Modern healthcare is amazing. Hundreds of people, devices, and gigabytes of data are all harmonized to save lives and keep people healthy. Unfortunately, the very pieces that help keep us well provide a perfect hunting ground for threat actors.
Threat actors are attracted to the data rich environments in healthcare organizations. Patients, doctors, staff, students, consumers, healthcare research and government grants all contribute to making healthcare a desirable target for a variety of nefarious motivations.
Criminals and bad actors are leveraging a combination of traditional attack combined with more sophisticated target intelligence that requires organizations to embrace a layered defense approach to strengthen resilience to these threats.
The Threat Against Healthcare
We can see cybercriminal interest in this sector in the most recent data from the U.S. Department of Health and Human Services Office for Civil Rights breach portal. In June 2022 alone, providers reported 70 cyberattacks to the agency, and attackers are on track to surpass this number, with 37 attacks hitting healthcare as of July 21. The targets ranged from major medical facilities to individual medical practices and eye care centers.
Overall, about 50 million Americans had their personal healthcare data breached by hackers just last year.
Even though the threat is real and growing, the healthcare industry is not defenseless. There are steps it can take immediately to improve its threat posture.
- Improve Email Security – Email is the primary avenue used by threat actors to gain access to a network. Not just in healthcare but when attacking any organization. However, when it comes to healthcare, many attackers rely on business email compromise (BEC) as their primary weapon.
BEC attacks are when criminals send an email message that appears to come from a known source at an organization making a legitimate request, such as paying an invoice or asking for information. However, because the attackers often send the email in the persona of an executive, the worker does not double-check that the request is legitimate and simply carries out the act.
Medical facilities are busy places with individual staffers receiving hundreds of emails on a weekly basis, so it can be easy to slip in a malicious message. An attacker only has to fool one person to be successful. The FBI lists the usual tactics implemented during such a scam.
The good news is a proper email security solution, such as Trustwave's MailMarshal, can detect and block these emails as they come into an organization's email system. Additionally, training workers to be on the lookout for unusual email requests and that it's best always to confirm payments, money transfers, or requests for information outside of an email chain.
- Be Ready for Ransomware – Ransomware is potentially the most dangerous threat facing a healthcare facility, not just because it can damage or destroy expensive equipment. Such an attack can be lethal.
Sophisticated attackers now use a multi-prong approach when it comes to ransomware. Gone are the days when data was just encrypted, and money demanded for its release.
Now, the first step is the adversary gains entry to a system via an email scam, unpatched IoT device, or perhaps a vulnerability and removes critical medical and employee records. The system is then encrypted, locking the staff out of the data and sometimes necessary medical equipment.
If a hospital has solid backups and the ability to recover an infected system, the attackers then move to stage 2. They threaten to release sensitive data either publicly, where other criminals can gain access, or sell it on the Dark Web.
Trustwave SpiderLabs research has found threat actors selling a wide variety of records and access on the Dark Web. These include webshells, malware that usually allows an attacker to control a website remotely, upload, change or download content from those web servers without authority. The prices ranged from $2 to $17 for access to a specific healthcare facility.
Again, having a strong email security system in place can stop most ransomware attacks, or utilizing a Managed Security Service Provider equipped with a Managed Detection and Response solution, which is backed by skilled threat researchers and hunters, almost eliminates this threat.
- Bolster IoT Device Defense – Modern healthcare facilities utilize a great deal of connected medical equipment, which means they are highly susceptible to Internet of Things (IoT) attacks.
There are an estimated 450 million connected medical devices in use today across the world, and while citizens benefit from increased healthcare accessibility and improved care, these devices do come with security issues. Primarily, each device adds one more bit of area to the healthcare facility's attack surface that threat actors can exploit. Therefore, many medical devices must be patched with the latest software release. This task is difficult for some hospitals because it requires personnel, training and the ability to take the device out of service for a period of time.
Connected medical devices can make up 74% of a hospital's network devices. Yet, these devices are typically invisible in the eyes of traditional endpoint and network security solutions, according to Forrester Research on Medical Device Security. In addition, many IoT devices also come with pre-loaded admin login credentials that are known to threat actors and again, for the reasons just mentioned, take time to change.
- Harden Your Supply Chain – Suppliers and third-party partners also present a risk as outside entities often have access to or even house protected health information (PHI), personally identifiable information (PII), and other protected information.
This setup means a successful attack on a third-party vendor can still result in your organization losing data.
Trustwave, however, has vendor assessment tools within its Security Colony product that allows clients to vet their vendors. Unlike other security checks such as penetration testing, Security Colony Vendor Assessment does not require access to an organization's system. Instead, we can gather all we need from publicly available sources and let the client know if the vendor has any security issues.
- Adhere to Password and Credential Best Practices – The need to maintain a strong password program is obvious by the number of stolen login credentials found for sale on the Dark Web. In addition to the previously mentioned system access being sold, Trustwave SpiderLabs found leaked emails with login credentials and stolen browser sessions that allow adversaries to log into the healthcare facility's website all being advertised on the Dark Web.
To maintain a high level of security, organizations must insist users have complex passwords that are frequently changed. In addition, IT administrators should use unique, random "salts" when "hashing" stored passwords, whereby a piece of unique, random data is combined with each password before the hash is calculated.
To ensure these policies are followed, organizations need to perform password audits to determine where the weak links are in companies and finally, two-factor authentication is a must.
- Train Your Talent – All the best technology and processes, however, are next to useless unless an organization properly trains its staff. The human element makes the difference between having a successfully defended perimeter and one that an attacker can breach.
Because hospitals deal with life and death situations every day, it is imperative that its staff and security partners can quickly assess a situation and immediately take steps to mitigate the problem.
Trustwave has extensive experience working with healthcare clients to prepare them for a worst-case scenario attack. For example, with one healthcare client, Trustwave designed a custom tabletop exercise centered on a ransomware attack.
Throughout the session, the Trustwave consultants presented the ransomware scenario along with a series of variables, from the possibility of insider involvement to the leakage of patient data and the need to handle media inquiries as the mock incident becomes public. A significant component of the exercise is to simulate the sense of pressure and uncertainty of an actual incident. The crisis management team was prompted at various points during the response to answer questions that would demonstrate their thinking processes and how they might work together to contain the incident using the documented incident response processes while managing the operational impacts of the incident.
“Healthcare organizations are prime targets for threat actors. In a recent Wall Street Journal article, Trustwave client Children’s National Hospital shared its ‘code dark’ protocol to counter cyberattacks and secure the hospital and its patients. With advanced security controls and remote cybersecurity partners like Trustwave, Children’s National Hospital is a leading example for how healthcare organizations can stay safe in today’s connected environment.
- Test Your Defenses – Once your staff is as sharp as a spear and the technical side of the organization is locked down, the next step is to ensure it is working properly.
One way to check is through penetration testing. The first is a managed test that includes basic hygiene checks. Next is system scanning with actionable findings for remediation. Third are network and application penetration tests.
A security team can also conduct a physical penetration test by attempting to enter a facility and obtain information that it can later use for future attacks.
Finally, Be Prepared and Ready to Respond
Hospitals already know how to handle almost any medical emergency but, for various reasons such as security staffing shortages, budget, and knowledge, are in some cases woefully unprepared for a cyberattack.
However, the answer to this problem is already well known to those in the medical community. If a doctor does not understand what is wrong with a patient, they bring in a specialist.
The same holds true on the cyber front. Bring in an expert.
 (Source: The Forrester New Wave™: Connected Medical Device Security, Q2 2020.; June 11, 2020; Chris Sherman, Senior Analyst)