As the old saying goes, “haste makes waste,” and the field hospitals being set up around the world to handle the influx of COVID-19 patients are creating a lot of waste when it comes to their cybersecurity and the privacy of their patients’ data. The global COVID-19 pandemic has already created an air of tension that makes people vulnerable to scams that prey on their fear, and in the rush to create a surplus of treatment capacity, many countries are assembling field hospitals near hot spots using whatever they have on hand. Hospitals are already notorious for having poor cybersecurity practices (one need only look at the EternalBlue crisis to see the cost of that laissez-faire attitude), and being under tremendous pressure has not helped improve those practices.
Old, unpatched systems are pressed into service, which leaves the data stored on them vulnerable. That data represents a gold mine for any malicious actor looking to extract money from an individual. These vulnerabilities may also create the possibility of fines under the various privacy laws in the US, such as HIPAA or the CCPA, both of which require an entity to take the appropriate measures necessary to protect its data. Part of the issue is budgeting: hospitals are concerned with saving lives, not with a secure IT infrastructure, particularly in a crisis that is exacerbating existing supply issues and hampering procurement. Every dollar spent on new software licenses is a dollar that could have gone towards PPE, medication, and other life-saving supplies. As important as donations of masks, disinfectants, and gloves are, if you’re someone with the skills necessary to improve the security of your local healthcare facilities, why not give them a call and see if you can donate your time? While it hasn’t happened yet, an attack that shuts down or slows the technical infrastructure of the healthcare system would be devastating and would cost lives.