In late October the FBI issued an alert regarding imminent and increased advanced ransomware risk to hospitals and healthcare providers in the U.S. Such attacks had already affected five hospitals that week. This is just the latest in a string of headlines regarding cyberattacks against the healthcare sector. Others include warnings about hacks on medical IoT devices and assaults on pharmaceutical companies working on COVID-19 treatments and vaccines. When the stakes are highest—human life—so are the potential rewards for cybercriminals.
As if this weren’t bad enough, average costs related to data breaches are highest for healthcare organizations. The “2020 IBM Cost of a Data Breach Report” found that the average healthcare data breach costs $7.13 million, up 10% from the year prior. As this sector becomes an increased focus for bad actors, it’s important to evaluate some of the biggest vulnerabilities and how these can be combatted with an active defense approach.
The Healthcare Danger Gets Real
There’s never a good time to suffer a ransomware attack, but now might be the worst time in history. Today’s hospitals may be filled with COVID-19 victims, already at the brink of operational disaster. Any margin of error on hospital operations is highly likely to cost lives, as it did in Dusseldorf, Germany, when a ransomware attack hit the University Hospital in September. The malicious software encrypted 30 servers, with an extortion note left on one of them. The hospital’s systems gradually crashed, and staff weren’t able to access data. Due to operational re-routing of emergency patients, a woman in need of life-saving treatment died.
The Role of Nation-State Actors
There are a variety of reasons that nation-state attackers do their work: to steal corporate IP, to create confusion and discord during election cycles, to intimidate or demonstrate power over an enemy and so on. These days, many nations are engaged in this generation’s “space race” to be the first to triumph with COVID-19 prevention or therapy. Competing enemy countries’ cyber offensive forces may endeavor to steal priceless patient data, clinical trial information or other COVID-related insights from hospital IT networks.
In early October, for example, medical software company eResearch Technology was hit with a ransomware attack thought to have been carried out by a nation-state actor. The Philadelphia-based company supplies pharmaceutical companies with tools for conducting clinical trials, and the attack slowed down a number of them, though the company hasn’t said how many customers were affected.
IoT and Medical Devices
It no longer stretches credibility to say that it is entirely possible for cyberterrorists to disrupt the normal functioning of medical devices such as MRI machines, insulin pumps and other machines and equipment. Even a slight malfunction on such a device can lead to patient illness or even immediate death. Due to the FDA approval process these devices must go through, they aren’t able to be patched by traditional cybersecurity technologies and a typical agent-based security solution such as endpoint detection and response (EDR) can’t be deployed on them.
In fact, this idea isn’t novel. In 2013, a well-known hacker was demonstrating the ability to hack into insulin pumps and warning about cardiac implant cybersecurity. The latter concern came after an episode of “Homeland” featured a terrorist hacking into a politician’s pacemaker to instigate a heart attack. Although internet of medical things (IoMT) device makers go to great lengths to secure their products, cybercriminals continue to show the lengths they will go to in pursuit of their goals.
Think Like an Attacker: Be Deceptive
There is some good news, though: such attacks can be defeated. But you need to think like an attacker to beat an attacker. When a security team thinks like an advanced attacker, it can know what the attacker is after and can focus on those assets. As far back as 2015, experts were recommending shifting the IT security budget ratio of prevention to detection and response from a 90%/10% split to a 60%/40% split. Detection has become a critical aspect of security.
An active detection campaign is one that includes the ability to seek malicious lateral movements within the network. Deception technology is a category of security tools designed to detect attackers who are already in the network and prevent them from doing damage. It works by distributing deceptions that mimic genuine IT assets throughout the network. Instead of relying on traditional signatures, deception technology alerts are generated by real attacker movements within a network.
Deception finds attacker activity taking place in real-time, which means there are no false alerts. The IT team knows exactly what’s happening and can mitigate the attack, protecting the computer systems that literally keep people alive.
A Healthcare Security Strategy for the Whole Attack Life Cycle
Cybercriminals have hit upon a lucrative idea that they aren’t likely to let go of anytime soon: attack facilities where lives are on the line to get a quick cash infusion. There’s no time to waste waiting for a standard security system to find anomalies; rapid detection and response are essential to prevent loss of life. This is where automation and deterministic alerting come in. Deception technology enables defenders to follow attack pathways and identify the location of high-risk, critical assets—both foundational to creating a strategy before and after the network is breached. The information noted above will help you establish a stronger defense for your healthcare organization.
