There’s never a good time for a health department to be hacked, but the middle of a historic pandemic is worse than most.

That’s what happened last month in Illinois, when the Champaign-Urbana Public Health District’s website was taken hostage by “ransomware,” a cyberattack that shuts people out of their own computers by encrypting their data and demanding payment in exchange for a key.

“That’s what keeps me up at night,” said David Mussington, professor of the practice at the UMD School of Public Policy and director of the Center for Public Policy and Private Enterprise.

Mussington is now at the forefront of the effort to ensure attacks like the one in Illinois don’t endanger the lives of patients across the world. He is part of two new groups—the international COVID-19 Cyber Threat Intelligence League and Canada’s COVID-19 Cyber Defense Force—that are bringing together hundreds of experts to share information and advise governments, hospitals and health care organizations on how to keep their networks secure in an opportunistic moment for bad actors.

It took three days and $300,000 of insurance money to regain control in Illinois, and similar problems have occurred around the globe: a cyberattack forced a hospital in the Czech Republic to postpone surgeries and turn away patients; Greater Paris University Hospitals foiled an attempt to overwhelm its computer system; a foreign state reportedly tried to overload U.S. Health and Human Services Department servers; and Spain’s hospital workers were targeted by a massive email campaign seeking to install dangerous software.

Earlier this week, Microsoft announced it was making a threat notification service free to health care providers and human rights and humanitarian organizations.

“The dangers are rising very quickly,” Mussington said.

He shared five key points about health care cybersecurity challenges with Maryland Today.

  • The coronavirus pandemic is empowering cyberattackers. While ransomware attacks have yet to spike in the United States, Mussington said, lots of people are buying up internet domain names related to COVID-19 and using them as a way to launch “spear phishing” attacks that trick people into installing malicious software. “There’s that opportunistic element,” he said.
  • Data protection will be crucial. From triaging patients with their health records to disease testing and vaccine trial results, the information held by hospitals and labs has to be constantly accessible, Mussington said. That’s why ransomware attacks pose the most formidable threat for a health system already stretched to its limit. “The loss of critical data or the failure of medical devices,” he said, “all add to the burden.”
  • Not all vulnerabilities are new. Hospitals and other health care organizations face many of the same budgetary constraints as other nonprofit and government entities, Mussington said, so their technology is rarely the newest and best. “I don’t consider the health care landscape worse (than other sectors),” he said, “but it isn’t better.”
  • Virtual connections are a target. Any medical device that plugs into the Internet—the so-called “Internet of Things”—is a potential hacking bullseye, Mussington said. In addition, as more routine medical checkups move online to videoconferencing applications like Zoom, health care providers need to make sure telemedicine visits with patients are secure. “That could be a very serious problem,” he said.
  • Best practices can be started immediately. Now is the time to enable multifactor authentication to prevent unauthorized log-ins and double-check to make sure system administrators have the right level of control, Mussington said. Extra vigilance should be applied to what emails are sent or received, and anything connected to a network should be taken off if it isn’t critical infrastructure. “If you don’t need to connect something to a network,” he said, “don’t.”