By Peter Draper, EMEA director at Gurucul

Two years into a global pandemic, healthcare providers are just now starting to catch their breath. But if overworked staff and overpacked facilities weren’t enough, another threat loomed over hospitals in recent years: cyberattacks.

Threat actors have certainly ramped up their efforts and started launching increasingly sophisticated and high-profile attacks that, in 2021 alone, impacted more than 22.64 million patients. In fact, SC Magazine reported this January that the 10 largest healthcare breaches that happened last year each impacted more than 1 million patients. These numbers only account for the incidents that fell under the Health Insurance Portability and Accountability act, so it’s likely that many more compromises happened and were simply dealt with internally, without involving authorities.

More worrying than exposed patients data is the impact of ransomware, which, according to the Ponemon report “The Impact of Ransomware on Healthcare During COVID-19 and Beyond”, is leading to increased patient deaths. In fact, nearly one-fourth of the 597 surveyed institutions reported an increase in mortality rates, which is a reminder of how this type of cybercrime directed to hospitals and healthcare providers becomes a matter of life and death, rather than just economic and operational.

According to the same Ponemon report, the confidence of Health Delivery Providers (HDOs) in their ability to mitigate and respond to the risks posed by ransomware has also decreased. Post-COVID, 61% HDOs said they are not sure their organisation is prepared against cyberattacks, as opposed to 55% before the pandemic.

The impending threat of ransomware is reflected by the increased budgets that healthcare organisations are allocating to cybersecurity, which rose by 15% in 2022. But while increased spending is certainly a move in the right direction, it is equally important for this extra investment to be made towards tools that can simplify and streamline security operations and can provide visibility into the most common blind spots.

Redefining “Normal”

Behavioral Analytics approaches are based on a set baseline that represents normal activity and serves as a benchmark for IT staff and SOC analysts to identify deviations that might be considered suspicious. The pandemic, however, completely redefined what is normal and what is not. Some systems saw a significant increase in activity, which also translated into different traffic and data patterns.

In situations of emergency, especially when it comes to people’s health, it’s normal for operations to come first, security second. However, this means that the shift in the patterns of activity can be exploited by threat actors to cover their tracks. Traffic patterns and activity on healthcare systems is very dynamic and constantly changing, based on infections, hospitalisations, and deaths. These constantly changing baselines make it hard for analysts to determine what is normal and what isn’t.

The unique challenge of securing medical devices

Securing medical devices represents a unique challenge for hospitals and healthcare providers. Medical devices run an operating system (OS), which is often locked in and can’t be updated. But while OS are designed to have a lifecycle spanning a couple of years, medical devices are often large investments made by hospitals with the intention of using the machine for decades.

Many of these devices are connected to the hospital’s network, which represents a huge risk factor. An attacker could leverage those unsecured entry points to gain a foothold, move laterally through the network and eventually reach sensitive servers. ComputerWeekly recently reported recently that some 41% of NHS Trusts in the UK don’t have a real-time register relating to IoT assets, which further confirms how the issue of visibility and patching of medical devices is widespread.

Insider Threat

Much like in any other enterprise, employees are the first and the last line of defence against cyberattacks. But, by virtue of being human, they are prone to errors, or might be enticed by the prospect of making a quick profit.

Whether it is a rogue employee looking to access the file of a famous patient or an employee’s identity being compromised through phishing and exploited to escalate privileges, healthcare organisations need to be cognisant of this threat and need to put the appropriate controls in place. One of the most effective solutions is User and Entity Behaviour Analytics (UEBA), which relies on a defined baseline pattern of behaviour to identify any deviation that should be considered suspicious.

Ransomware looms large

The motivation behind most of today’s ransomware attacks is economic. Threat actors look for potential targets that are likely to have a cyber insurance policy, or whose pockets are deep enough that they can afford to pay the ransom. They also look for organisations that can’t afford downtime, and that is definitely the case for healthcare providers, who will feel incentivised to pay up in order to be able to continue saving people’s lives. Locking personnel out of systems that provide essential information and care for patients usually requires an immediate capitulation, no matter what the price.

Data for sale

Patient information is incredibly valuable to attackers. Like most personal identifiable information (PII), medical data can be sold on the dark web for a profit, can be used as part of other types of attacks, or can be leveraged to extort a ransom.

In some darker cases, medical information can also be used to blackmail individuals based on their medical condition. Fraudsters are also known to socially engineer sophisticated scams that gain the victim’s trust through the intimate knowledge of their health conditions.

Prevention is better than the cure

The extreme consequences that a successful cyberattack can have on healthcare providers make it paramount for those organisations to be even one step ahead of what attackers are doing today, but also what they will be doing tomorrow. This can be achieved with a risk-based approach.

Signature-based models are reductive and rely on historical data and statistical models to detect individual events, which then need to be analysed and manually linked together. This is time-consuming and error-prone. For such a critical, but also resource-strapped sector, optimisation and precision are key, which is why it is essential to opt for tools that allow for events to be prioritised effectively, and for new threats and intrusion tactics to be discovered before they can cause harm.