On the dark web, private health information (PHI) sells for up to $1,000 per record. In response to surging healthcare cyberattacks, it's now glaringly obvious that data security in healthcare needs to go in a new direction.
Recent statistics are illustrative. In only three years the amount of PHI exposed in data breaches has surged by 300 percent. According to a report from Critical Insight, over 45 million patient records were exposed in data breaches in 2021. That means around 1 in 7 Americans had information like their names, home addresses, Social Security numbers, and even biometric data stolen last year. Right now, hospitals alone make up 30 percent of all large data breaches.
So why is data security in healthcare producing such terrible outcomes? Since computerized patient record technology evolved in the early 1990s and the Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, minimizing breach risk has been a core priority for healthcare providers. The problem is that healthcare organizations rely on a fundamentally reactive approach to reducing breach risk. Unfortunately, in 2022, no healthcare organization holding patient PHI can depend on identifying, prioritizing, and mitigating threats that have already entered their networks. Here's why.
Threats Are Getting Harder to Spot
When executives at Kroger Pharmacy were notified about a breach by the CLOP gang on January 23rd, 2021, they were extremely surprised. After all, there hadn't been a ransomware attack. All their systems were online, and none of their networks showed signs of malicious activity. But a data breach had happened—a massive one. A week after the first notification, Kroger received a $5 million ransom demand. It included evidence that over 500,000 Kroger customers’ PHI had been stolen. Although the exact amount was not made public, we know Kroger paid up.
To compromise Kroger Pharmacy, CLOP used a known Accellion file-sharing vulnerability as an attack vector. CLOP used a zero-day attack to gain entry, then deployed a DEWMODE web shell in device memory to access and exfiltrate hundreds of thousands of PHI records without raising any endpoint security solution alerts. This kind of situation is becoming more common. With healthcare attack surfaces continuing to expand, and healthcare zero-day attacks reaching all-time highs, threat actors have more places to enter networks and stay hidden once inside.
According to IBM, it already takes a healthcare organization an average of 329 days to detect and contain a data breach. Worse, threat actors are increasingly using malware that doesn't produce signatures or rely on on-disk executables. Last year, the rate of fileless attacks using signature-less tools like Cobalt Strike beacons soared by over 900 percent. These kinds of threats may bypass EDR or AV tools that rely on signatures and on recognizing the behaviors of known threats.
Providers and Their Patients Are Starting to Feel Serious Pain
Attacks are not only getting harder to spot. It is now also more difficult to pinpoint where the damage they cause ends. When a cyberattack took patient record systems offline earlier this year at five hospitals owned by Tenet Healthcare, the first phase of disruption lasted over a month. Some healthcare staff were even forced to return to pen and paper record-keeping methods. Because the attack also impacted PHI belonging to over one million patients, it is causing lasting damage to Tenet's business.
Based on the company's Q2 earnings report, collateral damage from the April 2022 cyberattack has already cost over $100 million. Most of this is due to the expense of rebuilding several hospitals' entire IT systems. But even a $100 million bill won't cover the damage. The company is now facing a lawsuit that may soon become a class action. Out of 58 data breach lawsuits in 2021, 48 were against healthcare organizations. Kroger Pharmacy also became involved in several lawsuits after its cyberattack, and has already had to pay $5 million in settlement fees.
For smaller providers, cyberattacks may create lower headline costs. But they take an even more destructive toll. For a midsize hospital, the average cost of downtime caused by a successful breach is $45,700 per hour.
The long-term impact of having to notify the Department of Health and Human Services that you have breached HIPAA and let someone steal your patients' PHI? Almost unquantifiably bad. We know at least 27 percent of patients say they will switch providers if a cyber incident exposes their health data. This number has increased from 20 percent in 2020. It will likely keep climbing as more people wake up to the consequences of PHI exposure and HIPAA enforcement increases.
In this threat environment, healthcare organizations would be unwise to continue relying on a reactive strategy, especially when very few organizations with a HIPAA-mandated incident response plan in place actively practice that plan and are prepared to respond to cyber threats. The alternative is to work towards stopping attacks in the first place.
From Reactive to Proactive Data Security in Healthcare
Improving the security posture of healthcare networks requires moving toward zero trust environments and a deep Defense-in-Depth (DiD) strategy. However, even basic zero trust requirements like mandating multi-factor authentication (MFA) or disabling accounts after a specific time limit can be tough to enforce. Healthcare workers have little tolerance for security controls that impact their productivity or make life harder.
Overcoming these obstacles is a procedural and political challenge for security teams. But enhanced zero trust and deeper DiD are both technologically feasible and economically doable right now. Morphisec’s lightweight, revolutionary Moving Target Defense (MTD) technology proactively blocks the advanced fileless and runtime attacks that next-generation antivirus (NGAV) and endpoint detection and response (EDR) can’t consistently detect. And MTD brings zero trust protection to healthcare servers and endpoints without impacting user experience.
How? MTD turns application memory into a trustless environment that randomizes trusted runtime application code and automatically blocks unauthorized code. It basically ‘moves the real doors’ while leaving false doors behind. For authorized applications and processes, nothing changes. But if unauthorized code tries to execute on a target, it opens a false door where it is trapped for forensic analysis. MTD proactively blocks the most advanced and disruptive attacks without having to recognize or analyze them first, and before they can deploy and do damage. Critically for healthcare environments, there is no impact on device performance, and no monitoring is required. MTD adds an ultra-lightweight layer of proactive defense that plugs the security gap of runtime exploits that other security solutions can't effectively close. To learn more, read the white paper: The Ultimate Ransomware Strategy: Zero Trust + Moving Target Defense.