Published March 16, 2021
Associate Professor of Radiology, Hospital of the University of Pennsylvania
Following the warm reception of our April 2020 AJR paper, “DICOM Images Have Been Hacked! Now What?,” by the ARRS membership, we were asked to record an accompanying podcast and a live webinar. We also presented our results at the Cybersecurity Refresher Course of the Radiological Society of North America 2020 Scientific Assembly and at many other venues. Because the worlds of cybersecurity and health care have seen so many new developments since that review was published, I have been invited to summarize a few of the latest ones here.
The number of cyberattacks targeting medical institutions continues to increase. In 2020, 79% of all reported data breaches affected the health care sector, which has become a prime target. The breach portal of the U.S. Department of Health and Human Services Office for Civil Rights listed 620 new breaches of medical records in 2020. The largest hit Trinity Health in Livonia, MI: more than 3.3 million patient records were compromised, not through Trinity's own network but through a ransomware attack on Blackbaud, a cloud provider of fundraising and donor-management software used by many health systems. Third-party vendors holding patient data are part of a hospital's attack surface even when the hospital's own systems are untouched.
Other recent breaches and attacks have received lots of media coverage, for example:
- In September 2020, Universal Health Services (UHS), which operates more than 400 health care facilities across the U.S. and U.K., was forced to shut down computer systems at its U.S. facilities after an attack by the Ryuk ransomware, probably initiated by a phishing email. Many facilities were left without computer or phone systems; access to anything computer-based, from old labs and ECGs to radiology studies, was lost. UHS had to divert ambulances and transfer patients awaiting surgery to nearby hospitals. Four deaths were reportedly linked to delays in lab results that had to be sent by courier, although it remains unclear whether these deaths were directly caused by the attack.
- In Düsseldorf, Germany, also in September 2020, a ransomware attack on Heinrich Heine University crippled its University Hospital. The attackers encrypted about 30 hospital servers, cutting clinicians off from the information they needed for patient care, and the hospital had to withdraw from emergency service so that patients were redirected elsewhere. One critically ill woman on her way to the emergency department was rerouted to a hospital about 20 miles away and died after the roughly one-hour delay in treatment. The case was widely reported as the first death attributed to ransomware; prosecutors who investigated later concluded that the delay had not been decisive for the outcome, but the episode remains the clearest demonstration so far that ransomware in a hospital is a patient-safety problem and not only a data-protection one.
- A study by Greenbone Networks in September 2019 revealed that hundreds of millions of medical images, belonging to tens of millions of patients worldwide, were freely accessible on the internet from DICOM (PACS) servers that required no authentication; the count of exposed images passed one billion in the study's November 2019 update. The findings made headlines and caught the attention of Congress, where Senator Mark Warner of Virginia became a strong supporter of better security for medical servers and images. In October 2020, New Net Technologies published a follow-up study and found that, in the U.S. alone, millions of unprotected medical images were still exposed on the internet.
- Beginning in March 2020, attackers attributed to Russian intelligence (APT29, one of the groups behind the 2016 Democratic National Committee intrusion) distributed a backdoor inside a legitimately signed update of SolarWinds’ Orion software, which monitors the computer networks of governments and businesses to detect problems. Roughly 18,000 customers installed the trojanized update. Because the malicious code was inserted in SolarWinds' own build process and the update carried a valid signature, ordinary update verification did not catch it. The backdoor gave the operators remote access to every affected Orion server; from there they selected a far smaller set of high-value networks for hands-on intrusion and data theft. Victims include the Departments of Homeland Security, Treasury, Commerce, and Justice, as well as the Pentagon, the Postal Service, and the National Institutes of Health. As this article is being written, the investigation continues to reveal the full extent of the damage; so far, at least 250 federal agencies and businesses are known to have been compromised.
The outbreak of coronavirus disease (COVID-19) created a new set of problems for cybersecurity, producing a triple threat for health care systems:
- rapid expansion of networked devices and services, creating an expanded attack surface
- increase in the different types of cyberattacks
- fewer available resources to defend against cyberattacks
The use of telehealth has surged during the COVID-19 pandemic. At my institution, the Hospital of the University of Pennsylvania, telehealth consultations skyrocketed from 50 to 7,000 per day. Many radiologists continue to read from home, which moves part of the hospital's attack surface onto consumer networks and equipment.
A home radiology workstation connects to a home router, which connects over the internet to the hospital's VPN gateway, which in turn connects to the hospital servers. Each of these links is a point of attack. Radiologists reading remotely often leave the default administrator password on their home router, and home routers are rarely patched. Attackers have hijacked the domain name system (DNS) settings of hundreds of thousands of home routers, silently redirecting users from legitimate institutions' addresses to look-alike sites and intercepting data. Practical minimums for a home reading station are a router with changed administrator credentials and current firmware, a VPN configured so that all hospital traffic, DNS lookups included, goes through the tunnel rather than the home router, and a workstation that is managed and patched by the institution rather than shared with the household.
As soon as COVID-19 became a pandemic, there was a surge in every kind of cyberattack. Cybercriminals exploit any social crisis in full force, because stressed people make more mistakes. Phishing campaigns impersonating entities such as the World Health Organization spread across the globe like wildfire, carrying fake links and malicious file attachments.
Genuine websites, such as the Johns Hopkins Coronavirus Resource Center’s COVID-19 map, were quickly cloned, and the clones became major sources of malware distribution worldwide. Visitors to the fake sites were infected with information-stealing Trojans (in one widely reported case, the AZORult stealer bundled with a downloadable copy of the map). Links to the fake sites were spread by phishing emails, malicious online advertisements, social engineering, and search engines. Since the beginning of the pandemic, over 60,000 COVID-19-related fake websites have been created.
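The cloned-site and phishing-link problem above comes down to hostnames that look like a trusted institution's but are not. The following is an added example written for this column, not code from the AJR paper or from any vendor named here: a small checker that folds punycode and look-alike Unicode letters, then decides whether a hostname is the real domain, a homoglyph spelling of it, the brand parked as a subdomain of an unrelated domain, or a typo-squat. The allowlist, the confusable table and the sample hostnames are constructed for illustration, and the registrable-domain logic is deliberately naive (a production tool should use the Public Suffix List).

```python
"""Flag lookalike hostnames against a short allowlist of legitimate sites.

Added example; not code from the original paper or any vendor. ALLOWLIST,
CONFUSABLES and TWO_PART_SUFFIXES are constructed for illustration.
"""
import unicodedata

ALLOWLIST = {"jhu.edu", "who.int", "cdc.gov", "pennmedicine.org"}  # constructed allowlist

# Cyrillic letters that render like Latin ones (small constructed subset of Unicode confusables)
CONFUSABLES = {"\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j"}
# Naive stand-in for the Public Suffix List (assumption: enough for the demo)
TWO_PART_SUFFIXES = {"co.uk", "ac.uk", "com.au", "co.jp"}


def normalize(host: str) -> str:
    """Lower-case, decode punycode (xn--) labels, fold compatibility forms and confusable letters."""
    host = host.strip().rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")   # xn--wh-... -> Unicode label
    except UnicodeError:                               # already Unicode, or invalid punycode
        pass
    host = unicodedata.normalize("NFKC", host)         # e.g. fullwidth letters -> ASCII
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def registrable_domain(host: str) -> str:
    """Last two labels, or three when the suffix is a known two-part suffix."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; fine for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Return one of: legitimate, homoglyph, brand-in-subdomain, typosquat, unknown."""
    raw = host.strip().rstrip(".").lower()
    norm = normalize(raw)
    reg = registrable_domain(norm)
    if reg in ALLOWLIST:
        # Same registrable domain once folded: genuine, or spelled with confusables/punycode
        return "legitimate" if raw == norm else "homoglyph"
    for good in ALLOWLIST:
        # Brand used as a subdomain of some other registrable domain, e.g. jhu.edu.covid-map.com
        if ("." + good + ".") in ("." + norm + "."):
            return "brand-in-subdomain"
    label = reg.split(".")[0]
    for good in ALLOWLIST:
        brand = good.split(".")[0]
        if brand in label.split("-"):                          # jhu-edu.com, covid-cdc.org, jhu.com
            return "typosquat"
        if len(brand) >= 6 and levenshtein(label, brand) <= 2:   # pennmedicne.org
            return "typosquat"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample hostnames of the kinds seen in COVID-19 phishing
    for h in ["coronavirus.jhu.edu", "coronavirus.jhu.edu.map-live.com",
              "jhu-edu.com", "pennmedicne.org", "wh\u043e.int", "example.org"]:
        print(f"{h:40s} {classify(h)}")
```

The short-brand rule (edit distance) is only applied to brands of six or more letters because three-letter labels such as jhu, who and cdc would otherwise match far too much; for those, only the hyphen-token and subdomain rules fire. A mail gateway or proxy would run `classify` over every hostname in a link and block or warn on anything other than "legitimate" or "unknown".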
Meanwhile, nation states, including Russia and China, have been attacking pharmaceutical companies and vaccine developers to steal intellectual property. They use phishing emails to obtain login credentials and exploit unpatched, internet-facing servers, VPN appliances, and routers to upload tools or execute code remotely. Two well-known groups, APT29 from Russia and APT41 from China, have been publicly named by U.S. and U.K. authorities for targeting COVID-19 research in exactly this way.
Late last year, the National Cybersecurity Center of Excellence, part of the National Institute of Standards and Technology (NIST), released its final practice guide on securing PACS technology and DICOM servers (NIST Special Publication 1800-24). NIST recommended a combination of strategies, including defense in depth, access control mechanisms, a holistic risk management approach, and the use of cloud storage. A defense in depth strategy places multiple layers of defense at the level of the perimeter, the network, the workstation, the application, and the data, so that if one layer fails the data are still protected. NIST also recommended segmenting the network into groups of devices sharing similar functions. This can be done with virtual local area networks or, more finely, with software-defined networking, which is often the only way to protect legacy devices that lack security features of their own.
Also in December 2020, the Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert on vulnerabilities in DICOM image servers together with recommendations for protecting them: general hygiene (strong passwords, closing unused network ports, applying the most recent patches), encryption of data at rest and in transit, restrictions on which hosts may reach the server, and network segmentation. In practice, restricting network access means that a PACS or modality should never be reachable from the internet at all, and that inside the hospital only known workstations and modalities should be able to open a DICOM association with it.
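The Greenbone and NNT scans described earlier, and the HC3 advice on restricting network access, both come down to one question: will this DICOM listener accept an association from a stranger? The following is an added example written for this column, not code from the AJR paper, the scanning studies, or HC3. It builds a single A-ASSOCIATE-RQ PDU (DICOM PS3.8) proposing the Verification SOP Class, sends it, and reports whether the server accepted, rejected, or aborted the association; it requests no patient data, and an accepted association is aborted immediately. The implementation class UID, the calling AE title and the default called AE title are placeholders chosen for this example. Run it only against systems you are authorized to test.

```python
"""Probe a DICOM listener with an association request for the Verification SOP Class.

Added example; not code from the paper, the Greenbone/NNT studies, or HC3.
IMPL_CLASS_UID is a placeholder, not a registered UID.
"""
import socket
import struct
import sys

APP_CONTEXT = b"1.2.840.10008.3.1.1.1"   # DICOM Application Context Name
VERIFICATION_SOP = b"1.2.840.10008.1.1"  # Verification SOP Class (C-ECHO)
IMPLICIT_VR_LE = b"1.2.840.10008.1.2"    # Implicit VR Little Endian transfer syntax
IMPL_CLASS_UID = b"1.2.3.4.5.6.7.8.9"    # placeholder (assumption), not a registered UID
IMPL_VERSION = b"PROBE_0_1"

PDU_ASSOC_RQ, PDU_ASSOC_AC, PDU_ASSOC_RJ, PDU_ABORT = 0x01, 0x02, 0x03, 0x07

# A-ASSOCIATE-RJ reasons when the source is the DICOM UL service-user (PS3.8 Table 9-21)
RJ_REASON_USER = {1: "no reason given", 2: "application context not supported",
                  3: "calling AE title not recognized", 7: "called AE title not recognized"}


def _item(item_type: int, payload: bytes) -> bytes:
    """Encode an upper-layer item/sub-item: type, reserved byte, 2-byte big-endian length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title: str) -> bytes:
    """AE titles are 16 bytes, space padded."""
    return title.encode("ascii")[:16].ljust(16, b" ")


def build_associate_rq(called_ae: str, calling_ae: str = "PROBE") -> bytes:
    """Build an A-ASSOCIATE-RQ proposing one presentation context (Verification SOP Class)."""
    pres_ctx = _item(0x20, struct.pack(">BBBB", 1, 0, 0, 0)       # presentation context ID 1
                     + _item(0x30, VERIFICATION_SOP)             # abstract syntax
                     + _item(0x40, IMPLICIT_VR_LE))              # one transfer syntax
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))  # maximum PDU length we accept
                      + _item(0x52, IMPL_CLASS_UID)
                      + _item(0x55, IMPL_VERSION))
    body = (struct.pack(">HH", 1, 0)                             # protocol version 1, reserved
            + _ae(called_ae) + _ae(calling_ae) + bytes(32)       # AE titles, 32 reserved bytes
            + _item(0x10, APP_CONTEXT) + pres_ctx + user_info)
    return struct.pack(">BBI", PDU_ASSOC_RQ, 0, len(body)) + body  # 6-byte PDU header


def classify_response(pdu: bytes) -> str:
    """Interpret the first PDU the server sends back."""
    if len(pdu) < 6:
        return "no-response"
    pdu_type = pdu[0]
    if pdu_type == PDU_ASSOC_AC:
        return "accepted"
    if pdu_type == PDU_ASSOC_RJ and len(pdu) >= 10:
        result, source, reason = pdu[7], pdu[8], pdu[9]  # body: reserved, result, source, reason
        if source == 1 and reason in RJ_REASON_USER:
            return f"rejected: {RJ_REASON_USER[reason]}"
        return f"rejected: result={result} source={source} reason={reason}"
    if pdu_type == PDU_ABORT:
        return "aborted"
    return f"unexpected PDU type {pdu_type:#04x}"


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP", timeout: float = 5.0) -> str:
    """Connect, send the A-ASSOCIATE-RQ, classify the reply, and abort any accepted association."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae))
        header = _recv_exact(sock, 6)
        if len(header) < 6:
            return "no-response"
        body = _recv_exact(sock, min(struct.unpack(">I", header[2:6])[0], 65536))
        verdict = classify_response(header + body)
        if verdict == "accepted":
            # A-ABORT: type 7, reserved, length 4, two reserved bytes, source 0 (service-user), reason 0
            sock.sendall(struct.pack(">BBIBBBB", PDU_ABORT, 0, 4, 0, 0, 0, 0))
        return verdict


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 104
    try:
        print(f"{target}:{target_port} -> {probe(target, target_port)}")
    except OSError as exc:
        print(f"{target}:{target_port} -> connection failed ({exc})")
```

An "accepted" verdict for a made-up called AE title and an unknown calling AE title means the listener performs no AE-title checking at all, which is the condition the 2019 scans found on the open internet; run the probe from outside the hospital network, and also from an ordinary user VLAN inside it, and the only acceptable result in both cases is a connection failure. A "rejected: calling AE title not recognized" (or "called AE title not recognized") reply shows that AE-title allowlisting is on, but that is a weak control, since AE titles are not secret and are easy to guess, so segmentation and DICOM over TLS are still needed. DICOM commonly listens on 104 or 11112.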
The U.S. government also enacted the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 in December. Responding to the sharp rise in compromised IoT devices during the year, the law directs NIST to publish minimum security standards for IoT devices owned or controlled by the federal government, bars agencies from procuring devices that do not meet them, and requires guidelines for reporting and resolving vulnerabilities in such devices. It binds federal procurement directly, not the commercial market, but vendors selling to the government tend to apply the same baseline across their product lines.
Early this year, the HIPAA Safe Harbor Bill (H.R. 7898) was signed into law, amending HITECH (Health Information Technology for Economic and Clinical Health) so that HHS must take into account whether a covered entity or business associate has had recognized security practices in place for the previous 12 months when deciding on fines, audits, and other enforcement. The recognized practices include the NIST Cybersecurity Framework and the HHS 405(d) Health Industry Cybersecurity Practices. The HITECH Act of 2009 drove the adoption of electronic health records (EHR) by health care providers, which keeps about a million U.S. physicians busy every evening entering clinical data.
What can we expect in 2021 for cybersecurity in health care? The new administration will start by repairing the massive damage to the cybersecurity infrastructure caused by the previous administration. Nation states will continue cyberattacks on COVID-19 vaccine developers to steal trade secrets and gain a competitive advantage. Smaller health care institutions, barely surviving this pandemic economically, will face increased attacks by cybercriminals: they face the same threats as larger institutions without the same cyberdefense budget and staff. As health care organizations move more of their data to the cloud, we should see increasing numbers of breaches of patient data on cloud infrastructure, most of them from misconfiguration rather than from weaknesses in the cloud platforms themselves. Phishing with a health care theme will be more prevalent, given the focus on all health issues during COVID-19. And IoT and wearable medical devices will remain targets for the foreseeable future, until the security baseline the new federal procurement law creates spreads to the wider device market.
The opinions expressed in InPractice magazine are those of the author(s); they do not necessarily reflect the viewpoint or position of the editors, reviewers, or publisher.