Hospitals are deploying virtual care apps in a matter of days, exposing them to more cyber attacks

The coronavirus has forced hospitals to fight an uphill battle on multiple fronts, and as they scramble to establish virtual healthcare solutions to minimize the strain on other resources, they’re becoming prime targets for hackers looking to capitalize on the chaos.

Read full article featuring iSecurity in IT World Canada.

“Hospitals and other healthcare centres are being asked to start providing virtual care…requiring hospitals to set up and install new infrastructure and technologies to facilitate this,” explained Raheel Qureshi, co-founder and partner of Toronto-based iSecurity. “And it’s getting set up within a matter of a week or two, instead of three months, which is what we usually expect.”

Qureshi said their company is working closely with at least five large hospitals in Ontario, all of which are working to install secure virtual care capabilities. Most of them are relying heavily on internal resources and leaning on the expertise of their boards to establish virtual care applications.

“This is the best time for malicious hackers to maximize their revenues,” he added.

COVID-19’s rapid spread, combined with the imminent threat that hackers pose, has forced healthcare organizations to respond much faster to the cyber attacks aimed in their direction, indicated Qureshi.

“At this point, they’re not going back to the province and asking ‘what do you have for us?’ They understand they need to take matters into their own hands and figure this out now,” Qureshi said.

To help hospitals and healthcare centres operate more flexibly, the Ontario government this week announced that it was spending $7 billion in additional resources for the healthcare system. Out of that total, $160 million will be allocated to Telehealth Ontario, additional COVID-19 monitoring and testing equipment, and virtual care upgrades. Health Minister Christine Elliott also announced that the merging of Ontario’s Local Health Integration Networks into the province’s new super agency, Ontario Health, is being postponed in light of the pandemic response.

The federal government last week also issued an alert warning Canadian health organizations about the spike in ransomware attacks.

Managed services providers like Long View Systems that have close ties with the public sector across the country are noticing the additional spending on healthcare infrastructure behind the scenes.

“We’re actually working with a couple of our partners [in healthcare] to move forward on some rapid deployments, especially in the arena of virtual care,” Dave Frederickson, executive vice-president of Long View Systems told the publication this week.

But there are a few basic steps Canadian healthcare organizations can take right to minimize their exposure to threat actors, according to Qureshi, especially the hundreds of organizations flying blind without the guidance of an MSP or technology partner.

Quick facts

·       According to data gathered and analyzed by Atlas VPN, the number of phishing websites spiked by 350 per cent during the coronavirus pandemic

·       In January, Google registered a total of 149,195 active phishing websites. In February, the number increased by 50 per cent, reaching 293,235 of registered phishing websites

·       The number of coronavirus-related phishing websites hit a total of 316,523 in March

·       The number of suspicious websites, containing COVID-19 related keywords peaked on March 21, hitting over 67 thousand

“We understand that a lot of organizations are having to develop an application very quickly in a matter of a week, so we are asking organizations to please, at minimum, do some kind of ethical testing on the website especially if you’re accepting patient intake forms online,” he said.

Qureshi also encourages health care organizations to strongly consider tools such as Microsoft Office 365 and the crisis management tools included within.

“Microsoft has done a very good job of setting up crisis management tools and we’re asking organizations instead of developing your own, take a look at these cloud providers and what they’re
offering. Sure, it’s free right now and it might not be later, but you have to consider the tools that are available right now. We’re not being paid by Microsoft to say that, but we have to offer good guidance and recommend tools we believe are secure.”

Kaspersky recently announced the free availability of some of its endpoint security products for health organizations, which includes Office 365.

And lastly, Qureshi stressed the importance of not giving broad access to data across the organization and think long and hard about role-based access controls.

“There are a lot of other points, but these basics are top of mind right now,” he said.

By: Alex Coop | @itsjustalexcoop