A matter of life or death: security challenges for the healthcare industry

By Robert Golladay, EMEA and APAC director at Illusive

According to the 2020 IBM Cost of a Data Breach Report, the monetary cost of recovering from a cyberattack is significantly higher for healthcare organisations than for companies operating in any other sector. The price tag increased by 10% between 2019 and 2020 and currently sits at around $7.13 million.

But more concerning than monetary losses is the human cost that a successful cyberattack targeting healthcare providers can have. In the November of 2020, German officials attempted to prove that the death of a patient was the direct result of a ransomware attack that shut down a hospital’s infrastructure and forced medics to turn the ambulance away, thus delaying life-saving treatment.

Since the Wannacry ransomware attack against the UK’s National Health Service in 2018, the specter of cyberattacks has loomed large on healthcare institutions. Whether it’s a data breach that exposes patients’ information or a more dangerous ransomware attack that encrypts data and renders systems unusable, healthcare providers have no margin of error when it comes to defending against cyber threats.

But as breaches continue to occur, we are forced to look at the inherent flaws of most healthcare institutions’ approaches to threat defence. In this article, we will explore the most common threats facing hospitals and healthcare providers, as well as the paradigm shift that is necessary to equip these organisations against cybercriminals.

Looking for a quick buck: ransomware

Ransomware attacks are rampant across all sectors, but a recent report by Checkpoint Security revealed that this type of attack is of particular concern for healthcare institutions. In January 2021, ransomware attacks against healthcare orgs had jumped about 45% since early November the previous year. The spike followed an alarming 71% increase in the October of 2020. According to the same report, at the beginning of this year healthcare providers were facing an average of 90 attempted attacks every single day.

The reason behind cybercriminal’s determination to breach the security of hospitals and healthcare providers is simple: leverage. There is nothing that will motivate a victim to pay up more than endangering the health and safety of individuals. Furthermore, the value of medical information is even higher than other types of personal identifiable information. Double-extortion ransomware, whereby threat actors steal data before encrypting their target’s systems, has become the norm among cybercriminal gangs. This allows them to monetise on their efforts twice, first by asking for a payment to decrypt the data and then by threatening to publicly release the stolen information.

Nation-state sponsored espionage and disruption

The Covid-19 pandemic launched nations into something like a new “space race”, with foreign powers competing to triumph over therapy, prevention, and vaccine development. Already valuable clinical trial and research data became even more appealing to state-sponsored threat groups, so much so that in early October 2020, Philadelphia-based medical software company eResearch Technology was hit with a ransomware attack believed to have been orchestrated by a nation-state actor. In that instance, attackers were able to shut down a number of clinical trials eResearch Technology provided tools to.

IoT and operating systems

Medical devices, just like operational technology, run an operating system. When these machines are connected to the network, they can be targeted by an attacker motivated to disrupt normal functionality.

Thankfully, an attack on an MRI machine or an insulin pump hasn’t been recorded yet, but proof of concept demonstrations have been conducted by well known hackers, who have proven that this eventuality is not as far-fetched as it seems.

The matter is made worse by the fact that the OS running on these machines is often locked in, meaning that it can’t be patched, and agents-based endpoint security solutions, such as EDR, can’t be deployed on them.

How deception helps

Attackers might dispose of sophisticated tools and tactics, but the secret to beat threat actors is to think like them. Rather than repeating the somewhat depressing mantra about organisations having to be right all the time while bad actors only need to be right once, we need to shift security postures to make sure we make it too time-consuming and expensive for a hacker to launch an attack.

Improving detection capabilities is a key component of shifting this paradigm, and deception can be an invaluable tool to achieve it. Rather than limiting detection capabilities at the endpoint level, and rather than relying solely on signatures, deception allows organisations to stop lateral movement, even when other layers of defence have failed. By distributing deceptions that mimic genuine IT assets throughout the network, attackers are essentially trapped in a net of fake connections that will trigger an alert if an exploit is attempted. Instead of relying on traditional signatures, deception technology alerts are generated by real attacker movements within a network.

Alerts are generated in real time, meaning that the IT team will know about an attack as it starts unfolding and will be able to mitigate the incident before any critical system can be accessed.

As threats continue to mount for organisations in the healthcare sector, understanding the mindset of an attacker and implementing a strategy that can flag suspicious behaviour in real time, whether around or within the perimeter, is literally a matter of life or death.

