Rural Healthcare and the Catch22 of Cybersecurity

Rural America and Urban America can seem like two different worlds. Just look at the political map, or the disparity in wealth between ‘country folks’ and ‘city slickers’. Perhaps the most alarming difference, however, is the availability of basic healthcare services.

If you live in rural America, you could be 2- or 3-hours’ drive away from the closest renal dialysis center, or radiotherapy and chemotherapy clinic. You may also be several hours away from the nearest stroke or trauma center which in an emergency, could mean the difference between life and death.

As for many other medical services, rural Americans must make do with what is available in their community - a local midwife rather than a maternity hospital ‘new life center’ staffed with neonatal experts and incubators in case they are needed. Go into labor early or present as a high-risk pregnancy and be prepared to be ambulanced or worse, air-ambulanced at huge expense, to a city hospital where you and your infant can be properly cared for. Today, anything other than basic medical services usually means a long drive to the nearest city.

The trouble is, that what remains of rural health services is rapidly declining. Rural hospitals and entire rural health systems are closing, and those that remain open, are continuously reducing their specialist services, which may not be used enough to remain profitable or even to cover costs.

A new report from the American Hospital Association (AHA) states that 136 rural hospital closures have occurred between 2010 and 2021, and a record 19 closures in 2020 alone. Beckers, in a recent article reviewed a larger period claiming that nearly 200 rural hospitals have closed since 2005. What’s even more alarming is the pace of closure is accelerating. Eight rural hospitals closed in 2023, as many as in 2022 and 2021 combined, according to the Center for Healthcare Quality and Payment Reform's latest report. 2024 could be even worse, given the financial brinkmanship caused by the UHG Change Healthcare cyberattack. 

Just last month, the Eastern Plains Healthcare Consortium (EPHC) stated during its annual conference that 20% of rural hospitals in Colorado are at risk of closing. They require a 4% operating margin to replace equipment and maintain existing services, however, nearly all are currently running in the red, some as much as -17%. EPHC estimates that some 30 rural Colorado hospitals will be forced to convert to emergency only services as Emergency Rural Health Hospitals to save closing altogether.

Some of these hospital closures are the result of cyber-attack and in particular, one recent Illinois hospital closure is blamed upon a 2021 ransomware attack that prevented it from submitting claims to payers for months, killing its cashflow and financial viability. Another small hospital had its entire payroll stolen in a cyberattack preventing it from paying any of its staff and placing it in financial peril.

The Change Healthcare cyberattack earlier this year has exacerbated the plight of small providers and in particular rural clinics and physician practices. Many physicians are struggling to keep their practices afloat according to the American Medical Association (AMA) and even though UHG, the owner of Change Healthcare, has publicly said it will provide relief in the form of Temporary Funding Assistance to impacted providers, this is very selective, one-sided and fraught with caveats according to Richard Pollack of the AHA in a letter to UHG.

Challenges for Rural Healthcare Providers

Rural providers face many challenges: finances, through rural depopulation and a disproportionate number of rural patients on Medicare and Medicaid, general resource constraints, and huge difficulty attracting and retaining nursing, physician, and other staff. Most notable of these is the lack of trained and experienced cybersecurity staff to protect rural providers from an increasing volume of cyberattacks.

These hospitals run on a small number of IT generalists and often find it difficult to patch systems in a timely manner, let alone obtain the budget or expertise to implement security leading practices or the latest security tools and services. Many operate on end-of-life computer hardware and medical devices no longer supported by vendors. Compared to urban providers these hospitals are an easy target for criminals and are frequent victims of PHI breaches, ransomware, and other attacks.

Like their urban cousins, rural hospitals are undergoing a digital transformation to new clinical and IT systems. This involves the addition of more medical and other IoT systems including connected building management systems for HVAC, elevators, proximity door locks, CCTV cameras, and Pyxis drug cabinets. These systems dramatically expand the cyber threat surface and unless secured and maintained, can significantly elevate the risks of attack. But rural providers often lack the specialist skills to safely manage these systems. That is perhaps why, many are turning to a combination of Managed Services Providers (MSPs) and Managed Security Services Providers (MSSPs) to effectively outsource security and much of IT.

Rural Healthcare Needs Help   

MSPs and MSSPs will manage a large number of hospitals at the same time, and through a leveraged model can provide point expertise as needed in more or less any technology or vendor system. They can also implement advanced SaaS tools from Cylera and others to identify the growing number of connected assets and evaluate and prioritize risk remediation. Indeed, the incorporation of SaaS services is rapidly helping to drive improvements in rural provider cybersecurity, especially in medical device security, a growing problem for all healthcare providers.

