A Portal to Danger
With the pandemic in 2020, it’s safe to say that healthcare changed forever. While many hospitals and care facilities had previously been distant to overhaul their telehealth services, the need for locked-down health facilities quickly shifted priorities. Patient portals rapidly became more common as they serve as a way for patients to communicate with providers, receive health advice, and access their treatment-related documents while reducing the risks of exposure.
But as Mike Wilson points out for Forbes, there is a dangerous undercurrent running beneath many of the new healthcare-related technologies: cybercrime. Over the past decade, threat actors of many types have identified the healthcare industry as a treasure trove of valuable data, including personally identifiable information (PII). In 2020, ransomware attacks cost the industry over $20 billion just in downtime.
How did this happen so dramatically, and so quickly? The answer may be found in the now-numerous patient portals.
When the chaos of the pandemic spun healthcare facilities into overdrive, patient portals became a way to address the ongoing need for contactless communication—but because the adoption of systems was so fast, security was often an afterthought. With data being exchanged through personal devices and health networks, and the lack of security present in the new patient portal systems, threat actors latched on to the many vulnerabilities.
In many cases, attacks were easy because of the well-meaning design of the patient portals. Due to the desire to make access straightforward and friction-free for patients, the portals are most often only secured by a password, which as many industry experts will know is a vulnerability. When people use weak or compromised passwords, the system becomes a prime target for threat actors.
One of the most common techniques used is credential stuffing, where bots are programmed to use previously stolen credentials to try to access the system. The goal of these attacks is to harvest information—including more credentials, PII, financial records, and International Mobile Equipment Identity (IMEI) numbers, just to name a few. Often threat actors will use a software technique called data scraping to facilitate their theft.
Many pieces of stolen information can have massive chain reactions. For example, now that threat actors are harvesting IMEI numbers—which are linked to a specific user’s phone—this can result in the attacker gaining access to two-factor authentication methods. In these SIM-swapping attacks, the threat actors will be able to intercept one-time codes sent to the user’s device, meaning they can dive even deeper into their other accounts.
It’s clear that for everyone’s safety, from patients to providers, we need to revamp the security around telehealth and patient portals. Here are five steps to help defend against cyberattacks.
Healthcare providers want their patients to be safe and healthy. But part of being safe and healthy is making sure that personal information is kept secure, and healthcare organizations are responsible for doing so. With e-health and patient portals becoming more ubiquitous, we must tackle the security vulnerabilities now. As healthcare providers will know, prevention is a better strategy than late treatment.