In addition to dealing with COVID-19 like everyone else, I’ve had some medical issues in the family that has greatly increased my interactions with healthcare providers. Dealing with cancer and Alzheimer’s isn’t much fun, but we’ve received quality healthcare provider services throughout for my loved ones. But access to quality healthcare services could be compromised due to cybersecurity threat actors.
About the Healthcare Sector
As I noted in my recent blog on the U.S. National Cybersecurity Strategy, the Biden administration believes more needs to be done to ensure that the critical infrastructure sector operators establish and maintain an adequate security posture given today’s threats. While there are 16 sectors designated as “critical” in the U.S., post pandemic we all have a greater awareness of the healthcare sector’s importance due to the critical services and goods that keep us alive and healthy.
The healthcare and public health sector provides valuable services to the world’s population. The sector includes a variety of components including health care delivery and services, medical device research and manufacturing, pharmaceutical research and manufacturing, medical device, and healthcare equipment distribution. The sector also participates in the response and mitigation of unforeseen hazards such as infectious disease outbreaks (e.g., COVID-19), natural disasters, and acts of terrorism. The ownership and operation of the physical assets and organizations delivering the goods and services generated by the health care sector vary from country to country; in the U.S., the sector is primarily privately operated and owned. In other countries, the sector has a greater component of publicly owned providers of health care services.
Sector is a Natural Target for Cyber Threat Actors
I wrote about cyber threats to the healthcare sector in my blog on why the healthcare industry is every hacker’s favorite vertical back in 2021. Unfortunately, the situation has gotten worse. The pandemic accelerated healthcare’s digital transformation to serve patients better. Rob Aragao and I recently discussed the security ramifications of this rapid transition with Pediatrix Medical Group VP/CISO Louis Lerman in our Cyber Challenges in Healthcare podcast. This new connectivity has made some of the components of the sector more vulnerable given the value of the data they manage. Large-scale ransomware attacks have shut down portions of national health care systems in Ireland and the United Kingdom, and large hospital chains in the United States, forcing delays in the delivery of critical care and procedures.
Because the research portion of the healthcare sector creates valuable intellectual property, pharmaceutical development firms, in particular, have become the target of attackers seeking to exfiltrate sensitive R&D data. This represents a threat of both economic espionage but also data blackmail; attackers that have successfully breached systems and exfiltrated personally identifiable data now routinely threaten to publish that data online unless they are paid.
Greatest Cybersecurity Concerns for Healthcare
To highlight the cybersecurity risks to the healthcare sector, the U.S. Senate had a hearing on the issue on 16 March. In his testimony to the committee, Greg Garcia (Executive Director of the Healthcare and Public Health Sector Coordinating Council) shared the top five threats facing members of the Health Information Sharing and Analysis Center (Health-ISAC) based on the Current and Emerging Healthcare Cyber Threat Landscape report released last year:
- Ransomware deployment, by which the adversary can inject networks with malware that encrypts - or renders inoperable - networked devices and software applications and data and demands a ransom in exchange for returning the data and operations to the health provider;
- Phishing/Spear-Phishing Attacks, by which the adversary sends bogus emails that trick employees, clinicians, or influential senior executives into divulging information, clicking on malicious links, or opening corrupted attachments that release malware into the networks;
- Third-Party/Partner Breach, by which business partners or third-party software that support clinical or business operations become infected, in turn infecting networked clinical and business operations of the healthcare entity;
- Data Breach, which involves the theft and exposure of protected health information that can include name, address, social security number, insurance and financial information, and patient data; and
- Insider Threat, by which employees inadvertently, carelessly, or maliciously allow malware or other adversarial actions into the health system network.
To highlight the on-going ransomware threat, in early March the U.S. government sounded the alarm about a Royal ransomware operation that is targeting numerous critical infrastructure sectors. The FBI and CISA joint advisory on the operation followed a warning from the U.S. Department of Health and Human Services in December that Royal ransomware was “aggressively” targeting the U.S. healthcare sector. Royal’s dark web leak site currently lists Northwest Michigan Health Services and Midwest Orthopedic Consultants among its victims.
In this new and more dangerous environment, the question for healthcare organizations is no longer what an incident will cost, but rather how long an organization can survive an attack—and whether an attack might undermine the long-term viability of that organization.
