The past few months have seen a marked increase in cybercrime activities aimed at exploiting the chaos and disarray that has arisen as a result of the COVID-19 pandemic, particularly in the field of healthcare. This threat prompted senators Richard Blumenthal, Mark Warner, Edward Markey, Tom Cotton, and David Perdue to send a joint letter on April 20, 2020, to Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency (CISA) at the US Department of Homeland Security, and General Paul M. Nakasone, commander of the US Cyber Command (USCYBERCOM), urging CISA and USCYBERCOM to take all necessary measures to protect hospitals, medical researchers, and other health institutions during the coronavirus pandemic.
In the letter, the senators wrote, “In recent weeks, Russian, Chinese, Iranian, and North Korean hacking operations have targeted the health care sector and used the coronavirus as a lure in their campaigns.” In referring to a recent report about the Chinese hacking group APT41, the letter went on to state, “This latest campaign sought to exploit several recent vulnerabilities in commonplace networking equipment, cloud software, and office IT management tools—the same systems that we are now more reliant on for telework and telehealth during this pandemic.”
The cybersecurity of the U.S. healthcare industry is now coming to be fully understood as a matter of national security. Moreover, the letter from these senators makes it clear that the threat landscape is populated with powerful and sophisticated actors who are as ruthless as they are relentless. As our dependence on the benefits and advantages of telehealth continues to grow, it is unfortunately quite certain that the frequency and complexity of cyberattacks against telehealth systems will also continue to expand.
Evaluating Threats to Your Telehealth Environment
While there’s been a great deal of focus and attention lately on video conferencing technology and its application to telehealth, not all telehealth deployments require video conferencing; some are audio-only. There are telehealth applications for Telerehabilitation, Telepsychiatry, Teledermatology, Teleophthalmology, Teleoncology, Teleobstetrics, Tele-ICU, Teleradiology, and Telecardiology.
Telehealth deployments typically involve three entities working together – the telehealth platform provider, the healthcare delivery organization (HDO), and the patient – which means you cannot completely assess the threat to a telehealth system without carefully examining the telehealth platform and its environment, the healthcare provider’s environment, and the patient’s environment. Adding to the complexity is the fact that each environment has its own layers of complexity, somewhat like a Russian Doll. Of course, you can consider each in isolation when a situation calls for it; however, you’ll never have a complete picture of the threat without considering the sum of all parts.
In order to build an adequate defense, you must have a clear understanding of the threats you will be required to confront. This is where threat modeling becomes a useful tool. While there are several possible approaches to threat modeling, one widely recognized approach is known as STRIDE. STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevated Privileges. The STRIDE approach to threat modeling was invented at Microsoft Corporation and documented in 1999 in an internal paper written by Loren Kohnfelder and Praerit Garg titled, “Threats to Our Products.” However, STRIDE wasn’t made publicly available for over a decade.
This past Thursday, April 30, the Department of Health and Human Services (HHS), Health Sector Cybersecurity Coordination Center (HC3), released a report titled, “Threat Modeling for Mobile Health Systems,” featuring STRIDE as a threat monitoring approach for mobile health systems. Mobile Health (mHealth) is one of four approaches to Telehealth described by the Center for Connected Health Policy (CCHP), the others being real-time interactive services, store and forward services, and remote patient monitoring. The HC3 Report gave illustrations of how mHealth cybersecurity (and by extension any telehealth cybersecurity) threats could be modeled through an analysis of each system component using STRIDE. Threats due to spoofing (impersonation) attacks, system tampering (both internal and external), repudiation (i.e., the ability of an attacker to elude audit and detection), unauthorized access or disclosure of sensitive information, and the threat to data security due to an unauthorized elevation of privileges (both internal and external) can be applied to all components of a telehealth system.
STRIDE is an excellent starting point that has the advantage of being useful to non-experts as well as experts due to its clear, straightforward approach. Keep in mind that STRIDE is intended to be used as “the first step in a proactive security analysis process” (Kohnfelder, 1999).
Responding to an Ever-Evolving Threat Landscape
Unauthorized access to a telehealth system (be it locally or remotely) not only threatens the confidentiality of patient information but also has the potential of compromising the availability and integrity of patient care, once again affirming that Cyber Risk Management in healthcare is a patient safety issue. Some recommended guidelines in responding to the telehealth cybersecurity landscape include:
- Follow NIST standards by implementing the NIST SP 800 series and the NIST Cybersecurity Framework
- Thoroughly assess the risk for each component that creates, receives, maintains, or transmits ePHI within your telehealth networking, infrastructure, and data storage environment
- Understand and rate the risks to your telehealth assets from highest to lowest based on likelihood and impact
- Design and implement a risk response program to accept, avoid, transfer, or mitigate those risks, taking steps to remediate those risks which are above your organization’s risk threshold
- Continue to monitor, assess, and respond (in as real-time as possible) to an ever-evolving threat landscape through ongoing risk analysis and risk management
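One way to record a per-component STRIDE analysis across the three telehealth environments and rank it by likelihood and impact, as the guidelines above describe. This is an added example, not taken from the original article or the HC3 report; the 1-to-5 scales, the threshold of 10, and the component names and ratings are constructed assumptions.

```python
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevated Privileges")  # named as in the article

@dataclass(frozen=True)
class Threat:
    environment: str  # platform provider, HDO, or patient
    component: str    # handles ePHI in that environment
    category: str     # one STRIDE category
    likelihood: int   # assumed scale: 1 (rare) to 5 (almost certain)
    impact: int       # assumed scale: 1 (negligible) to 5 (severe)

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {self.category}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

def rank(threats):
    """Highest risk first; ties broken by impact."""
    return sorted(threats, key=lambda t: (t.score, t.impact), reverse=True)

def needs_response(threats, threshold):
    """Ranked threats whose score is above the organization's risk threshold."""
    return [t for t in rank(threats) if t.score > threshold]

def unassessed(threats, components):
    """STRIDE categories not yet examined for each (environment, component)."""
    seen = {}
    for t in threats:
        seen.setdefault((t.environment, t.component), set()).add(t.category)
    return {c: [s for s in STRIDE if s not in seen.get(c, ())] for c in components}

# Constructed sample register: components and ratings are illustrative only.
COMPONENTS = [("platform", "session broker"), ("HDO", "clinician workstation"),
              ("patient", "mobile app")]
REGISTER = [
    Threat("platform", "session broker", "Denial of Service", 3, 5),
    Threat("platform", "session broker", "Spoofing", 2, 4),
    Threat("HDO", "clinician workstation", "Elevated Privileges", 3, 4),
    Threat("patient", "mobile app", "Information Disclosure", 4, 4),
]

if __name__ == "__main__":
    for t in needs_response(REGISTER, threshold=10):
        print(t.score, t.environment, t.component, t.category)
    print(unassessed(REGISTER, COMPONENTS))
```

The `unassessed` output is the part a ranked list alone hides: it shows which STRIDE categories have not yet been considered for each component, so an empty result for every component means each one has been examined against every category.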
Critical tools for monitoring, assessing, and responding to threats include:
- Internal & External Vulnerability Assessment–Identify weaknesses in your telehealth environment and understand how they can be exploited by malicious actors to gain access to those systems and possibly other connected devices within your network. Pay special attention to vulnerabilities posed by cloud services and the Internet of Things (IoT) devices.
- Wireless Security Validation–Conduct regular vulnerability assessments and penetration testing of your wireless network, including access points and controller configurations.
- Network Architectural Assessment–Evaluate the design of the infrastructure and technologies that interface with your telehealth environment(s). The goal is to ensure a synergistic defense and an in-depth cybersecurity posture of all your assets.
- Penetration Testing–Conduct a series of authorized simulated attacks on your telehealth systems to evaluate the effectiveness of existing security safeguards. Use a risk-based approach to develop effective safeguards to remediate security weaknesses.
- Web Application Testing–Identify security flaws and weaknesses that could allow damaging compromises or disruptions to public-facing web applications and services. Leverage the latest OWASP (Open Web Application Security Project) testing standards to assess web application security defense posture of your telehealth systems.
- Security Awareness Assessment–Assess the effectiveness of your security awareness training by simulating attacks that attempt to exploit the human factor in your telehealth program. Conduct phishing, pre-texting, and other social engineering evaluations focused on telehealth participants.
Going back to the idea of Russian Dolls, when evaluating the threat to telehealth platforms and deployments, organizations must conduct a systematic assessment of all their telehealth vendors and related subcontractors, especially those with access to protected health information. Organizations also need to classify the risks associated with each vendor based on a predetermined range of factors arrived at as a result of telehealth governance and planning.
It is essential to expand, intensify, and continuously improve your vendor risk management program through the enforcement of telehealth governance and technology oversight processes. Four areas that are vital to building an effective and scalable vendor risk management program are:
- Defining policies and procedures for monitoring vendors on a continual basis.
- Consolidating existing vendor profiles and contracts into a single data repository.
- Closing critical vendor data gaps (e.g., unsigned, expired, or missing business associate agreements, service level agreements, purchase contracts, and periodic vendor reviews or security assessments).
- Producing detailed analytics and reporting that reflect how vendor risk profiles are changing over time.
While it is understandable that many organizations have limited resources to put toward these efforts, conducting an end-to-end Vendor Risk Assessment is just too important to ignore when it comes to something as complex as the field of telehealth and the emerging threats on the horizon.
At Clearwater, we have experts ready to assist your organization with the risk analysis and risk management, technical testing, and vendor risk management work necessary to protect your telehealth environment using a lifecycle management approach. Reach out to our team at info@clearwatercompliance.com with your questions and concerns.