Difference between revisions of "Journal:Emerging cybersecurity threats in radiation oncology"

Revision as of 17:51, 22 February 2022

Full article title: Emerging cybersecurity threats in radiation oncology
Journal: Advances in Radiation Oncology
Author(s): Joyce, Christine; Roman, Faustin L.; Miller, Brett; Jeffries, John; Miller, Robert C.
Author affiliation(s): The University of Tennessee Health Science Center, Medical IT Advisors, University of Tennessee Medical Center
Primary contact: Email: rcmiller at utmck dot edu
Year published: 2021
Volume and issue: 6(6)
Article #: 100796
DOI: 10.1016/j.adro.2021.100796
ISSN: 2452-1094
Distribution license: Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International
Website: https://www.sciencedirect.com/science/article/pii/S2452109421001548
Download: https://www.sciencedirect.com/science/article/pii/S2452109421001548/pdfft (PDF)

Abstract

Purpose: Modern image-guided radiation therapy is dependent on information technology and data storage applications that, like any other digital technology, are at risk from cyberattacks. Owing to a recent escalation in cyberattacks affecting radiation therapy treatments, the American Society for Radiation Oncology's Advances in Radiation Oncology is inaugurating a new special manuscript category devoted to cybersecurity issues.

Methods and materials: We conducted a review of emerging cybersecurity threats and a literature review of cyberattacks that affected radiation oncology practices.

Results: In the last 10 years, numerous attacks have led to an interruption of radiation therapy for thousands of patients, and some of these catastrophic incidents have been described as being worse than coronavirus disease 2019's impact on healthcare centers in New Zealand.

Conclusions: Cybersecurity threats continue to evolve, making combatting these attacks more difficult for healthcare organizations, requiring a change in strategies, tactics, and culture around cybersecurity in health and radiation oncology. We recommend an "assume-breach" mentality (threat-informed defense posture) and adopting a cloud-first and zero-trust security strategy. A reliance on computer-driven technology makes radiation oncology practices more vulnerable to cyberattacks. Healthcare providers should increase their resilience and cybersecurity maturity. The increase in the diversity of these attacks demands improved preparedness and collaboration between oncologic treatment centers both nationwide and internationally to protect patients.

Keywords: cybersecurity, radiation oncology

Introduction

Modern image-guided radiation therapy is dependent on information technology and data storage applications that, like any other digital technology, are at risk from cyberattacks. In the fourth quarter of last year, America's healthcare institutions were subjected to a series of coordinated attempts to breach their cybersecurity defenses with criminal intent. Unfortunately, in some cases, these attempts were successful, resulting in a detriment to patient care. According to Cybercrime Magazine, global cybercrime damage in 2021 amounts to $16.4 billion a day, $684.9 million an hour, $11 million per minute, and $190,000 per second. [1] The World Economic Forum estimated that the likelihood of detecting and prosecuting perpetrators of cyberattacks in the United States is at a dismal 0.05%. [1]

In the fall of 2020, the U.S. federal government issued a joint advisory warning that the Cybersecurity and Infrastructure Safety Agency (CISA), Federal Bureau of Investigation (FBI), and Department of Health and Human Services (HHS) had credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. [2] More recently, the Director of the FBI compared the increase in ransomware attacks on U.S. infrastructure to the threat of the September 11 terrorist attacks. [3] In New Zealand, ransomware incidents have been recently labeled as having worse impacts on cancer patients than coronavirus disease 2019 (COVID-19). [4]

As the worst disruptions of the COVID-19 pandemic have passed (at least in some regions), the next pervasive disruptive threat to our medical profession appears to be cybersecurity risks. In light of this development, the American Society for Radiation Oncology's Advances in Radiation Oncology is inaugurating a special manuscript category devoted to cybersecurity issues.

Emerging cybersecurity threats in 2021

A study in 2014 showed that 94% of healthcare institutions have been victims of cyberattacks. [5] Based on a Medical Information Technology Advisors Threat Information Platform analysis [6] of incidents related to the Asia-Pacific region, the United States, and the European Union, as well as various other threat intelligence agencies' reports [7], the number of compromised business e-mail accounts and ransomware incidents arising from phishing or dark web-compromised credentials is growing and quickly becoming the number one risk for healthcare organizations. Recent years have seen an increase in phishing occurrences from "trusted" organizations or services that are being abused. Phishing e-mails will often dangle a financial reward or something too good to be true, combined with urgency or a strict deadline to perform an action. Other attempts may promise to show something exciting or forbidden, or threaten negative consequences or punishment. The phishing e-mail will often carry an unexpected attachment, a spoofed website, or a link to update your password. ("Call the sender to verify whether the e-mail is legitimate" is often the best course before taking any action.)
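The cues this paragraph lists (urgency or a deadline, a reward, a threat of punishment, a password-update link, a spoofed website, an unexpected attachment, and a reply path that differs from the apparent sender) can be turned into a first-pass triage score that a mail team runs before anyone acts on a message. This is an added example, not code from the article or its authors; the keyword lists, the risky-extension list and the sample message are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure wording the article lists: urgency or deadline, reward, threat, password update.
LURE_CUES = {
    "urgency": re.compile(r"\b(urgent|immediately|within \d+ hours|deadline|final notice)\b", re.I),
    "reward": re.compile(r"\b(reward|bonus|prize|refund|you have won)\b", re.I),
    "threat": re.compile(r"\b(suspend|suspended|terminated|legal action|penalty|locked)\b", re.I),
    "password": re.compile(r"\b(password|credentials|verify your account)\b", re.I),
}
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso", ".lnk")  # assumed list
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample lure (not from the article) showing several cues at once.
SAMPLE = """\
From: "Hospital IT Helpdesk" <helpdesk@example-hospital.org.account-check.invalid>
Reply-To: billing@freemail.invalid
To: staff@example-hospital.org
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<html><body>Your password expires today. Click
<a href="http://account-check.invalid/reset">https://portal.example-hospital.org/reset</a>
or your account will be suspended.</body></html>
"""

def _host(value: str) -> str:
    """Lower-cased domain of an e-mail address, or host of a URL."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()

def score_message(raw: str) -> dict:
    """Count the phishing cues present in one RFC 5322 message; higher means triage first."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    found = [name for name, rx in LURE_CUES.items() if rx.search(text)]
    sender = _host(parseaddr(msg.get("From", ""))[1])
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _host(reply_to) != sender:  # replies diverted to another domain
        found.append("reply-to-mismatch")
    for href, shown in ANCHOR.findall(text):  # link text shows one host, href another
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if "://" in shown and _host(shown) != _host(href):
            found.append("link-mismatch")
            break
    if any((p.get_filename() or "").lower().endswith(RISKY_EXT) for p in msg.iter_attachments()):
        found.append("risky-attachment")  # unexpected executable or macro-capable attachment
    return {"score": len(found), "cues": found}
```

The score is only a ranking aid for the person who then calls the sender; a routine scheduling notice with no lure wording and matching sender domains scores zero.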

The United States has seen an increase in ransomware, especially from ransomware-as-a-service groups using double and even triple extortion tactics. Data are encrypted and exfiltrated from the attacked healthcare organization, and then the attackers threaten to publish the data, directly extort patients, or launch a distributed denial of service (DDoS) attack. [8] In fact, the HHS' Health Sector Cybersecurity Coordination Center (HC3) has found that 60% of global cybersecurity incidents targeting healthcare providers during the first half of 2021 affected the U.S. health sector. [9] Ransomware incidents are becoming linked to data breaches because in at least 72% of ransomware incidents, victim data were leaked. [10]

In an analysis of 5,275 reported cybersecurity breaches last year, the number one method used was social engineering, with 85% of breaches involving a human element in a targeted organization. The threat to healthcare organizations in recent years has shifted from malicious internal actors to external organizations. Personal data, rather than medical data, is the most commonly stolen information in a security breach, with financial motivation behind 91% of attacks. [11]

Usual scam tactics, including fear-based themes, prove to be successful, with only a few changes in frequency and some techniques abusing legitimate services to bypass protections. Themes on COVID-19, the work-from-home initiative, registration renewals, secure document exchanges, and even local festivals are used to trick victims into allowing these attacks. Some of the COVID-19 themes used in e-crime phishing schemes during the pandemic include [12]:

  • exploitation of individuals looking for details on disease tracking, testing, and treatment;
  • impersonation of medical bodies, including the World Health Organization (WHO) and U.S. Centers for Disease Control and Prevention (CDC);
  • financial assistance and government stimulus packages;
  • tailored attacks against employees working from home;
  • scams offering personal protective equipment; and
  • passing mention of COVID-19 within previously used phishing lure content (e.g., deliveries, invoices, and purchase orders).

The existing disruptions in healthcare globally presented new vulnerabilities for cybercrime. [13] Some cybercrime organizations announced their intention not to intentionally impact healthcare organizations during the pandemic, although how well they adhered to those pledges is unclear. Other organizations, such as Wizard Spider, intentionally targeted healthcare organizations at the end of October 2020, a time of increased medical facility utilization, when hospitals and clinics were under increasing pressure from the start of the influenza season and the pandemic fall surge. These actions mirrored a similar approach used against other industries, one of deliberately targeting organizations during times of institutional stress, such as what occurred with educational institutions at the start of the 2019 school year. [12]

Malicious actors have made phishing and malware smarter using new techniques to bypass sandbox detonations (i.e., artificial network environments designed to trigger malware in a closed network), and are increasingly using "trusted" compromised accounts and services to launch their attacks. Third-party supply chain risks and the internet of things (IoT) environment make threat management complex and increase the attack surface. The World Economic Forum estimated that attacks on IoT devices soared by 300% in 2019. The increase in the number of individuals now working from home has added additional risks and increased the complexity of combating attacks. Healthcare organizations are typically attacked by well-organized crime organizations and state-sponsored actors. The predicted cost of ransomware damage in 2021 ($20 billion) is 57 times more than the cost in 2015. [1]

Finally, the lack of correlation, collaboration, and communication between service providers and their information technology partners increases the ease with which attackers can affect a wide range of targets. Organizations face at least 10 major cybersecurity risks today, including [14]:


References

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. Everything else remains true to the original article, per the "NoDerivatives" portion of the distribution license.