In light of the changes that have emerged in the threat landscape, the healthcare sector must rethink many of the approaches to cybersecurity they’ve taken in the past. The shifts caused by the pandemic has forced healthcare organizations to move quickly and embrace new tactics and techniques to achieve a better security posture and stop threat actors early. There are several ways that CISOs could shore up their security posture to specifically address weaknesses:
Better Understand the Attack Surface
Due to the increasing use of cloud computing platforms and SaaS offerings, the attack surface healthcare organizations must protect has grown and diversified. Workers also are more likely to access organizational networks from personal devices over the public Internet, often using unsecured Wi-Fi. Information security teams can no longer demand that all access be gated by proximity or location within a perimeter. COVID accelerated the widening of the attack surface by creating an even more distributed map of access and forcing even broader permissions for access.
Analyze and Improve Cyber Resilience
CISOs and security leaders in the healthcare sector should analyze how their systems will respond in case of attack and how long it might take to bring them back up. Based on this analysis, CISOs can lay out plans to improve cyber resilience. This might mean putting in place additional architectural redundancy or identifying ways to restrict the “blast radius” of an attack to better preserve other parts of IT systems and networks. CISOs could even take this to an extreme like the country of Estonia, with full backups of all systems ready to deploy as cloud servers. There is a price to architecting in cyber resilience. But in the wake of the past year and the ongoing cyberattacks to the sector, the cost of ignoring resilience has become crystal clear and clearly unacceptable.
Implement More Robust and Adaptive Authentication
In most cases, breaches and threat actors could be more easily detected and blocked if authentication systems were more robust and could continuously adapt to risks. Much of the healthcare sector still relies on the perimeter security model with additional authentication for sensitive systems that usually is required only once per session. Too often, those systems only require password and username combinations. Two-factor authentication (2FA) is being used more but implementing 2FA on older systems common in many healthcare settings is challenging. Nevertheless, healthcare organizations need to follow the lead of the financial services and telecommunications sectors by deploying authentication that requires multiple factors and is more continuous. In addition, CISOs should be moving away from 2FA, which relies on SMS and text messages because of the ease of compromising SMS-based authentication.
This shift can leverage a risk-based approach to be effective. A CISO may gradually decrease the frequency of authentication requirements for parties whose actions indicate they can be trusted. Alternatively, a CISO can implement Zero Trust by insisting on authentication prior to starting any new transaction on systems, even within sessions. More generally, the old reliance on passwords should be reduced or eliminated if possible.
Enhanced Forms of Data Protection
Healthcare providers rapidly spun up workloads in the cloud during the pandemic. However, these organizations must ensure that their sensitive data, both on-premises and in the cloud, is protected in a consistent approach. Current system and application-centric data protection controls embedded throughout existing IT infrastructure don’t extend to the cloud, creating risks when data is moved to a public, untrusted environment. Monolithic applications and associated security aren’t designed for the cloud, which requires a continuous integration and continuous development DevOps model.
As healthcare organizations embrace the values of cloud computing, this opportunity comes with the trade-off of introducing potential new threats to data security. Data protection must be fundamentally embedded into the data itself in order to scale along with workload elasticity, while remaining agnostic to the platform where it may reside.
The healthcare ecosystem represents a sector that is both critically important and highly complex. The data assets in play are sensitive and directly targeted by threat actors ranging from nation states to cybercriminals, to fraud entities, to skilled individual hackers. The healthcare sector is undergoing rapid technology adoption and change and the associated cybersecurity implications that accompany that adoption rate. We have all seen in the news post-pandemic how the healthcare workforce is fatigued and depleted and highly susceptible to the tactics of cyber-adversaries.
But steps MUST be taken to mitigate these threats.
How OpenText Security Can Help
Learn more about how OpenText Cybersecurity can help healthcare providers improve their security posture within the following blog posts:
- Security in the healthcare spotlight
- Application security challenges in the healthcare industry
- How to persistently protect healthcare data
- Cyber resilience in healthcare: How to preserve health data privacy
- Business continuity and data recovery for healthcare sector
- What are solutions for AppSec challenges in the healthcare industry?
- Securing Internet connected devices in healthcare