
Time to stop the money-making business of kicking hospitals when they’re down


The recent spate of ransomware attacks against hospitals must stop. It’s unconscionable. We’re in an ongoing global health crisis and medical workers are already overworked — they don’t need to worry about cybercriminals on top of all the other medical issues they’re confronting. 

Late last year, a joint advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) that warned of cyber actors targeting the healthcare sector using TrickBot and BazarLoader malware, resulting in ransomware attacks, data theft, and disruption of services. 

But it goes beyond those most recent strains. Check Point Research published a report in October 2020 that found ransomware attempts jumped 50% in the previous three months compared to the first half of 2020, with healthcare organizations the hardest hit. 

This surge of malicious activity at hospitals comes as no surprise to security professionals. Healthcare has emerged as the industry most targeted by cybercriminals, with one-third of all data breaches in the United States occurring in hospitals. Healthcare’s singular focus on saving lives has long meant cybersecurity was placed on the back burner. Given the choice between investing time and money to save a life versus patching insecure software, the decision has always been clear. Unfortunately, the industry has a target on its back, leading to attacks that cost the industry approximately $4 billion in 2019 alone. 

Healthcare organizations are in the vanguard of adopting IoT devices, such as blood glucose meters, blood pressure monitors, and pulse oximeters that let providers better understand and track patient health. Many of these devices are inadequately secured and ripe for attackers looking for an entry point into the broader hospital network.

The COVID-19 pandemic has added further fuel to the fire by accelerating the adoption of remote care through telemedicine. Telehealth claim lines increased dramatically nationally from 0.17% of medical claim lines in March 2019 to 7.52% in March of 2020. Telehealth provides a great upside for providers, but a challenge for the IT and security teams that must maintain network uptime and ensure the safety of the network. Any change in the IT environment can increase risk, and when that change comes rapidly, it’s more likely to increase that risk by multiples.

Attackers have long had their eyes on healthcare organizations. The pandemic has become an opportunity for attackers to exploit these weaknesses when hospitals are most vulnerable, knowing they’ll have no choice but to pay the ransom just to keep the lights on.

So what can hospital IT teams do to mitigate the risk? Lean on security frameworks and regulations.

Healthcare regulations and cybersecurity frameworks are designed to give consumers and patients peace of mind that their data will remain private and available only to providers. They also provide healthcare organizations with standards to follow to improve their overall security posture. Here’s an overview of the primary frameworks:

  • HIPAA and HITECH guarantee that patients can access, and control access to, their personal data. The regulations also dictate how patient data and protected health information must be kept private and secure. 
  • The NIST Cybersecurity Framework (CSF) offers industry-standard guidelines that CISOs can employ to secure infrastructure across the organization. 
  • HITRUST was developed in collaboration with data protection professionals and rationalizes the relevant regulations and standards into a single overarching security and privacy framework. 
  • MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It helps healthcare organizations understand how adversaries operate so they can plan how to better secure their networks and devices, and how to detect and stop attacks. 

These frameworks are an integral part of improving healthcare security and combating ransomware, as they provide guidelines that let organizations protect devices, networks, and sensitive patient health data and certify that appropriate actions are taken to keep the data secure and private. The challenge, as always, is dedicating the resources needed to ensure standards are being met.

Leverage the network

This may sound controversial, but it’s a losing battle to focus myopically on ransomware prevention. Attackers are highly sophisticated, and healthcare organizations need to assume that bad actors can and will find a way in. It’s imperative that healthcare organizations prioritize robust detection and response capabilities and put strategies in place, so they can stop ransomware attacks before there’s any significant damage. 

Hospitals need to rely on their networks for detection and response. Think of network data as the ultimate source of truth because it sees every communication across the entire hybrid network, and it’s tough to tamper with. 

Network detection and response passively monitors network data, meaning attackers can’t know they are being watched, and it’s extremely hard to evade. Hospitals can use this kind of technology to shine a light inside the network to detect unusual behavior that would indicate an attack in progress, helping them to quickly stop attacks in real-time before they’re severely compromised. 

Network detection and response also helps organizations comply with HIPAA/HITECH regulations by simplifying the implementation of NIST and HITRUST recommendations and enabling rapid detection and investigation of the MITRE ATT&CK tactics, techniques and procedures used against the organization.

Healthcare organizations are under pressure from all sides. Ransomware and other attacks on healthcare organizations are skyrocketing and connected medical and IoT devices proliferate. At the same time, healthcare cybersecurity teams must keep up with the surging use of telemedicine in the wake of the COVID-19 pandemic and the increased adoption of cloud. 

But by prioritizing a few key strategies and technologies — leveraging industry resources and standards, and monitoring network data to provide the oversight needed to stop attacks before they breach the network — hospitals can come out on the other side stronger and more secure than ever. 

Jeff Costlow, chief information security officer, ExtraHop

Jeff Costlow

Jeff is a security technologist and leader with over 20 years of deep experience securing information and technology assets as well as years of successful engineering leadership, delivering secure product deployments to thousands of customers. Jeff leads the ExtraHop team towards groundbreaking security and privacy services.
