In recent months we have seen nonstop headlines about cyber criminals exploiting COVID-19 to invade networks, steal identities, and pilfer data. Research from CYFIRMA, a cybersecurity strategy firm, uncovered plans for a large-scale phishing campaign, utilizing malware and an email subject line that says “Coronavirus Correspondence.” Once the email was clicked, the hackers’ financial motives would be all but realized.
When Microsoft ended support for Windows 7 this past January, it was to be expected that many firms and businesses would still rely on the OS for the foreseeable future, rather than instantly make the transition. If you consider the healthcare industry, however, this immediately presents problems. Research from Atlas VPN shows that 83% of US healthcare providers still use outdated legacy software, while more than half of the Internet of Medical Things (IoMT) devices are still operating on Windows 7.
Factors like these pose a unique challenge in the face of a global pandemic. According to Atlas VPN, one in four patient monitoring devices—which are in greater use now than ever before—has significant security issues. Hospitals and healthcare organizations are on their toes these days, trying to adapt to unprecedented security concerns as best they can. And yet medical devices like imaging systems are at increased risk of their older operating systems being hacked. Securing them has become a crucial goal for IT teams everywhere.
Of course, connected IoMT devices can be tricky for hospitals to secure during the best of times. A pandemic multiplies the difficulty exponentially, with more room for error. Any new device might take time for an organization’s IT staff to get a handle on and implement successfully; but thanks to COVID-19, that time frame has become accelerated by necessity. Much attention might be given to seemingly obvious points of attack, like respirators and ventilators that may indeed be insecure, but are also smaller in number. However, there are other connected devices that are much more prevalent throughout a hospital, like surveillance cameras or vending machines. These could prove an easier entry point for cyber criminals looking to infiltrate the network.
And even more medical devices will indeed be coming online, as companies in previously unrelated verticals start pivoting to medical devices in order to combat the pandemic: companies like Mexican home appliance manufacturer Mabe SA de CV, which is turning its refrigerator cabinets into new medical devices like splitters and ventilators. The attack surface for cyber criminals will only expand as other organizations take similar initiatives.
We have also seen incidents of insecure applications making the news. Whether it was Indian telecom Jio (in which Facebook purchased minority ownership) and its unprotected database, or government agencies rapidly deploying business relief apps without sufficient security, these have proven another high-risk vector during an already complicated time for cybersecurity. People working remotely might not have the same security capabilities on their own systems, which makes them and their firms more vulnerable to phishing than usual.
This also applies to hospitals that may be compelled to give care outside the traditional hospital setting, such as in nursing homes or even in temporary facilities created in hotels to treat patients. From remote doctor consultations to prescriptions, there is currently a mass migration of the healthcare industry to the online space.
Naturally, the primary focus of hospitals and doctors is saving lives in the face of a pandemic, while also limiting their own exposure. This is as complicated a task as it sounds, and it is compounded by the continued need for strong cybersecurity. Connected devices facilitate many of the necessary tasks for healthcare workers, but they also create the many risks we’ve observed. There are no easy answers, but remaining vigilant is critical to protecting vulnerable devices.