Much like the previous year, ransomware was one of the healthcare sector’s biggest cybersecurity threats in 2020, spotlighting the need for proactive measures.
December 18, 2020 – In 2020, the resiliency of the healthcare industry was tested in terms of its response to two national crises: a global pandemic and hackers taking advantage of an oft-weakened workforce. Ransomware was yet again the biggest cybersecurity threat, a further reminder of the need for proactive security measures.
This evolution of ransomware is a sign of what’s to come in 2021, and those continuing a reactive cyber posture are at the greatest risk.
As the year draws to a close, the threat landscape for the healthcare sector mimics that of 2019: an overabundance of ransomware attacks and a range of phishing campaigns designed to give hackers a foothold on the network.
Ransomware reached its highest numbers in late 2019, but COVID-19 seemingly gave the sector a reprieve, as the number of reported victims quickly diminished and stayed low long into the spring. At the time, researchers warned that hackers were still targeting the sector in great force and that a resurgence of victims should be expected as the year progressed.
For those on guard, the multiple federal alerts warning of the ransomware wave came as no surprise. What is different, however, is the dominance of nation-state threat actors attempting to disrupt care operations and steal valuable data related to vaccines and treatments.
Now, as data extortion attempts occur in half of all ransomware incidents, and hackers have started to cold call their victims to hassle them into paying demands, an important question arises: Will 2021 mark the year that proactive security finally gains traction in the healthcare sector?
More importantly, can providers sustain their current cybersecurity model without greater investments?
Given the pace of change in cybersecurity, predictions are often wholly conjecture. Instead, HealthITSecurity.com spoke with Bruce Potter, Expel CISO; Mike Riemer, global chief technology officer of Ivanti; and Eric Friedberg, co-president of Stroz Friedberg and Aon’s Cyber Solutions Group, to address the healthcare sector’s greatest challenges and how to best defend against these threats.
THE NEVERENDING REIGN OF RANSOMWARE
Beginning in September, ransomware again asserted its dominance on the healthcare sector, after a relative lull in reported events during the spring. By the end of November, more than a dozen healthcare delivery organizations were driven into EHR downtime by the evasive threat.
Even as some bad actors increase their attacks’ sophistication, Riemer noted that at the end of the day, hackers are opportunistic in nature and able to pivot quickly across the network once they’ve gained a foothold.
Hackers will use anything to gain an advantage, including people, new networks, and especially COVID-19.
To Potter, Friedberg, and Riemer, ransomware and other opportunistic threats will continue well into 2021 as the healthcare sector continues its response to the COVID-19 outbreak. Those risks will only amplify as more entities migrate data to the cloud and under the stress of the pandemic.
Friedberg noted that those stressors may lead to data exposures due to misconfigured cloud and on-prem servers.
“For 2021, we can expect a continued uptick in ransomware, and in more cases we will see a doxing component in which the attacker threatens to publish exfiltrated personally identifiable information and protected health information, if the healthcare institution does not pay the ransom,” Friedberg said.
“A growing ransomware trend is for the attackers to disable victims’ incident response, restoration and recovery platforms and technologies, all with the purpose of further pressuring the institution to pay,” he added.
While nation-state actors are increasingly targeting the sector, he added that ransomware has remained the largest threat. Regardless of the attack method, similar security efforts can defend against these prominent threats.
And as the pandemic is largely handled during the first half of 2021, Potter predicted that there will likely be less interest in healthcare from those nation-state actors. Investments in this attack activity will likely cease altogether.
“That said, the knowledge they gained in the last year will likely serve them well in future intelligence and cybercrime operations against this sector, making them a perpetually dangerous adversary,” Potter concluded.
SERIOUS SECURITY SHORTCOMINGS AND RESOURCE FAILURES
The Department of Health and Human Services released an audit report gauging HIPAA compliance across the sector based on a sample of healthcare organizations. It found that the majority of providers are failing to perform required risk assessments and risk management processes.
As threat actors continue to hunt and exploit vulnerabilities, the risks to the sector have drastically increased in severity, and many providers are failing to keep pace with threats.
