By Rob Falbo, vice president of healthcare solutions, Imperva.
In most industries, an IT service outage can lead to lost revenue. In the healthcare industry, disruption of network or application services impacts critical patient care. In the past year, non-human web traffic spiked dramatically, a trend that should be concerning for any healthcare organization.
Research conducted by cybersecurity company Imperva found that, in 2022, 35.8% of all US healthcare website traffic came from bad bots. These are malicious, automated software applications capable of high-speed abuse, misuse, and attacks. What’s more concerning is that 27.1% of bad bots were classified as “advanced.” This breed of bot is capable of using the latest evasion techniques, closely mimicking human behavior to avoid detection.
With bad bot traffic continuing to rise across the globe, it’s critical for healthcare organizations to understand the potential threat bad bots pose and the steps they can take to mitigate it.
How Attackers Are Hitting the Healthcare Industry
In February 2023, the US healthcare industry was put on edge as a spate of distributed denial-of-service (DDoS) attacks was carried out against various healthcare organizations by the pro-Russian hacktivist group Killnet.
DDoS attacks are designed to overload a network with traffic, making it difficult, even impossible, for patients to access essential services. The attacks are carried out by a collection of bots or hijacked machines, known as a botnet. This enables the attackers to harness the power of many machines and obscure the traffic source. Since traffic is distributed, it is difficult for security tools and teams to detect that a DDoS attack is occurring until it is too late.
There’s no sugarcoating it: cybercriminals are attacking the US healthcare industry. The FBI announced recently that healthcare suffered more ransomware attacks than any other industry in 2022.
For healthcare professionals, the ultimate goal is to provide safe and efficient patient care. Consistent and accurate access to electronic health records is a massive part of this objective, and any data disruption can harm it. Once a threat actor is inside a system, they can disrupt operations by exfiltrating data, locking or deleting files, and encrypting data until a ransom is paid. Healthcare organizations should be aware of the threat ransomware poses, no matter the institution’s size, and plan to protect their data.
A rampant threat
The focus on healthcare as a target for ransomware attacks has been building for some time. From 2016 to 2021, ransomware attacks against US healthcare organizations more than doubled. But now, cybercriminal gangs are becoming more innovative, using new techniques to get into networks, evade detection, and encrypt files.
In February, the Health Sector Cybersecurity Coordination Center warned healthcare systems of a new ransomware variant targeting the industry: MedusaLocker. Its operators took advantage of the COVID-19 pandemic to infiltrate and encrypt healthcare systems. Ransomware variants like MedusaLocker, Royal and Clop make healthcare their primary target because of the wealth of personal information available in these systems. Additionally, healthcare organizations often have less robust IT/cybersecurity departments than other industries, such as the technology or financial sectors, due to staffing shortages, lack of funds, and outdated tech.
But ransomware isn’t the only thing that can take down a healthcare practice. Natural disasters, such as flooding or inclement weather, or human error, such as an employee accidentally deleting an important file, can happen just as unexpectedly. All hospital IT departments and independent practices should have a data backup and recovery plan to protect sensitive electronic medical records and keep patient care running smoothly and safely. However, these departments often only have the resources to implement solutions that run unmonitored in the background. Without a proper plan, this leaves them vulnerable when data disruptions occur.
While all of this may seem disheartening, actions are within our control. Consider these steps to be prepared for when data disruption strikes.
Rural hospitals are facing an exorbitant amount of pressure, and the pressure doesn’t seem likely to subside any time soon.
Whether it’s the ongoing labor shortage, the constantly changing regulatory environment or other market forces, the headwinds, at times, seem insurmountable. Couple those concerns with the constant worries about cyberattacks and security vulnerabilities, and the moment seems even more challenging.
It’s not that rural health organizations can’t tackle any of the issues head-on. It’s more that rural health organizations often don’t have the staff or resources to address this topic.
As a result, security is often an afterthought. How rural hospitals and communities approach security presents a difficult dilemma: they are already vulnerable from a cybersecurity standpoint, and they become particularly vulnerable if their security posture is left unaddressed.
According to the Center for Healthcare Quality and Payment Reform, 150 rural hospitals nationwide closed between 2005 and 2019, and even more closed in 2020. While funding has helped slow the trend of closures amid the pandemic, rural providers still face challenges, partly because they have higher proportions of vulnerable patients, the elderly or the chronically ill.
