Protecting EMS From Cyberthreats

On December 14, 2018, a cyberattack against Pasquotank-Camden Emergency Medical Services (PCEMS) in Elizabeth City, N.C., affected more than 40,000 patient records. The damage was slight but troubling: According to Pasquotank County Manager Sparty Hammett, the hacker erased some files but made no demands. Still, it cost Pasquotank County about $14,600 to fix the problems by paying to switch from its existing billing software provider to a cloud-based alternative.

Compared to Baltimore, PCEMS got off lucky. On May 7, 2019, Baltimore was hit by a ransomware attack in which a hacker encrypted many of the city’s data-based functions (with some impact on EMS) and refused to free them unless a $76,000 ransom was paid. 

According to the Washington Post, this ransomware attack succeeded due to the city’s poor “cyberreadiness.” In other words, Baltimore had not ensured that all city computers were running up-to-date operating systems, nor that adequate cybersecurity procedures were in use. It also didn’t have duplicates of crucial files stored in secure locations.

“Basic cyber hygiene, were it in place, could have greatly limited the damage in Baltimore or stopped the attack altogether,” said the Post. “The ransomware, called RobinHood, worked only because city computers had not applied freely available software patches and were operating without effective backups.”

At the time of this writing, Baltimore was still dealing with fallout from the ransomware attack. In line with advice from the FBI, the city did not pay the ransom. But it has spent $10 million so far to mitigate the fallout, and more money will likely be needed to fix the problem.

These are just two of the many cyberattacks that are affecting EMS services. More are inevitable as hackers seeks ways to compromise both public and private computer networks.

Types of Hackers

There are many reasons for hackers to attack EMS networks.

Some do it for money—to steal users’ identities, access their credit cards, and in extreme cases inject ransomware into their systems in order to extort payments.

Some hackers attack EMS networks just for fun. They seek “bragging rights” and to boast about their feats among other hackers online.

A third class of hackers is sponsored by hostile governments. They attack public response networks to cause chaos. 

A rule of thumb: Who you are influences the kinds of hackers you will face. “According to the cybercrime security firm Positive Technologies’ 2019 Q1 report, each readiness model attracts a different attack profile,” explains Joshua Brandt, president of the IT consulting firm Brandt VX. “For example, the public sector is most susceptible (and mostly attracts) cybercriminals seeking to steal data. The private sector, specifically healthcare, attracts ransomware (also referred to as cryptolockers) where data is not necessarily compromised but rendered inaccessible until a payment is made.”

Common Cyberthreats

What kinds of cyberthreats should EMS agencies be concerned with? 

The answer is all of them—but with the knowledge that most threats are perpetrated by low-end operators using basic scams such as “phishing” (fooling people into sharing personal information and passwords). Such operators also try to exploit known weaknesses in popular operating systems such as Windows. These are weaknesses for which fixes have not been installed by PC users and IT departments (as happened in Baltimore).

“TV tends to portray cybercriminals as technical geniuses who cut through the most sophisticated technical safeguards with ease,” says Peter Rizzo, IT manager with MedStar Mobile Healthcare in Texas. “Those criminals do exist, but they are a small minority. The threats we see every day are not usually targeting our systems—they target our people.”

The most likely work-related threat an EMS agency and its employees will face is phishing. Criminals will try to convince users to grant them access to the agency’s network by clicking on a link purporting to be from a trusted source like another employee, friend/family member, or bank/corporate supplier. Once the hacker gets this access, they can get into medical records and patient files, accessing personal data and credit card information.

“If a bad guy can convince you he is legitimate, he can use you to get access to anything you can access,” says Rizzo. To make matters worse, “actual risks are increasing rapidly with the increased use of personal devices to access agency e-mail and the risk of losing agency-owned smart devices that may provide access to sensitive agency data.”

A second common threat is known as “social engineering,” which relies on the hacker getting actual physical access to computers and networks by exploiting human nature. 

