Modern healthcare’s reliance on technology is both its boon and its burden. Our standard of living has improved hugely as a result of its advancement, but when it is disrupted, the results can be devastating. That’s why criminals are launching cyber-attacks against healthcare organisations around the world that are trying to combat the virus – they realise their power.
In many cases, cyber-attacks are targeting third parties and vendors with privileged access to healthcare organisations’ critical data and systems. This has become a regular occurrence for those involved in COVID-19 vaccine research, development, and delivery in particular, as vaccine programmes accelerate around the world.
Cyber-criminals get first-rate opportunities from third parties
The European Medicines Agency (EMA) – the EU’s governing body responsible for approving vaccines – is one of those that has already been affected, disclosing in December that it was subject to a cyber-attack. At the time, it did not divulge specific details. However, later that day pharmaceutical company Pfizer and biotech company BioNTech issued a joint statement indicating documents pertaining to their COVID-19 vaccine had been accessed via an EMA server.
This attack is just one example of how third parties can be targeted to access valuable information. What is really alarming is that in this case, it was information that affects the health and wellbeing of millions.
In another effort from cyber-criminals in December, IBM discovered a large-scale email phishing campaign targeting COVID-19 vaccine supply chains across the world. According to the IBM research team, the precise and targeted method of the attacks displayed the hallmarks of nation-state tradecraft.
IBM then proposed that the purpose of the campaign may have been to harvest credentials – high-level corporate passwords – to gain access to extremely sensitive information. This ‘access’ could mean anything from gaining insight into specific internal communications, to getting hold of the plans to distribute a COVID-19 vaccine.
These cyber-attacks highlight the challenges today’s R&D organisations and healthcare providers are facing. Third-party networks present a big challenge for IT teams because those networks fall outside the teams’ security jurisdiction, and their security is not within the teams’ control.
Snatching the keys for privileged access
The ability to exchange patients’ protected health information (PHI) across all identities and technology components is instrumental in providing modern, integrated healthcare. Privileged accounts and credentials make this interoperability possible because they allow administrators to access applications or data, or devices and systems to access each other, by demanding these credentials be served at each stage in this process. Everything from cloud-based virtual care applications to patient diagnostic data integration from third-party services requires this ‘privileged’ access.
Privilege is the path to PHI, however, and attackers know this very well. They’re often very motivated to gain access. Why? Because a single PHI record can fetch as much as £267 on the dark web, according to non-profit CIS. When compared to credit card information, which usually goes for around £1, it becomes clear just how valuable this information is perceived to be by attackers. The potential cost to society of a breach of this information, or of COVID-19 vaccine ‘recipes’ and related intellectual property, is unimaginable.
Breaking into a heavily guarded fortress is a tough ask for any individual, whether it’s in the physical or virtual realm. Hijacking a ‘delivery truck’ authorised to enter the premises is a more surmountable task. That’s why, once they have decided what they want to target, most attackers go after suppliers, third parties, and partners of all sizes across the healthcare industry.
Providing secure privilege, blocking malign access
Each third party working with a health organisation requires a different, and often unique, level of privileged access to perform its role – from managing medical devices to keeping patients’ health records up to date. Providing and managing privileged access for each of these identities is a huge job for IT and security staff, and one of the reasons many accounts are often left misconfigured. Healthcare security teams must find a way to streamline these processes, however, to protect their organisations from cyber-attacks – whether from the outside, the inside or across third-party networks.
Automation provides one method of accelerating privileged access management tasks, and tools are already available that ensure security protocol is followed, without interrupting operations. They allow IT teams to massively reduce the time spent manually managing credentials or user sessions, and invest this resource elsewhere to further improve their organisation’s security posture.
Automating other processes can also be cost and time effective. Take ‘just-in-time’ privilege management – the method of providing high-level access to specific accounts for specific periods of time. Traditionally seen as a manual task, this too can be automated, reducing not only IT teams’ time investment, but also unnecessary friction for vendors. With automation, third parties working in healthcare can gain the required access when (and only when) they need it.
It’s clear healthcare is under threat from both civilian and state cyber-attacks, but fortunately there is also a manageable path to its protection. Third parties do present a risk, as shown by the recent attacks outlined above. But by focussing on proven methods of securing these third parties, healthcare’s IT teams have a chance to stay ahead of the opposition.
By David Higgins, EMEA Technical Director at CyberArk