However, rural health providers still have an arrow left in their quiver: technology. Increasingly, they’re turning to technology to ensure their staff can focus on delivering quality healthcare to patients without neglecting their most pressing needs, cybersecurity in particular.
Cybersecurity is the centerpiece of the path forward
Last year was among the worst years for ransomware attacks on healthcare. Healthcare is an ideal target; private health data is lucrative to sell on the dark web, and providers are more likely to pay ransoms with lives on the line.
Ransomware-as-a-service has also made it easier than ever to launch an attack, making it critical to invest in health IT platforms with built-in security solutions.
However, many rural providers cannot afford to invest in the same technology as their larger counterparts. They often face lean IT teams and limited budgets, constraining their investments and limiting what percentage of their budget they can spend on security.
Rural providers often find themselves on the unfortunate side of the digital divide, whether it’s clinician shortages or a suboptimal revenue cycle that results in a lack of capital. The result is that they may be unaware of the latest security updates, and even if they are, they often can’t implement them.
It’s not all doom and gloom, however. Rural providers can take steps to stay secure.
In recent years, the global healthcare industry has been under heavy attack by cybercriminals. The sector stands in fourth place among the most targeted industries, and one-fifth of its spending is dedicated to cybersecurity. The global healthcare cybersecurity market was valued at $12.6 billion in 2021 and is expected to expand at an annual growth rate of 18.3% from 2022 to 2030.
93% of healthcare organizations faced a data breach
The healthcare industry has suffered from significant growth in the number of cyberattacks. Forty-five million patient records were exposed in healthcare attacks in 2021, a number that has tripled in the last three years. One-third of all significant data breaches targeted hospital accounts.
Thirty-four percent of data breaches are related to unauthorized access to healthcare networks. Furthermore, 1.5 billion users’ personally identifiable information (PII) was leaked due to third-party violations in 2021. Ninety-three percent of healthcare organizations experienced a data breach in 2016-2019, and a quarter of physicians couldn’t identify the common signs of malware.
By Jamison Utter, director of product evangelism, Medigate.
Last year (2020) was a year of chaos, and one that demonstrated why robust cybersecurity is an essential priority for all healthcare organizations. From COVID-19 disruptions to rapidly increasing networks of managed and unmanaged devices, it’s never been more important to secure the critical infrastructure that forms the basis of clinical care.
This is easier said than done: after all, the growing reliance on digital platforms has opened opportunities for increased attacks and raised questions about data collection and privacy. Threats like Ryuk and other high-profile breaches made a notable impact on the industry’s understanding of cybersecurity, not only for their monetary implications but for the significant operational disruptions that these incidents caused. On a national level, we’re seeing care networks expanding alongside access to telehealth services and the implementation of remote patient monitoring tools, with significant amounts of PHI being broadcast and analyzed each day.
When looking at these trends, there are two immediate realizations that all healthcare leaders should understand: 1) the rate of attacks is only going to increase as healthcare operations become smarter and more connected, and 2) we need a better solution that works alongside clinical practitioners, biomed departments and organizational leaders even as it protects them from malicious attackers. For many of these concerns, the answer is Zero Trust, or more specifically Clinical Zero Trust (CZT), which is uniquely attuned to the needs of the healthcare industry.
What Is Clinical Zero Trust?
Zero Trust represents the concept of “trust nothing, verify everything” in terms of cybersecurity. It has since grown to represent a networking approach that centers the design and application of IT networks around the identity and access rights of users and their data. Clinical Zero Trust applies this same idea but to the cyber and physical environment of healthcare organizations.
Think of CZT as a strategy and not a technology; it is an end goal rather than a feature or ability. Cyber protections like firewalls and endpoint security solutions make up some of the offerings that help create a CZT environment. A typical healthcare organization has a security system that prioritizes protecting devices and data; CZT shifts the focus to protecting physical workflows, which are made up of the people and processes involved in delivering care.
This means the protected surface extends to the physical world, including everything associated with administering a procedure or delivering care. At first glance, it seems like an impossible task to protect physical things with cyber technologies, but in reality, looking at the clinical setting holistically makes it easier to identify interdependencies and develop strategies that will effectively protect the physical, business and digital processes that drive optimal patient outcomes.
