Different kind of virus: Hospitals, already strained by pandemic, find selves squarely in hackers’ crosshairs

Hospitals face the nightmare scenario of being overburdened by an invisible threat they weren’t prepared for.

The one besides the masses of patients infected by a novel coronavirus.

Hackers are setting their sights on the industry this year for fraud schemes, phishing attacks and other cybersecurity threats, preying on the march of more remote work options and electronic record-keeping systems into hospitals as well as the strain of a health crisis on these institutions.

Gerry Blass, CEO of Colts Neck-based hospital risk and compliance firm ComplyAssistant, said the precious data hospitals hold — and their reliance on information systems in day-to-day operations — can make them completely hostage to hackers in the event of an attack.

“The question becomes whether you have to shut down in that situation,” he said. “But, it’s also a pandemic, and where does a patient go if they can’t go to a hospital? It’s scary and overwhelming. It’s keeping hospital leadership awake.”

At a different point of the pandemic, hacking groups reportedly announced that they would be holding off from unleashing extortion attempts on health organizations until they got a handle on the virus situation.

But, late last year, the FBI, the Department of Health and Human Services and another federal agency warned of credible threats of imminent cybercriminal activity targeting the country’s hospitals that could lead to a “disruption of health care services.”

“Cyberattackers love to go after what they view as weaknesses, especially with phishing attacks and ransomware,” Blass said. “That happens to be how the health care industry is perceived right now. It’s now one of the top verticals being attacked.”

Blass, who served as information security officer at the former Meridian Health before launching ComplyAssistant in 2002, said his company has been gearing up hospital and health system partners with the right software and protections to try and safeguard their platforms.

The company, which mainly handles HIPAA compliance and other regulatory audits for organizations, has more than 100 clients nationally, including several systems in New Jersey.

Blass said it was around 2015 that there was an increase in cybercriminal focus on the industry, after major migrations of paper documents to electronic medical records for the first time for many organizations.

“Each year it has gone up and up — with the addition of new touch points and vulnerabilities,” he said. “It basically comes down to, how many locations do you have protected electronic health information? The more locations that get created, the more vulnerabilities there can be.”

Telemedicine and the remote workforce on the administrative side of health systems — which, as Blass pointed out, was a transition that happened extremely quickly — has added yet more vulnerabilities.

“At the same time, the health care industry has not dramatically increased their resources internally for (cybersecurity and privacy) budgets,” he said.

Today’s hackers hobble organizations with data-scrambling ransomware. It encrypts an organization’s compromised data until a high-price ransom is paid to the hacker, after which keys are provided to unlock the data.

Well-prepared organizations can bounce back in a matter of days from such an attack, Blass said. Other times, it can take a month or more, he added. That’s a problem, given that a lot of hospitals’ disaster recovery plans only cover up to three days of downtime.

In either case, organizations often pay up, Blass said. Otherwise, they’re threatened with patient data being exposed on the anonymous dark web.

“So, hospitals are in a pretty tough position there,” he said.

Hospitals and their connected health care systems have grown by leaps and bounds over the past few years due to new mergers and industry consolidation. When the digital fingerprint of two systems mix, that can, but doesn’t always, bring on new risks.

Even if a hospital does feel prepared, one of the largest risks — that cybersecurity experts often cite as a hazard across all sectors — is the high volume of third-party vendor programs used in the industry. For the past two years, the largest health care data breaches were allegedly caused by a third-party vendor.

In one example, hackers compromised Solarwinds, an information technology management firm that worked with Fortune 500 companies, governmental agencies and health care organizations.

Blass said it’s important to vet — and regularly vet again — vendor companies, as connectivity across different tech systems can bring vulnerabilities that are either real or just perceived as being so by hackers.

And perceived vulnerabilities can be just as bad — as it’s how hackers’ targets are sometimes decided.

“We hope that we’re helping the sector reduce those perceived vulnerabilities, as well as other companies like ours,” he said.