By Robert Golladay, EMEA and APAC director at Illusive

According to the 2020 IBM Cost of a Data Breach Report, the monetary cost of recovering from a cyberattack is significantly higher for healthcare organisations than for companies operating in any other sector. The price tag increased by 10% between 2019 and 2020 and currently sits at around $7.13 million.

But more concerning than monetary losses is the human cost that a successful cyberattack targeting healthcare providers can have. In the November of 2020, German officials attempted to prove that the death of a patient was the direct result of a ransomware attack that shut down a hospital’s infrastructure and forced medics to turn the ambulance away, thus delaying life-saving treatment.

Since the Wannacry ransomware attack against the UK’s National Health Service in 2018, the specter of cyberattacks has loomed large on healthcare institutions. Whether it’s a data breach that exposes patients’ information or a more dangerous ransomware attack that encrypts data and renders systems unusable, healthcare providers have no margin of error when it comes to defending against cyber threats.

But as breaches continue to occur, we are forced to look at the inherent flaws of most healthcare institutions’ approaches to threat defence. In this article, we will explore the most common threats facing hospitals and healthcare providers, as well as the paradigm shift that is necessary to equip these organisations against cybercriminals.

Looking for a quick buck: ransomware

Ransomware attacks are rampant across all sectors, but a recent report by Checkpoint Security revealed that this type of attack is of particular concern for healthcare institutions. In January 2021, ransomware attacks against healthcare orgs had jumped about 45% since early November the previous year. The spike followed an alarming 71% increase in the October of 2020. According to the same report, at the beginning of this year healthcare providers were facing an average of 90 attempted attacks every single day.

The reason behind cybercriminal’s determination to breach the security of hospitals and healthcare providers is simple: leverage. There is nothing that will motivate a victim to pay up more than endangering the health and safety of individuals. Furthermore, the value of medical information is even higher than other types of personal identifiable information. Double-extortion ransomware, whereby threat actors steal data before encrypting their target’s systems, has become the norm among cybercriminal gangs. This allows them to monetise on their efforts twice, first by asking for a payment to decrypt the data and then by threatening to publicly release the stolen information.

Nation-state sponsored espionage and disruption

The Covid-19 pandemic launched nations into something like a new “space race”, with foreign powers competing to triumph over therapy, prevention, and vaccine development. Already valuable clinical trial and research data became even more appealing to state-sponsored threat groups, so much so that in early October 2020, Philadelphia-based medical software company eResearch Technology was hit with a ransomware attack believed to have been orchestrated by a nation-state actor. In that instance, attackers were able to shut down a number of clinical trials eResearch Technology provided tools to.

IoT and operating systems

Medical devices, just like operational technology, run an operating system. When these machines are connected to the network, they can be targeted by an attacker motivated to disrupt normal functionality.

Thankfully, an attack on an MRI machine or an insulin pump hasn’t been recorded yet, but proof of concept demonstrations have been conducted by well known hackers, who have proven that this eventuality is not as far-fetched as it seems.

The matter is made worse by the fact that the OS running on these machines is often locked in, meaning that it can’t be patched, and agents-based endpoint security solutions, such as EDR, can’t be deployed on them.

How deception helps

Attackers might dispose of sophisticated tools and tactics, but the secret to beat threat actors is to think like them. Rather than repeating the somewhat depressing mantra about organisations having to be right all the time while bad actors only need to be right once, we need to shift security postures to make sure we make it too time-consuming and expensive for a hacker to launch an attack.

Improving detection capabilities is a key component of shifting this paradigm, and deception can be an invaluable tool to achieve it. Rather than limiting detection capabilities at the endpoint level, and rather than relying solely on signatures, deception allows organisations to stop lateral movement, even when other layers of defence have failed. By distributing deceptions that mimic genuine IT assets throughout the network, attackers are essentially trapped in a net of fake connections that will trigger an alert if an exploit is attempted. Instead of relying on traditional signatures, deception technology alerts are generated by real attacker movements within a network.

Alerts are generated in real time, meaning that the IT team will know about an attack as it starts unfolding and will be able to mitigate the incident before any critical system can be accessed.

As threats continue to mount for organisations in the healthcare sector, understanding the mindset of an attacker and implementing a strategy that can flag suspicious behaviour in real time, whether around or within the perimeter, is literally a matter of life or death.