“For example, an attacker may leave an infected USB thumb drive on the ground for an employee to find as they enter the office,” says Brandt. “In an attempt to find the owner, the employee plugs it into their work station and inadvertently uploads malware into the network.

“Another extreme case may be an attacker who sends a shipment of new keyboards configured with malware,” he continues. “The manager assumes they were purchased by the IT department and distributes them to employees, compromising the network.”

How EMS Can Respond

To repel cyberattacks—to achieve a state of true cyberreadiness—EMS agencies need to tackle this threat in a range of ways.

Cyberreadiness starts with employee education: teaching people not to fall for phishing e-mails and other hacker ploys—to think before they click on links. It also trains employees to turn over suspect USBs and other devices to the IT department without plugging them in, to avoid in physical infiltration by social engineering hacks.

“Human factors tend to be the greatest controllable risk to cybersecurity,” says Rizzo. “The two main things all EMS/first responders can do are to know who you are e-mailing and to report all suspicious e-mails to your IT department. Not every e-mail that claims to be from your CEO actually is. If you are in doubt, don’t reply and don’t click any links or open any attachments.” (The same is true for USB keys and other storage devices whose origins are unknown to you and for peripherals you didn’t order.)

The next step is to ensure all computers/servers on the network are loaded with the latest software patches as they become available—no exceptions. The IT person/department needs to spearhead this practice on an ongoing basis and ensure user computers are also loaded with regularly used antivirus/antimalware software.

The third step to achieving EMS cyberreadiness is to invest in education. “There are companies that will train and test all of your employees on security best practices,” Rizzo says. “You can Google security awareness training to find several.  For IT professionals there are many good security certifications and training courses. CompTIA Security+, Certified Information Systems Security Professional (CISSP), and Certified Ethical Hacker (CEH) are three popular certifications.”

One popular high-end course is CyberSec First Responder (CFR-310). This is a comprehensive certification ideal for EMS IT managers to enhance their cyberreadiness skills before, during, and after cyberattacks. (CFR complies with ANSI/ISO/IEC 17024 standards and is approved by the U.S. Department of Defense to fulfill Directive 8570/8140 requirements.)

Headquartered in Rochester, N.Y., CertNexus is a certification company that offers cybersecurity, IoT and AI certification prep courses through training partners worldwide. “This is an intermediate-level course aimed at IT professionals with 3–5 years of experience,” says Megan Branch, CertNexus’ chief product officer. “It takes people who have basic networking skills and helps them become cybersecurity professionals.”

Advice to EMS Agencies

There are three lessons to learn from this EMS cyberreadiness story.

Lesson #1—Cyberattacks come in a full selection of sophistication and stealth levels, from the most mundane phishing attacks foilable by wary staff to subtle state-sponsored attacks that require well-trained IT professionals to knock down.

Lesson #2—Since most cyberthreats are of the mundane variety, these can be countered by vigilant employees and properly updated/protected computers and networks.

The professionals’ advice: “Remember the human factors and treat training and repetition of cybersecurity just like you do safe driving!” says Rizzo. “Security incidents can be very expensive and damaging to the reputation of any agency. Implementing best practices now is the most effective way to avoid them.”

According to Brandt such best practices include:

• Removing old apps and canceling services no longer required to reduce the “surface area” available for hackers to attack.
• Using a non-cloud-based password manager program to contain staff’s uniquely complex passwords, rather than using simple ones that are easy to remember. Ideally, “passwords should be unique for each service, ridiculously long, and impossible to remember,” says Brandt.
• Third, organizations should always back up their data so they can restore it should their primary data be encrypted in a ransomware attack. “If a cloud solution is selected, end-to-end encryption with a zero-knowledge provider is essential,” Brandt says. “Never let anyone outside your organization hold your encryption keys.”

Lesson #3—Some level of cyberreadiness is doable for all EMS agencies no matter their size. Even a small agency can make a difference by educating staff, updating software, and backing up their files. This alone could have protected Baltimore from its multimillion-dollar ransomware headaches.  

James Careless is a freelance author and frequent contributor to EMS World.