Between staff shortages and COVID variants, healthcare providers have had plenty to worry about during the past two years. Now alongside these worries, cybersecurity issues in healthcare are also putting patient care in jeopardy. Healthcare is one of the sectors most susceptible to cyber incidents, so cybersecurity issues in healthcare need to be urgently addressed.
Cybercriminals don't care that your organization is doing important, life-saving work. Or that when a ransomware campaign “succeeds,” the first people to notice tend to be frontline staff who can’t access vital patient records. For threat actors, all that matters is that after being hit with ransomware, at least one third of healthcare providers pay up. In 2020, the average ransom demand to healthcare institutions was $4,583,090.
It doesn't help that healthcare providers have a rapidly expanding attack surface. The market for healthcare Internet of Things (IoT) devices is expected to double by 2025. With 53 percent of connected medical devices and other IoT devices known to have a critical vulnerability, the challenges keep mounting.
Pivoting healthcare security towards proactive protection may seem like a tall order for some. Fortunately, prevention-focused defense is absolutely achievable if you take steps towards a zero trust architecture, as recommended by the National Institute of Standards and Technology. It's also the best strategy healthcare security teams can rely on. Here's why.
Remediation Is off the Table
In most healthcare cyberattacks, true remediation never happens. Having secure backups for patient data in place is very important. But by the time remediation measures come into play, serious damage has usually already happened.
The jury may be out on whether a ransomware attack has “officially” killed someone in a hospital setting. 2021 saw the first credible public claim that someone’s death was caused at least in part by hackers who remotely shut down a hospital's computers. But if no one has officially died as a direct result of ransomware, it's only a matter of time before they do. When ransomware shuts down hospital IT systems, it becomes almost impossible for frontline staff to do their jobs.
A 2021 attack on Memorial Health System in Ohio led to canceled surgeries, diverted ambulances, and days of partial downtime. Conti ransomware struck Ireland’s national healthcare system, the Irish Health Service Executive (HSE) in May 2021. It compromised dozens of hospitals, and the disruption lasted months, creating massive service backlogs through thousands of canceled appointments.
Patient data is the primary target for most ransomware, and doesn't come back after system access is restored. Attacks almost always create legal risks for providers. And not just HIPAA fines. Patients themselves are taking action against healthcare providers that lose their personally identifiable information (PII) during data breaches. Of all the lawsuits that happen due to data breaches, 23 percent involve medical organizations.
Why is Healthcare Attack Prevention So Hard?
Stopping ransomware attacks before they compromise systems, steal patient data, and expose providers to legal action is clearly the best strategy for healthcare. So why is it so hard to do?
One reason is that an abundance of legacy software makes healthcare providers more vulnerable to attacks than organizations in other sectors. A 2019 review of the NHS (the British national healthcare service) found thousands of PCs were still running Windows XP. Microsoft had stopped supporting it five years earlier.
With security teams needing to navigate complex and unclear FDA rules, patching med-tech devices can be a major struggle for healthcare security teams. Although robust patch management is a HIPAA requirement, not all organizations are able to patch bugs in a timely manner. And not patching devices is one of the riskiest things a provider can do. For healthcare institutions with a slower patch cadence, ransomware risk increases by as much as 700 percent, according to BitSight.
Popular detection-based security solutions such as NGAV, EDR, and EPP also expose healthcare providers by leaving vectors such as device memory essentially undefended.
The HSE attack last year was an illustrative example of such cybersecurity issues in healthcare. Cybercriminals, likely Russia-based, used Cobalt Strike beacons to move laterally across connected networks. They infected 80,000 endpoints across Ireland’s national healthcare system. They delivered Conti ransomware payloads into device memory, entirely bypassing signature-based security controls.
As well as these technical weaknesses, individuals working in healthcare don’t yet appear to have prioritized cybersecurity. A large-scale study of US hospital cybersecurity awareness in 2019 analyzed more than 2.9 million simulated phishing emails. It reported a staggeringly high click rate of 16.7 percent.
Real-World Healthcare Zero Trust
With patient lives and PII on the line, minimizing healthcare attack vectors is one of the biggest security challenges of our generation. Meeting these challenges means changing direction on how applications, devices, and networks talk to each other in a typical healthcare setting. This is what a zero trust architecture does.
Making zero trust work in any organization is a delicate balancing act. This is particularly true for a healthcare provider, where security can never get in the way of patient care. Zero trust is as much of a cultural shift as a technological challenge, with every network user treated like a potential attacker. Nevertheless, it is possible for organizations to take immediate steps towards zero trust.
Some of this is basic security hygiene. At the access control level, authentication processes need to be tightened through two factor authentication (2FA). Network architecture needs to be checked to ensure flat networks are minimized where possible and subnets are used instead. Effective antivirus is vital, but thanks to the now market-leading capability of OS native Microsoft Defender, it doesn’t have to be expensive.
Mitigate Cybersecurity Issues in Healthcare
To cut off oxygen to threats, healthcare providers must adopt zero trust architecture. As part of a “defense in depth” layer on top of basic proactive controls, Morphisec offers zero-trust solutions designed to solve cybersecurity issues in healthcare.
If you're interested in learning more about hardening your healthcare cyber defense, register for Morphisec's Healthcare Cybersecurity Summit: Prevention is Better Than the Cure on Wednesday June 1. Join healthcare industry security executives discussing:
- Protecting personally identifiable information
- How changes in HIPAA may result in a change in security posture
- Examples of compromised healthcare scenarios
- Overcoming patching challenges