Even before the novel coronavirus pandemic, which forced healthcare organizations to shift rapidly to providing patients with remote care and telemedicine, the healthcare industry had already embraced the cloud, as well as the digital transformation of its technology systems and business models.
The result for healthcare cybersecurity teams is a much larger, more dynamic and ever-increasing attack surface that they must protect at a time when cyber-criminals are targeting healthcare organizations more than ever before. One of the reasons criminals target healthcare data is that it is so valuable on underground markets. As we covered in The Five Biggest Challenges in Healthcare Security Right Now, a Social Security number may fetch $1 on the dark web, while a driver's license may get $20. Medical records, however, will get up to $1,000 depending on how complete the information is. The only other data that equals or surpasses healthcare data in value among criminals is a U.S. passport, which can fetch $1,000 to $2,000.
With the heightened value of healthcare data and the increasing business-technology healthcare attack surface, organizations in the healthcare industry need to be aware of the most significant cyber attack risks and threats they face in the years ahead. Here they are:
The continuing ransomware plague
Ransomware remains one of the most popular attacks against healthcare security organizations. The ransomware threat rose so high during the novel coronavirus pandemic that the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a rare joint cybersecurity advisory that warned U.S. hospitals and healthcare providers of ongoing ransomware attacks. "The CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. CISA, FBI, and HHS are sharing this information to provide warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats," the advisory stated.
Last year, colleague Silviu Stahie covered a related survey that found that a whopping 172 healthcare cyber attacks were successful in the past four years. The overall cost of these attacks was estimated at $157 million. The actual cost is likely higher since few institutions report payments or final costs, Stahie concluded.
In their advisory, CISA, the FBI, and HHS advised organizations not to pay ransoms, as doing so not only fuels additional criminal activity, but many organizations don't successfully regain access to their files after payment. They also advise that data be backed up regularly, and that backup copies be kept air-gapped, password-protected and offline.
The advisory also asks healthcare providers to focus on staff security awareness and training. Because end users are targeted, healthcare organizations should "make employees and stakeholders aware of the threats—such as ransomware and phishing scams—and how they are delivered. Additionally, provide users training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities," it stated. The advisory also stressed ensuring employees know who to contact and how to contact them in the event of an attack.
While the healthcare industry will constantly be attacked with ransomware, how ransomware attacks are conducted against healthcare organizations will undoubtedly change. Earlier this summer, our Filip Truta wrote that ransomware gangs are increasingly employing double extortion techniques. As pioneered by the now-defunct Maze Team, these schemes coerce victims to pay by stealing their data before encrypting it and then threatening to publish that data if ransom demands are ignored.
"It worked so well that, throughout 2020, ransomware aggressors using strains like Sodinokibi, Ryuk, DopplePaymer, and Egregor all started using this novel coercion scheme to extort their victims," Truta wrote.
Denial-of-service attacks block healthcare availability
While ransomware, for good reason, gains most of the headlines, it isn't the only type of extortion attack healthcare organizations must guard against. Denial-of-service attacks have also long been part of extortion-type attacks. With these attacks, however, instead of encrypting data and demanding payment before providing the recovery key, criminals knock services offline through some type of disruptive attack. Essentially, Denial of Service (DoS) attacks make some IT asset — anything from a server or web application/site to an IoT device (such as a networked medical device) — unavailable for use.
While there are many different types of denial-of-service attacks, such as SYN Flood and SMBLoris, they are essentially variations on flooding an asset with traffic to overwhelm the device to the point that the service it is expected to provide is "denied."
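The flooding mechanism described above, shown as an added example that is not part of the original post: a small defender-side detector that reads connection-state log lines and flags targets accumulating many half-open TCP handshakes (SYN received, never established), which is the footprint a SYN flood leaves. The log format, addresses and threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of connection-state events (not real traffic).
# Assumed format: "<timestamp> <state> src=<ip> dst=<ip>:<port>".
SAMPLE_LOG = """\
2021-11-02T10:00:00Z SYN_RECV src=198.51.100.7 dst=10.0.0.20:443
2021-11-02T10:00:00Z ESTABLISHED src=198.51.100.7 dst=10.0.0.20:443
2021-11-02T10:00:01Z SYN_RECV src=203.0.113.11 dst=10.0.0.20:443
2021-11-02T10:00:01Z SYN_RECV src=203.0.113.12 dst=10.0.0.20:443
2021-11-02T10:00:01Z SYN_RECV src=203.0.113.13 dst=10.0.0.20:443
2021-11-02T10:00:02Z SYN_RECV src=203.0.113.14 dst=10.0.0.20:443
2021-11-02T10:00:02Z SYN_RECV src=203.0.113.15 dst=10.0.0.20:443
2021-11-02T10:00:02Z SYN_RECV src=198.51.100.8 dst=10.0.0.30:8080
2021-11-02T10:00:03Z ESTABLISHED src=198.51.100.8 dst=10.0.0.30:8080
"""

LINE_RE = re.compile(r"^(\S+) (\w+) src=(\S+) dst=(\S+)$")


def half_open_by_target(log_text):
    """Return {dst: set(src)} for handshakes that reached SYN_RECV
    but were never completed (no later ESTABLISHED event)."""
    pending = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, state, src, dst = m.groups()
        if state == "SYN_RECV":
            pending[dst].add(src)
        elif state == "ESTABLISHED":
            pending[dst].discard(src)  # handshake completed: no longer half-open
    return {dst: srcs for dst, srcs in pending.items() if srcs}


def flag_syn_flood(log_text, threshold=5):
    """Targets whose number of distinct half-open sources meets the threshold.
    A normal client that completes its handshake never contributes."""
    return sorted(dst for dst, srcs in half_open_by_target(log_text).items()
                  if len(srcs) >= threshold)


if __name__ == "__main__":
    print(flag_syn_flood(SAMPLE_LOG))  # → ['10.0.0.20:443']
```

In production the same logic would run over a sliding time window and on data from the firewall or load balancer rather than a static string.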
There are many reasons why attackers conduct distributed denial-of-service (DDoS) attacks. Sometimes attackers want to make a political statement and use the attack to knock their target offline to draw attention to some perceived wrong or political position. Other times the DDoS attack is designed to extract an extortion payment from the victim before access to the disrupted services is restored. When it comes to healthcare organizations, DDoS attacks can be especially troublesome. While they obviously can place patient data at risk of exposure, they can also stop systems used to schedule appointments or keep doctors locked out of the systems they need to deliver care — therefore placing lives at risk.
That makes it critical that healthcare organizations know how to withstand DDoS attacks. Our Razvan Muresan's post, DDoS Attacks on the Rise — Here's what Companies Need to Do, covers many of the steps all organizations, including healthcare providers, can take to improve their DDoS protections. The Center for Internet Security has a guide that details specific steps organizations can take to mitigate the impact of specific DDoS attack types.
Phishing for credentials and data
Phishing attacks continue because they work. For decades now, the most successful way to compromise a business has been simply sending malicious emails and waiting for someone within the organization to click on a malicious link or open a malicious attachment, which is why phishing remains one of the most dangerous attack vectors.
Consider a survey conducted by the Healthcare Information and Management Systems Society (HIMSS) in 2020, in which 57% of respondents stated that phishing attacks had targeted their organizations. The 2020 HIMSS Cybersecurity Survey found phishing to be "the most common type of significant security incident" among its healthcare survey respondents. Phishing, whether general phishing or spear-phishing, is the typical initial point of compromise.
In an analysis provided by HealthITSecurity.com, The Phishing Problem in Healthcare, of the 676 active healthcare data breaches under investigation at the time, 42% involved email. What makes matters worse is that many staff members aren't sure what a phishing email looks like, as our Filip Truta previously covered.
So, what can healthcare organizations do to help mitigate the risks of phishing attacks? First, they can provide all of their employees security awareness training. And not just once and done, or once a year — but regular prompts through training, webinars, newsletters, and reminders. Another is requiring multi-factor authentication to access applications and IT services. That way, even if an employee hands over their credentials, the attackers will also need to find a way to bypass the stronger authentication. Of course, some phishing attacks will be successful, so endpoints must be protected with antimalware and endpoint detection and response software.
Attacks on healthcare web applications
As healthcare providers continue to digitally transform their organizations, the number of web applications they rely upon grows. Unfortunately, the number of web applications with security-related flaws is high in healthcare. According to the State of Software Security (SOSS) report from web application security vendor Veracode, 75% of applications within the healthcare vertical have a security vulnerability.
According to an analysis provided by Hope Goslin at Veracode, like most companies today, those in healthcare are trying to adopt secure coding practices, especially in DevOps environments. The good news for healthcare web application security is that these organizations regularly scan their applications for vulnerabilities and follow a consistent scanning schedule. The healthcare industry ranks second in the median time it takes to remediate security-related flaws.
Attackers will continue targeting web applications because that's where enterprise data resides.
To improve application security, healthcare organizations must adopt DevSecOps practices within their development processes, including conducting code security reviews earlier in the development cycle and increasing collaboration between security teams and application development teams. They should also regularly scan their applications for vulnerabilities and build effective patch management processes. Periodic penetration tests should also be conducted to test the efficacy of web app security and intrusion detection capabilities.
The attacks on healthcare clouds continue
Digital transformation efforts also mean that healthcare organizations are embracing the cloud in record numbers. According to a recent study conducted by IDG, the top three security challenges for healthcare IT are cloud security (46%), which tied with the security of connected medical devices (46%) and outweighed the remote and mobile workforce (36%).
In that survey, 53% admitted they suffered a data breach within a cloud system over the past year. And 34% of those healthcare providers who did experience such a cloud data breach said the incident cost at least $2 million, sometimes more. Nearly half, or 47%, said they were the focus of a malware attack that targeted their cloud systems.
How should healthcare organizations improve cloud security? A lot of it has to do with maintaining basic cloud security hygiene. Healthcare organizations need to understand what cloud services are running in their organization, where their patient and other critical data are running, and ensure that these third-party providers have mature security programs themselves. And just like with on-premises systems, it's crucial to manage access to these cloud services. That means effective identity and access management and multi-factor authentication designed to protect cloud services from phishing attacks that target those services.
No matter how diligently healthcare providers work to mitigate the threats that target these risks, there will still be successful attacks. This is why having a plan for effective incident response is so important. Such a plan must include proactively seeking potential threats within your systems and having the capabilities to respond to remove those threats and mitigate their damage.
In a recent post, Why Healthcare Cybersecurity is Needed to Address Rising Modern Threats, we detailed things healthcare organizations can begin doing right now to modernize and strengthen their cybersecurity efforts.