“Many of the small-to-midsize providers continue to face resourcing issues when it comes to implementing cybersecurity controls,” Potter explained. “Lack of funding and lack of staff mean that these organizations will continue to be relatively easy targets for attackers, and the critical nature of their services means that criminal organizations know that they are likely to pay up.”
For Riemer, healthcare’s greatest challenges are caused by budgetary constraints, staffing shortages, and a “lack of cybersecurity prowess with needed IT support staff.”
A decline in cybersecurity expertise has also been predicted for the coming year, and coupled with usability issues and multiple hacking exploits to get into the network, providers are struggling to adequately defend their networks.
A closer look at those threats shows that many entities are falling victim to attacks due to a failure to effectively block malicious phishing emails from employees’ accounts, explained Friedberg.
Others have failed to deploy effective visibility tools to better detect hackers moving laterally across their networks, while overall, there’s a lack of advanced malware detection capabilities on network traffic and endpoints.
Healthcare’s shortcomings also include password issues, a lack of enterprise forensics software and anomaly detection tools, and sub-par security monitoring or threat hunting. And some providers are still failing to segregate their data backups from the network.
But to Potter, the biggest security failure within the industry is a lack of needed workforce support.
“For the larger players, they are able to hire staff and buy the required tech to run reasonably secure organizations,” Potter said. “For down-market providers, particularly those in less urban parts of the nation, the situation is much more dire. Even with funding it will be difficult to first staff the required jobs and then actually build out the necessary security controls.”
“A national initiative to assist placing skilled cybersecurity staff in small- and mid-market healthcare companies would go a long way to closing this gap,” he added. “A shared responsibility model with the USG may be the only way to address this problem in the near term.”
TIME FOR ACTION
Collaboration is crucial for all levels of healthcare privacy and security, including with medical device security needs. Potter stressed there’s a serious need for greater assistance from both federal and state governments in terms of grants, financial incentives, and concrete cybersecurity guidance.
For many providers, security is a new domain, and as such, they lack a revenue model or organizational structure to successfully bolster cybersecurity across the enterprise.
“Money and lives are at risk, to put it bluntly. Some of the problems these organizations face go beyond what they can solve on their own,” explained Potter. “These entities should work with state and federal organizations already focused on healthcare and critical infrastructure security to make their case and get whatever assistance they can.”
“Hopefully those government organizations will be able to assist,” he added.
For Friedberg, patient privacy should be considered when making security-based decisions in the healthcare setting. From increased maturity in cybersecurity tools, to the processes and needed skills, these elements must be completely aligned with increasing patient privacy across the enterprise.
In general, cybersecurity obstacles are similar to those of patient privacy, including bandwidth unable to support new projects across complex and often sprawling infrastructure, Friedberg explained.
The ideal security model for healthcare is zero trust: an evolving set of network security parameters designed to narrow defense perimeters from the current wide state, to more individualized resources. The model was designed in response to an expanse of remote users and cloud-based assets not directly located within the enterprise network.
However, a host of misconceptions plague progress in this area, including the thought that the project is too broad in scope or too expensive to tackle. In fact, many providers already employ many of the tools needed to accomplish a zero trust model within their infrastructure, Riemer explained.
Those elements include two-factor authentication, encryption, endpoint posture assessments, evaluating connectivity, visibility into access management, and the like. As COVID-19 spurred the rapid adoption of telehealth, temporary care sites, and remote work, providers can meet the challenges of today’s security issues by employing a model of least privilege and other zero trust elements.
“The reality of the situation is that breaches and attacks are happening on a daily basis,” Riemer said. “Given the scale and size of the attacks, it’s imperative to act now. We only hear about the big attacks, and small ones go unnoticed, or the hacker will save the victim for another day.”
“One of the biggest things providers need to understand is that a lot of the technology available to them fits within a zero trust model,” he added. “Early 90s defense-in-depth security has gone through multiple iterations, and zero trust is just a later version. Companies don’t need to feel this is an overwhelming budget issue: it works with what you have in place or reutilizes system assets.”
Regardless of the security model or tools chosen to defend a healthcare network, what’s imperative is that best practice steps of some form are taken now. The threats seen this year have only begun to spotlight the inherent risk healthcare is facing. Hackers will not wait for the sector to play catch-up; instead, they’ll continue to take advantage of its mass weaknesses.