
Health-ISAC calls for ‘intelligence-led’ security, as actors continue to target healthcare

Air Force Maj. Jamie Laib, a nurse assigned to the medical augmentation team deployed to Manchester, N.H., uses a hospital computer as part of the COVID response operations at Elliot Hospital, Jan. 14, 2022. (Sgt. Kaden D. Pitt/U.S. Army)

Healthcare security leaders must adopt better communication tactics for obtaining financial investments and building cyber resilience through an “intelligence-led information security program,” using threat intel, such as the new cyber threat report from Health-ISAC, to impart risks to the board, according to its chief security officer Errol Weiss.

The tactic is used effectively in the financial sector, where annual threat reports become “key ingredients to the budget cycle in cybersecurity,” explained Weiss. Threat documents empower leaders to explain ongoing, real threats to senior leadership and the board of directors.

The major incidents, like WannaCry, NotPetya, SolarWinds, Accellion, and a host of others can “drive home the message that we collectively need to do more,” he added.

Although investments are rising in healthcare, it’s still not enough — especially when compared with other sectors. The average IT budget dedicated to cybersecurity lands around 3% to 5%, compared with 10% or more in the financial industry.

In finance, cybersecurity is seen as a strategy for future banking with budgets built to support security. Finance leaders realized “how important cybersecurity was from the reputational standpoint,” said Weiss. “They wanted to ensure the perception was that online banking was safe and secure. Without that perception, people were not going to adopt online banking.”

The same ideology has not translated to healthcare. The initial driving considerations were the Health Insurance Portability and Accountability Act regulations and privacy. However, “the money was being spent as part of the IT budget to ensure that organizations were compliant, but not necessarily secure.”

The recent spate of ransomware-related outages, and related care diversions, is improving awareness, but healthcare is nowhere near where it needs to be. Weiss called on security leaders to consider where to focus resources based on the data, leaning on ransomware reports released by hacked healthcare victims to further demonstrate ROI to the board.

The aim should be to impart to leadership: “If we invest this much, maybe we can avoid an incident of this magnitude and translate that into dollars.”

Ransomware leads concerns, as cybercrime dominates

Released on March 24, the Health-ISAC report was compiled with support from Booz Allen Hamilton. It includes survey responses from 132 Health-ISAC members on the greatest cybersecurity concerns facing their organizations, as compared with the ongoing threat landscape to address any gaps between the two.

However, there were “no considerable gaps” in the reported concerns and the evaluation of the threat landscape, confirming that the cybersecurity concerns felt in 2020 remained unchanged last year.

Ransomware remains the leading worry for healthcare security leaders, given the potential impacts to patient care and immediate financial and reputational implications. Phishing, third-party or partner breaches, data compromise, and insider threats complete the list of leading healthcare cyber concerns.

The report also shines a light on the leading cybercrime risks to the healthcare sector. Health-ISAC assessed that nation-state activity against healthcare will rise, particularly as strategic priorities and tensions between Russia and Ukraine evolve.

These nefarious activities will center on the theft of intellectual property, as well as economic strategies, like data tied to trade deals, negotiations and supply routes. Health-ISAC also noted it’s likely that some nation-state actors may rely on cybercriminals to hide their activities with ransomware attacks to readily extract sensitive data.

However, there’s “no indication nation-state actors intend on using destructive malware or conduct activity that would put lives at risk…. [as] cyber threat activity that results in civilian deaths is considered an act of war by the global community.”

“Due to the huge growth in cybercrime and large ransomware payouts, sophisticated and organized criminal groups will be able to invest heavily into R&D and develop new ways to conduct automated and effective scams,” the report authors wrote.

These criminals will use AI, machine learning, and deep fakes in effective criminal campaigns, as they continue to transition into a ransomware-as-a-service model. The use of RaaS will make attribution more difficult, while helping threat actors become more agile.

Hackers understand the strict regulatory environment and will continue to target healthcare, focusing on brand damage, loss of production, and delay of basic care to motivate payment of ransoms.

Health-ISAC expects that these groups will target critical systems to force healthcare entities to quickly pay ransoms “and not allow time for investigation or forensic examination prior to paying the ransom demanded.”

Lastly, the large supply chain compromises in the last year demonstrate a shift in attack strategies, with attackers finding success in exploiting IT vendors, managed service providers and enterprise management software systems to impact a larger group of victims. It’s likely attackers will continue to develop this tactic, with a keen focus on targeting cloud providers.

Other security vulnerabilities for healthcare

Healthcare’s interconnectivity and cloud-based infrastructures will also remain a leading target in the coming year, especially with the value of personal data stores, the increase of IoMT, insufficient cybersecurity protection, data transparency, and ineffective employee training.

The heavy reliance on legacy systems and less secure remote devices are two of the biggest pain points for most healthcare organizations. They have created more endpoints through which attackers can target sensitive data, and could lead to disruptions in care and device function, or loss of life.

The Health-ISAC document provides further insights into these attack methods, as well as possible remediation strategies to mitigate these threats and potential impacts to operations.

The report is intended to support security leaders with obtaining stronger cybersecurity investments from enterprise decision makers, with Weiss advocating for security leaders to leverage this document to communicate risk and needed remediation to the board.

Provider organizations should leverage threat documents like the Health-ISAC report as an “essential ingredient for the budget cycle.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