There are two general types of cyberattacks. Spray-and-pray attacks don’t have a particular target. Attackers simply go into an environment and hope the worm or malware spreads. WannaCry, which crippled the U.K. National Health Service in 2017, was a spray-and-pray attack.
The recent attack on U.S. hospitals is known as an advanced persistent threat. This kind of attack is far more sophisticated and focused on a specific area, in this case the American healthcare system. We haven’t heard of a similar attack in Europe.
This attack doesn’t appear to have been staged for fun by a group of guys in a college dorm room. It’s a big attack. The FBI is telling American healthcare systems to block 150 IP addresses.
The Threat Ravaged Some and Left Others Unscathed
Some of the targeted healthcare organizations were severely affected by this recent attack. The malware landed on computers and moved very rapidly to encrypt hard drives, making the IT resources of these organizations essentially useless.
At least one impacted organization may have to build a new Active Directory environment and migrate everybody to it, slowly but surely. That’s a doomsday scenario. Active Directory acts as the very core of an organization’s identity. Without Active Directory, an organization can’t say for sure whether its IT environment, and thus the organization as a whole, is safe.
By Navin Balakrishnaraja, practice director for healthcare IT Services, All Covered (IT services division of Konica Minolta).
Technology continues to advance the healthcare industry, providing more precision and improved delivery of care. However, it’s more important and even more challenging than ever for organizations to secure patient information and keep health data safe.
Advancements in cybersecurity measures need to go hand in hand with privacy, and they remain a necessity. The frequency of data breaches in the healthcare industry has been on the rise, and healthcare is now the sector most targeted by cybercriminals.
According to the Ponemon Institute, the average cost of a healthcare breach was $7.13 million, a 10% increase from 2019. Healthcare has been a primary target in recent ransomware attacks, as the headlines have shown and as the media continues to report.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have received “credible information of increased and imminent cybercrime threats” aimed at hospitals and healthcare providers in the United States. They released an advisory on this targeted activity to all healthcare networks, warning that the targeted attacks appear likely to escalate.
Because of the immutable, high-value nature of electronic patient health information (ePHI), health data is a gold mine to cybercriminals. On the dark web, a single record sells for more than $400 on average. A large shift in ransomware deployment operations has taken place. Cybercriminals are like psychologists, staying one step ahead of tools and user sophistication. Many of them depend on malware, but the focus has been on gaining privileged access and exploring target networks to disable security processes.
Loaders start the infection chain by distributing the payload: they retrieve the backdoor from the command and control (C2) server, install it on the victim’s machine and execute it. This example shows what organizations are up against, as cyberattacks become more intricate in nature.
Recently, the hacking group Cozy Bear attempted to steal COVID-19 vaccine research from multiple organizations in Canada, the United States, and the United Kingdom. The hackers, reportedly under the employ of the Russian government, scanned targets for network vulnerabilities in an effort to infect them with network tracking and file exfiltration malware. This is not the first time research into the novel coronavirus has been a target, and it is unlikely to be the last.
On some level, this news is unsurprising, as healthcare has always been an attractive target for cybercriminals.
Patient data is a valuable commodity on the black market, often containing everything one would need to know in order to commit various types of fraud. Access to critical systems can be a literal case of life and death, and these systems are often so interconnected that an attack may spread like wildfire. Finally, many healthcare agencies lack the time and resources to prioritize cybersecurity to the degree that they should.
Yet this is also a unique situation. We are currently in the midst of a global pandemic, a period of heightened sensitivity and unprecedented digitization. People in all industries are exhausted and anxious, a combination which makes them particularly susceptible to mistakes.
Moreover, vaccine research is a priority for governments across the world. Each seeks to lessen the virus’s impact on their citizenry and economy, with many employing state-sponsored actors to give themselves a leg up. Rank-and-file criminals, meanwhile, are also perfectly willing to exploit the situation for their own gain.
At all levels, phishing campaigns remain the number one attack vector. There’s no need to waste effort trying to break through an organization’s defenses if one can simply trick an employee into granting access. Agencies researching the COVID-19 vaccine are particularly susceptible to targeted phishing attacks due to the collaborative nature of their work.