A wave of ransomware attacks in the United States and United Kingdom that have disrupted clinical operations and forced hospitals in both regions to turn away patients is the latest reminder of the fragility of life-saving infrastructure and how lucrative it can be for attackers looking for a payday or an opportunity to sow discord into the lives of patients.
In May, St. Louis-based Ascension Healthcare, one of the largest private healthcare systems in the United States, had to take clinical operations offline due to a breach in their system. Even more recently, several hospitals within the U.K.’s NHS were crippled when attackers launched a ransomware attack against a vendor company called Synnovis that helps manage blood transfusions and lab services in some U.K. hospitals.
The healthcare industry is one of the most sought-after sectors for threat actors today, with the average cost of a ransomware incident having risen 63% to $450,000 between 2022 and 2023. When attacking life-saving infrastructure like hospitals and care centers, these attackers know that they’ll have upper hand in any ransom negotiation, and thus can hold out in hopes of receiving more for their stolen or encrypted data.
This is unfortunately a tried-and-true strategy for attackers. A recent example occurred earlier this year, when Change Healthcare was breached due to a lack of multifactor authentication and exposed millions of American's health data. The frequency and severity of these attacks led to remarks this week from White House deputy national security advisor Anne Neuberger that the administration will soon require hospitals to adhere to minimum cybersecurity standards, as well as begin free cybersecurity training for small and rural hospitals. Healthcare organizations not only hold the keys to troves of personal and confidential information on patients; they also have mass networks of critical medical technology, and operate on complex, interconnected supply chains that involve multiple software providers and internet-connected devices.
Why does this interconnectedness of this ecosystem matter? It’s because while it is great for rapid advancements in medical care, it’s equally lucrative for opportunistic bad guys. The more integrated hospitals and care facilities are, the larger the attack surface on which bad guys can launch a social engineering scam or a malware-based attack. The most common attacks generally seen levied against the healthcare industry tend to take advantage of the older technology these hospitals run on, and usually involved long-known external facing vulnerabilities and phishing attacks.
When organizations are too busy to patch or simply unaware of these known vulnerabilities, they put themselves and their patients at risk. Likewise, when the staff at a hospital or medical facility aren't trained to recognize and report a phishing email, attackers can simply spam their targets with spoofed email addresses or realistic-looking messages until they find an employee who unwittingly gives up their credentials. The attackers know all of this and use it to their advantage.
These types of attacks are endlessly viable for threat actors because they focus on exploiting the weakest link in any given healthcare company. Organizations that are as large and interconnected as Ascension or other national healthcare providers struggle to shore up all their cyber vulnerabilities, inadvertently putting patient health and safety at risk. But when recovering from an incident, it’s critical that these victims prioritize patching external facing vulnerabilities and establishing a comprehensive top-to-bottom 24/7 security operations capability. Without these in place, the risk of a repeat, successful attack is very high.
Reducing the cyber risk in the healthcare industry is a multi-step process that should focus on establishing a baseline of cybersecurity standards, such as implementing multi-factor authentication (MFA) and identity access management principles that reduce the risk of network intrusion or stolen credentials. Privileged Access Management tools, for example, are vital to ensuring that if an attacker gets in, they are not able to elevate their privilege and easily access a company’s most sensitive data.
These tools can enable the separation of administration and normal user credentials through implementations such as Privileged Access Workstation (PAW) and Tiered Access Models, helping prevent the bad guys from accessing critical patient data once they walk through the front door. Companies should prioritize regular reviews of their privileged access pool and make the necessary changes as they are needed.
Regularly scheduling information security trainings can also help employees stay educated and alert for social engineering scams, and the IT department should be conducting annual or biannual compliance checks against themselves to ensure they’re up to date against an ever-changing threat landscape. Keeping security training lessons front of mind via micro-sessions is key versus annual bulk training that isn’t as well retained by employees.
If healthcare organizations follow these key steps, there will hopefully be less of them in the headlines for serious, patient-impacting breaches in the months and years to come.