Despite an increased toll on their computer systems amid Covid-19, healthcare organizations throughout the world generally are doing a good job of mitigating inbound attack attempts, according to a Vectra analysis of the first five months of 2020.
The report cites a doubling of data-exfiltration behaviors to external destinations such as cloud services in Europe, the Middle East and Africa (EMEA), and attributes it to healthcare’s increased reliance on remote work and collaboration.
“In North America, healthcare providers experienced an initial spike in external data movement activity that settled down over time,” the Vectra report said.
The new research studied the networks of 31 opt-in enterprise organizations that use the company’s Cognito NDR platform.
Vectra found an upward trend in command-and-control behaviors and a significant increase in smash-and-grab behavior, but flat lateral-movement detections except in May; lateral movement is “the strongest indicator that threats are spreading inside a compromised infrastructure and propagating across internal devices.”
The report viewed the lateral movement trend as positive, noting that the World Health Organization (WHO) saw over the same time period a fivefold increase in phishing and ransomware.
Vectra pointed out that despite its generally good findings, the healthcare sector must remain vigilant in detecting and fending off cyberattacks, not least because of its responsibility to safeguard protected health information (PHI). Even when a cloud provider is HIPAA-compliant and secure by design, the healthcare organization as the user – not the cloud-service provider – is responsible for adequate protection of patient data in terms of policy and controls.
“The biggest setback to cloud adoption in healthcare is the possible security risk associated with it,” Vectra researchers said.
Risks also lie in healthcare’s widespread use of unmanaged medical devices and unsecured protocols such as FTP.
“While high-volume data-transfer behaviors from a single host can reflect the normal operation of a medical IoT device, low and slow attackers who wait and watch can use it to obfuscate their theft of data,” the report said, identifying “smash-and-grab” as a trend that needs to be closely scrutinized. Smash-and-grab occurs when a large volume of data is sent to an uncommon external destination in a short period of time.
It also behooves healthcare organizations to be on guard against the second-largest increase in data-transfer behavior: data smuggling.
This occurs when an internal host device consolidates a large amount of data from one or more internal servers and subsequently sends it to an unexpected external system.
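As an added illustration of the two behaviors described above (not Vectra’s or the Cognito platform’s own logic), the following sketch flags smash-and-grab and data-smuggling patterns in a set of constructed flow records. The addresses, the internal range (10.0.0.0/8), the baseline of known external destinations and the byte thresholds are all hypothetical; a real deployment would derive the baseline and thresholds from observed traffic.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: (time_seconds, src_ip, dst_ip, bytes).
# All addresses are hypothetical; 10.0.0.0/8 stands in for the internal network.
FLOWS = [
    (0,   "10.0.1.5",  "10.0.2.10",     400_000_000),  # internal server -> workstation
    (60,  "10.0.1.6",  "10.0.2.10",     300_000_000),  # second server -> same workstation
    (300, "10.0.2.10", "203.0.113.7",   650_000_000),  # workstation -> unknown external host
    (0,   "10.0.3.3",  "198.51.100.20", 900_000_000),  # imaging device -> known cloud service
    (100, "10.0.4.8",  "203.0.113.9",   120_000_000),  # small transfer, below threshold
]
# Constructed baseline: external destinations the organization normally talks to.
BASELINE_EXTERNAL = {"198.51.100.20"}
INTERNAL = ip_network("10.0.0.0/8")
WINDOW = 600                  # "short period of time": 10 minutes (assumed)
SMASH_BYTES = 500_000_000     # "large volume" threshold (assumed)
SMUGGLE_IN_BYTES = 500_000_000

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def smash_and_grab(flows, baseline=BASELINE_EXTERNAL, window=WINDOW, threshold=SMASH_BYTES):
    """Large volume sent to an uncommon external destination within one window.
    Returns (src, dst, bytes_in_window) for each flagged host/destination pair."""
    per_pair = defaultdict(list)
    for t, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst) and dst not in baseline:
            per_pair[(src, dst)].append((t, nbytes))
    hits = []
    for (src, dst), recs in per_pair.items():
        recs.sort()
        for i, (t0, _) in enumerate(recs):          # sliding window starting at each flow
            total = sum(b for t, b in recs[i:] if t - t0 <= window)
            if total >= threshold:
                hits.append((src, dst, total))
                break
    return hits

def data_smuggling(flows, in_threshold=SMUGGLE_IN_BYTES, **kw):
    """A host that first consolidates data from two or more internal servers and
    then ships it to an unexpected external destination (a smash-and-grab hit)."""
    inbound = defaultdict(lambda: defaultdict(int))  # host -> server -> bytes received
    for t, src, dst, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            inbound[dst][src] += nbytes
    hits = []
    for src, dst, total in smash_and_grab(flows, **kw):
        servers = inbound.get(src, {})
        if len(servers) >= 2 and sum(servers.values()) >= in_threshold:
            hits.append((src, dst, sorted(servers)))
    return hits
```

On the sample data the imaging device's 900 MB upload to the baselined cloud service is not flagged, while the workstation that gathered 700 MB from two servers and pushed 650 MB to an unknown host triggers both detections.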
Healthcare organizations routinely automate and validate large data transfers that still are subject to governance oversight and controls, the report found.