Security breaches in the healthcare sector have long-lasting impacts on both operations and patient care. In July, ambulance services were impacted following a cyber attack on IT supplier Ortivus, leaving medical staff unable to access electronic patient records. Barts Health NHS Trust, which runs five London-based hospitals in the UK and serves more than 2.5 million patients, was added to the dark web leak site of the ALPHV ransomware gang. In June, a ransomware attack on the UK’s University of Manchester affected an NHS patient data set that holds information on 1.1 million patients across 200 hospitals. In November, TransForm, a not-for-profit shared service organization founded by five hospitals in Erie St. Clair, Ontario to manage their IT, supply chain, and accounts payable, confirmed its operations had been affected following a ransomware attack which saw the attackers steal a database containing information on 5.6 million patient visits, corresponding to approximately 267,000 unique individuals.
By not taking proactive action to safeguard their cybersecurity operations, hospitals risk losing sensitive patient data to the public domain, where it cannot be retrieved and remains exposed for the patient’s entire life.
Why hospitals?
Medical data is unique and often holds extremely sensitive information, and its exposure can leave patients deeply upset. Threat actors can use it to hold an individual to ransom, threatening to expose their medical conditions. It can also be used to build a picture of an individual to help trick them into believing a phishing message. Once the data is exposed, the patient can’t change the details as they would if a password were stolen. For the affected organization, there is the risk of major compliance fines, as well as long-lasting damage to reputation and patient trust.
For too long, security teams have struggled to address the challenge of prevention in the face of evolving attack techniques. Instead, they’re left firefighting reactively as threat actors breach defenses. This means infrastructure is left exposed, when teams should be finding and fixing the flaws threat actors exploit.
A study conducted in 2023 by Forrester Consulting on behalf of Tenable, based on a commissioned survey of 825 global cybersecurity and IT leaders (including 59 healthcare and 39 pharmaceutical organizations), found that, in the last two years, the average organization’s cybersecurity program was prepared to preventively defend against, or block, just 57% of the cyberattacks it encountered. This means 43% of attacks launched against them are successful, and must be remediated after the fact.
Hospitals are taking a great risk by overlooking their cybersecurity and threat response strategies. While ransomware attacks can financially push organizations to closure, the impacts of these breaches on patients are incomparable. Once sensitive data is lost to the public domain, it cannot be retrieved and it will stay there for the patient’s entire life. Improvements to IT and operational technology (OT) systems are long overdue. Through action, health organizations can avoid becoming the victim.
According to the study, nearly three-quarters (74%) believe their organization would be more successful at defending against cyberattacks if it devoted more resources to preventive cybersecurity.
Proactive cybersecurity – Prevention is better than cure
Securing today’s complex and dynamic IT environments in hospitals and healthcare has never been more important. The sector’s reliance on multiple cloud systems, numerous identity and privilege management tools and multiple web-facing assets brings with it numerous opportunities for misconfigurations and overlooked assets. Healthcare organizations can prevent breaches by ensuring IT departments have the capacity and resources to monitor for threats and respond to them in a timely manner. This requires a holistic approach.
Proactive cybersecurity requires the ability to assess and prioritize vulnerabilities and misconfigurations in context with user data and asset prioritization so that IT and cybersecurity employees can make the right decisions about which systems or classes of users and assets to remediate first.
An exposure management program brings together data from tools associated with vulnerability management, web application security, cloud security, identity security, attack path analysis and attack surface management and analyzes it within the contextual view of an organization’s unique mix of users and IT, operational technology (OT) and internet of things (IoT) devices and software to effectively evaluate what’s happening across the attack surface. The goal? Having the contextual data needed to execute an ongoing, preventive security program built on risk-based workflows.
Security needs a unified and contextual view of its environment. By focusing resources on the vulnerabilities that are exploitable and understanding how attackers chain vulnerabilities and misconfigurations, security teams can design more complete strategies for reducing their overall risk exposure. Understanding attacker behavior helps inform security programs and prioritize security efforts to focus on areas of greatest risk and disrupt attack paths, ultimately reducing exposure to cyber incidents. Organizations that can anticipate cyber attacks through proactive cybersecurity and communicate those risks for decision support will be the ones best positioned to defend against emerging threats.
To ensure the protection of sensitive patient data and critical infrastructure, hospitals and healthcare professionals must re-evaluate their threat response strategies in recognition of a world that has become increasingly digitized. Safety online and offline is paramount. They must take action to understand the risks they face, address the challenges standing in their way and ultimately reduce the sheer volume of successful cyberattacks they have to respond to.
By Bernard Montel, Cybersecurity Strategist and Technical Director, Tenable