The advent of managed services has become particularly important given a new assistance program for rural hospitals orchestrated by the White House and the AHA in June of this year. Microsoft and Oracle have agreed to provide free and heavily discounted cybersecurity resources to assist rural hospitals with access to many of their security tools and technologies. However, so far, relatively few rural hospitals are taking advantage of a free program designed to thwart ransomware attacks according to the White House this week. Only 350 of the 1,800 small and rural US hospitals are currently leveraging this assistance program.

It appears that without MSP or MSSP help, many rural providers are simply unable to accept or implement these discounted tools or utilize the free security assessments because they don’t have the manpower bandwidth to do so. This is the Catch22 of providing security assistance to rural health providers. Thankfully, for some, the MSP/MSSP buffer is helping to facilitate this today.

While near term improvements to rural hospital cybersecurity will be of great assistance in helping to reduce cyberattacks, there are still long-term structural problems of maintaining the continued presence of rural providers and access to healthcare services for rural communities. The healthcare industry faces many problems, not least of which is unmitigated cybersecurity risk. While urban providers can rely upon numbers to maintain services and a plentiful supply of cybersecurity talent nearby to avoid the worst of the attacks, rural providers face almost insurmountable challenges. This is undoubtedly a larger political question of healthcare reform that the next administration will need to prioritize.


A version of this blog was initially published here

Read More

Isn't it about time we secured BGP?

Border Gateway Protocol or ‘BGP’ as it is more often referred to as, has been a staple of internet routing since the heady days of 1989 when TCP was finally getting into its stride, and the internet as we know it, was in its infancy.

BGP enables routers to determine the most efficient paths for data to travel across networks to ensure scalability and efficiency. The protocol allows network backbone providers to announce routes across networks and is the primary routing protocol used to exchange routing information between different autonomous systems on the internet. The trouble is that like many things to do with the internet it was never really designed to be secure and this leads to all kinds of problems as we shall see.

BGP has been abused multiple times, since Al Gore claims to have invented the Internet. Joking aside - it was actually Vint Cerf and Bob Khan who are credited with the accomplishment, but BGP has suffered some pretty high-profile attacks that have caused outages, or even more alarmingly, to route traffic through a specific country – one known for its prolific cyber espionage practices.

In 2008, a Pakistani ISP wanted to block access to YouTube within Pakistan but accidentally announced a BGP route that led to all of YouTube’s global traffic being redirected through Pakistan. This caused a worldwide outage of YouTube for several hours, although YouTube has probably never been faster in Pakistan before or since.

Then in 2010, China Telecom “accidentally” advertised incorrect BGP routes that caused a significant amount of global internet traffic, including that of U.S. government and military sites, to be routed through China. Naturally, neither the US government nor the Department of Defense was very happy about that little so called “error”, especially considering at the time, not all government network traffic was being encrypted.

More recently in 2018 cybercriminals hijacked BGP routes for Amazon’s Route 53 DNS service to redirect traffic intended for MyEtherWallet, a popular cryptocurrency wallet service, to a malicious server owned by the perpetrators. The attackers then stole users' cryptocurrency by tricking them into entering their credentials on the fake site.

The White House naturally has been considering options to replace or upgrade BGP with an improved authentication scheme to remove opportunities for abuse and cybercrime, including any cyber espionage that nation states may be considering. Its proposed solution is the Resource Public Key Infrastructure (RPKI) - a security framework designed to enhance the security of BGP by providing a way to cryptographically verify the ownership of IP address blocks and the authorization of networks to announce specific routes.

To that end, the White House has released a guidance document for ways of improving upon BGP in a proposed roadmap to enhance internet routing security. This includes the adoption of new technologies including RPKI. As a government press release stated today, “these recommendations are of particular importance to the networks used by critical infrastructure owners and operators, state and local governments, and any organization dependent on internet access for purposes that the entity considers to be of high value.”

The press release went on to say that “by the end of the year, it is expected that over 60% of the Federal government’s advertised IP space will be covered by Registration Service Agreements (RSA), paving the way to establish Route Origin Authorizations (ROA) for Federal networks.”

The White House is obviously taking the risks of major BGP attacks very seriously and is looking to protect against these apparent threats immediately.

“Internet security is too important to ignore which is why the Federal government is leading by example by pushing for a rapid increase in adoption of BGP security measures by our agencies,” said White House National Cyber Director Harry Coker, Jr. “ONCD, along with our public and private sector partners, are guiding a risk-informed path forward towards our communal objective. We aim for this roadmap to mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans.”

The full roadmap can be read or downloaded in PDF here.

Read More