customers during the peak retail season between Thanksgiving and the pre-Christmas sales.

Hacking does happen, we know that. There are any number of cases, including the 2014 Anthem breach, where hackers gained illegal access when someone on the inside clicked on an email link they shouldn’t have clicked on and allowed the malware in. Those attacks make the news, and we do spend lots of money securing against them — we repel a lot more cyberattacks than we allow. What we don’t spend enough on securing, however, are the simple things that we can secure. Most organizations, especially in places like hospitals, have policies in place that specify who has the right to be on their premises and who doesn’t. But with multiple points of entry and exit and a huge number of people moving in and out of the premises — employees, contractors, patients, visitors and vendors — they’ve got to look for innovative solutions that work in real-time.

What could those be?

Most facilities should have a single point of registration for entry and exit. This doesn’t mean you don’t have emergency exits, but in the normal course you force everyone to go through pinch points. That way everyone walks through a particular area where you can validate their credentials, whether that area guards a building, a facility, a floor or anything else. There should also be no tailgating allowed.

The next step is making sure you have some kind of Know Your Visitor (KYV) real-time software in place, something that would allow your security guard or intake professional (for a patient or visitor) to run a basic criminal background check on the individual in seconds, even while they’re signing in. Is that possible? Yes. With Biometrica’s software, for instance, you can actually run a background check in under 10 seconds, which is less time than it takes for someone to fill in their visitor or intake details and get signed in.

Third, make sure you continuously monitor everyone who may not be on the premises but has remote access to your network systems for any arrests or convictions. Anyone who is arrested — for any reason — is stressed and vulnerable. You need to know of that arrest in real-time in order to decide on a course of action: get them help, depending on what the arrest is for, but if they are in a sensitive role with access to information or networks, help yourself by conducting an internal investigation and pausing their access to your network.

If you don’t control physical access to your systems, your credentials and your mobile devices, you don’t really control the cyber aspect of those devices. Essentially, if I am able to steal a device on your network, or I’m able to compromise, with physical access, a device that has access to your network, there would be no way for you to know that I’m not supposed to be doing that, especially if I am physically on site. There are lots of little devices I can simply plug into a wall, and they would just sit there and hack your system from inside your own network, get onto your Wi-Fi and create a tunnel back to me and my network. So later, even remotely, I can act like I’m internal to your network.

It would then not only look like I am a credentialed user on your network inside your system, but I’m also literally inside your system. I’m inside your virtual walls. And how I got there was because you didn’t protect your physical walls.
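One defensive counterpart to the scenario above, added here as an example that is not from the original article: audit the network’s DHCP leases against a device inventory, so that a newly plugged-in device nobody registered, or a known device turning up on a subnet it does not belong to, is flagged for the security team. The lease lines, the inventory, and every MAC address and subnet in it are constructed for the example.

```python
"""Flag devices on the internal network that are not in the asset inventory."""
import re
from dataclasses import dataclass

# Constructed sample: dnsmasq-style lease lines
# (expiry  MAC  IP  hostname  client-id). The third entry is a device
# that was simply plugged into a wall port and never registered.
SAMPLE_LEASES = """\
1618560000 00:1a:2b:3c:4d:01 10.20.1.15 ward3-ws07 01:00:1a:2b:3c:4d:01
1618560120 00:1a:2b:3c:4d:02 10.20.1.16 ward3-ws08 01:00:1a:2b:3c:4d:02
1618560300 b8:27:eb:11:22:33 10.20.1.77 raspberrypi 01:b8:27:eb:11:22:33
1618560420 00:1a:2b:3c:4d:03 10.20.9.40 ward3-ws09 01:00:1a:2b:3c:4d:03
"""

# Constructed asset inventory: MAC -> (owner, subnet prefix it should live on).
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("Ward 3 workstation 07", "10.20.1."),
    "00:1a:2b:3c:4d:02": ("Ward 3 workstation 08", "10.20.1."),
    "00:1a:2b:3c:4d:03": ("Ward 3 workstation 09", "10.20.1."),
}

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)")


@dataclass
class Finding:
    mac: str
    ip: str
    hostname: str
    reason: str


def parse_leases(text):
    """Yield (mac, ip, hostname) for every well-formed lease line."""
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip().lower())
        if m:
            yield m.group(2), m.group(3), m.group(4)


def audit_leases(text, inventory):
    """Return one Finding per lease that the inventory does not explain."""
    findings = []
    for mac, ip, hostname in parse_leases(text):
        asset = inventory.get(mac)
        if asset is None:
            findings.append(Finding(mac, ip, hostname, "not in asset inventory"))
        elif not ip.startswith(asset[1]):
            findings.append(Finding(mac, ip, hostname,
                            f"{asset[0]} outside expected subnet {asset[1]}0/24"))
    return findings
```

Run against a real lease file, the same check is only as good as the inventory behind it, which is the point of the article: you have to know what is supposed to be inside your walls before you can notice what is not.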