Submitted by: Daryl Haegley (CS)²AI Fellow and Director, Mission Assurance & Cyber Deterrence at the DOD
By Jai Vijayan 9/10/20
The hasty shift to online delivery of primary care services since the COVID-19 outbreak has attracted significant attacker interest. The mass adoption of telehealth applications and services in the months since the COVID-19 outbreak began has introduced new cyber-risks within the healthcare industry. New research by SecurityScorecard and Dark Owl found that the rapid onboarding of technologies for enabling the delivery of health services online has significantly broadened the attack surface at many healthcare organizations, putting both patient and provider data at risk.
SecurityScorecard and DarkOwl analyzed data related to the use of telehealth products from 148 vendors by healthcare providers around the country. Prior to the pandemic, the use of such products hovered at less than 1% of the overall visits to healthcare providers by people seeking access to primary healthcare services. The public health emergency prompted by the pandemic resulted in primary care visits dropping precipitously after mid-March, while the use of telehealth apps soared 350%, SecurityScorecard said, referring to a report from the US Department of Health and Human Services.
The speed at which the transition to online health-services delivery happened left little time for healthcare providers to properly vet telehealth products for security issues or to ensure their safe use, says Alex Heid, chief R&D officer at SecurityScorecard. "We examined the 148 most popular telehealth apps from a number of angles, and there are concerns across the board, from the development, deployment, and configuration of the applications themselves, as well as the digital supply chain that supports them," Heid says.
To assess the increased risk from telehealth apps, SecurityScorecard and Dark Owlexamined the increase in security alerts sent by users of these apps to IT staff at their respective organizations. The two companies
compared data from September 2019 to February 2020 and from March 2020 to April 2020. For the study, they looked at a variety of alerts, including those related to IP reputation, patching cadence, endpoint security, DNS health, application and network security, and leaked credentials. For example, for patching cadence, analysts from SecurityScorecard and Dark Owl looked at the number of alerts that were sent
to IT staff involving irregularly installed or missing patches.
The analysis uncovered a 117% increase in IP reputation alerts, a 65% increase in issues involving patches, and a 56% increase in endpoint alerts. The study revealed similar increases across every other single risk vector.
Application security alerts, for instance, increased 16%. FTP issues jumped by 42%, and alerts related to the frequently abused Remote Desktop Protocol (RDP) went up by 27%.
SecurityScorecard and Dark Owl also observed a sharp increase in chatter pertaining to telehealth apps and credentials on Dark Web markets and hacker forums. For example, mentions of names of telehealth vendors and products such as Teladoc, CareClix, and MeMD jumped noticeably after the pandemic began. They also noticed malicious code being shared in March via criminal forums that would allow attackers to collect patient identity and prescription information for telehealth systems. According to the researchers, the malware is likely being used presently to harvest patient data. In another instance, they discovered a hacker providing specifics on how to compromise a medical imaging system so X-rays and other medical images could be downloaded, altered, or sold.
"Healthcare organizations need to fully and completely vet the telehealth vendors they integrate with their systems," Heid says. "As with any third-party vendor, their security risks become your security risks."
The new cyber-risks within the healthcare sector since the COVID-19 outbreak started is by no means unique. Security vendors have reported similarly heightened risks across almost every other sector. Attackers trying to take advantage of the sudden shift to remote work have been hammering away at weaknesses in home networks and devices, videoconferencing and remote collaboration tools, virtual private networks, and other network equipment. Government organizations, educational institutions, and healthcare organizations have proved to be especially popular targets for ransomware, distributed denial-of-service attacks, and account takeovers. "We were surprised to find that, prior to the pandemic, the healthcare industry had improved its overall cybersecurity posture since our report last year." Heid says. "However, the mass adoption of telehealth applications has introduced new digital surface areas, which in turn introduce new risks."
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.