Beyond the Breach: The Ongoing Fragility of Healthcare Cybersecurity


The recent spate of ransomware attacks on hospitals which have disrupted clinical operations and forced patients to be turned away – for example, the Synnovis attack on the NHS which stole data and the breach on St Louis-based Ascension Healthcare – serve as a reminder of the fragility of the infrastructure we depend upon to save lives and the need for robust healthcare cybersecurity.

These attacks are both lucrative for attackers and give them an opportunity to sow discord in patients’ lives. As such, the healthcare industry is one of the most sought-after sectors for threat actors today. With the average cost of a ransomware incident having risen 63% to $450,000 between 2022 and 2023, attackers know that when they hit lifesaving organisations with minimal budgets they hold the upper hand in any ransom negotiation, and they hold out for bigger paydays. It’s a tried and tested strategy for attackers.

A recent example from this year is when Change Healthcare was breached due to a lack of multifactor authentication, exposing millions of Americans’ health data. The frequency and severity of these attacks led to remarks from the White House stating the administration will soon require hospitals to adhere to minimum cybersecurity standards, as well as begin free cybersecurity training for small and rural hospitals.

The Complexities of Healthcare Cybersecurity

Healthcare organisations not only hold troves of personal and confidential information on patients, they also have mass networks of critical medical technology, and operate on complex, interconnected supply chains involving multiple software providers and devices. The interconnectedness of this ecosystem, while great for rapid advancements in medical care, is lucrative for opportunistic threat actors.

The more integrated hospitals and care facilities are, the larger the attack surface on which cyber criminals can launch a social engineering scam or a malware-based attack. The most common attacks we see levied against the healthcare industry tend to take advantage of the legacy technology these hospitals run on, and usually involve long-known external-facing vulnerabilities and phishing attacks.

When organisations are either too busy to patch or simply unaware of these known vulnerabilities, they put themselves and their patients at risk. Likewise, when the staff at a hospital or medical facility aren’t trained to recognise and report phishing emails, attackers can simply spam their targets with spoofed email addresses or realistic messages until they find a victim. Attackers know this and use it to their advantage.

These types of attacks are endlessly viable for threat actors because they focus on exploiting the weakest link in any given healthcare company. With the NHS being as large and interconnected as it is, it’s a struggle to shore up all cyber vulnerabilities, putting patient health and safety at risk.

While it’s vital to prevent attacks in the first place, recovering from an incident is just as critical. In these cases, victims must prioritise patching external-facing vulnerabilities and establishing a comprehensive top-to-bottom 24×7 security operations capability. Without these in place, the risk of a repeat, successful attack is high.

Reducing the cyber risk in the healthcare industry is a multi-step process that should focus on establishing a baseline of cybersecurity standards, such as implementing multi-factor authentication and identity and access management principles that reduce the risk of network intrusion or stolen credentials. Privileged access management tools, for example, are vital to ensuring attackers who get into a network are unable to elevate their privileges and easily access a company’s most sensitive data.

Regularly scheduling information security training will help employees stay educated and alert for social engineering scams. IT departments should also be conducting annual or biannual compliance checks against themselves to ensure they’re up to date against an ever-changing threat landscape. Doing so will ensure healthcare organisations won’t hit our headlines for serious patient-impacting breaches in the months and years to come.
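The baseline controls described above (MFA on external-facing logins, privileged access brokered through PAM, external-facing known vulnerabilities patched promptly) and the self-run compliance check recommended here can be turned into a repeatable automated check. The following is an added example written for this page, not code from the article or from Arctic Wolf; the inventory records, the 14-day patch deadline and the field names are all constructed assumptions, and a real deployment would read them from an identity provider and a vulnerability scanner instead.

```python
"""Baseline control check over a constructed account/service inventory.

Added example (not from the article): each record is evaluated against a
minimal baseline and every violation is returned as a finding string.
All records and thresholds below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumption: an external-facing known vulnerability left unpatched beyond
# this many days counts as a baseline failure.
PATCH_SLA_DAYS = 14


@dataclass
class Account:
    name: str
    external_facing: bool   # login reachable from the internet (VPN, portal, webmail)
    mfa_enforced: bool
    privileged: bool        # holds admin / elevated rights
    pam_brokered: bool      # assumption: elevation is only acceptable via a PAM vault


@dataclass
class Service:
    name: str
    external_facing: bool
    known_vuln_since: Optional[date]  # date a public advisory applied; None = none open
    patched: bool


def check_account(acct: Account) -> List[str]:
    """Baseline: MFA on every external-facing login, no standing admin outside PAM."""
    findings = []
    if acct.external_facing and not acct.mfa_enforced:
        findings.append(f"{acct.name}: external-facing login without MFA")
    if acct.privileged and not acct.pam_brokered:
        findings.append(f"{acct.name}: standing privileged access not brokered by PAM")
    return findings


def check_service(svc: Service, today: date) -> List[str]:
    """Baseline: external-facing known vulnerabilities patched within the SLA."""
    findings = []
    if svc.external_facing and svc.known_vuln_since is not None and not svc.patched:
        age = (today - svc.known_vuln_since).days
        if age > PATCH_SLA_DAYS:
            findings.append(
                f"{svc.name}: external-facing known vulnerability open {age} days "
                f"(SLA {PATCH_SLA_DAYS})"
            )
    return findings


def run_baseline(accounts: List[Account], services: List[Service], today: date) -> List[str]:
    """Run every check and return the combined list of findings (empty = compliant)."""
    findings: List[str] = []
    for acct in accounts:
        findings.extend(check_account(acct))
    for svc in services:
        findings.extend(check_service(svc, today))
    return findings


# Constructed sample inventory (not real systems).
SAMPLE_ACCOUNTS = [
    Account("portal-clinician", external_facing=True, mfa_enforced=True, privileged=False, pam_brokered=False),
    Account("vpn-contractor", external_facing=True, mfa_enforced=False, privileged=False, pam_brokered=False),
    Account("dba-admin", external_facing=False, mfa_enforced=True, privileged=True, pam_brokered=False),
    Account("backup-admin", external_facing=False, mfa_enforced=True, privileged=True, pam_brokered=True),
]
SAMPLE_SERVICES = [
    Service("patient-portal", external_facing=True, known_vuln_since=date(2024, 5, 1), patched=False),
    Service("internal-pacs", external_facing=False, known_vuln_since=date(2024, 5, 1), patched=False),
    Service("mail-gateway", external_facing=True, known_vuln_since=date(2024, 6, 10), patched=False),
    Service("web-api", external_facing=True, known_vuln_since=None, patched=True),
]
SAMPLE_TODAY = date(2024, 6, 15)  # constructed "run date" for the check


if __name__ == "__main__":
    for line in run_baseline(SAMPLE_ACCOUNTS, SAMPLE_SERVICES, SAMPLE_TODAY):
        print("FINDING:", line)
```

Run on the sample inventory, the check flags the contractor VPN login with no MFA, the database admin with standing rights outside PAM, and the patient portal whose external-facing vulnerability has been open well past the deadline; the internal PACS host is deliberately excluded because the baseline here prioritises external-facing exposure, which is where the article notes most healthcare intrusions begin.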

By Mark Manglicmot, SVP of Security Services at Arctic Wolf