A Cybersecurity Wellness Check for the Healthcare Industry

2020 was a challenging year for almost everyone due to the global pandemic. The healthcare sector, in particular, faced many unique and daunting challenges. Healthcare organizations were under enormous pressure handling large and, sometimes, overwhelming numbers of patients. To attack a sector desperately trying to keep people alive seems particularly craven, yet that is exactly what cybercriminals did; targeting overwhelmed and stressed health systems and supply chains for financial gain.

Most global citizens want to see a stronger, healthier world, but cybercriminals want to turn a profit no matter who or what is hurt in the process. Organizations under extreme stress are more likely to provide criminals profits by paying cyber-ransoms because they absolutely cannot afford downtime—especially when that downtime puts actual lives at stake. When a patient is waiting for life-saving surgery on an operating table, sage counsel about the risks of negotiating with cybercriminals must be balanced against the cost of losing a life.

Ransomware was by far the most common cyberattack type on the health sector in 2020. As detailed in the joint alert from US CISA, FBI, and HHS, criminals infected systems with malware like Trickbot and BazarLoader and then used them to deploy ransomware like Ryuk and Conti. The threat actors often accomplished this via targeted phishing attacks. But cybercriminals didn’t stop at ransomware, other notably depraved attacks include blackmail of therapy patients in Finland, exfiltrated patient data, and targeted the supply chain for COVID-19 vaccine distribution.

Since nothing succeeds like success, don’t expect cybercriminals to abandon their attacks on healthcare any time soon. But with that said, there are many steps that organizations across the health sector can take to strengthen their digital immune system to improve response times and decrease negative impacts from attacks.

To get healthcare organizations fast-tracked to cyber-wellness, I recommend the following activities to immediately focus on, along with a list of helpful resources for more long-term, in-depth planning.

1. 3-2-1 Backups - Backups are critical for cyber-wellness. If an attacker ransoms your systems, a robust backup program can reduce downtime and eliminate the need to pay ransoms. But one backup isn’t enough—implement a program based on the 3-2-1 concept. Three copies of the backups, on two different media—such as local NAS (network attached storage) and cloud storage, and one copy kept offline to ensure it’s protected—even if the ransomware spreads to the backup systems.
2. Segment and Patch - Medical devices can’t always be patched. Sometimes vendors don’t release patches quickly, and, sometimes, the medical application running on the device is only certified to an unpatched version of the OS. This is why segmentation is an important part of any healthy network. Segmentation can be accomplished physically or using more modern techniques, like SDN (software-defined networking). Of course, for any systems that can be patched, ensure patches are tested and rolled-out as quickly as possible.
3. Manual Fallbacks for BC and IR - If your organization doesn’t have an incident response or business continuity plan, now is the time to develop and implement them. And don’t forget to do some test runs or tabletops to build muscle memory for when a real attack happens. One area where health providers should focus on is a manual or paper-based fallback that will allow patient care even when EHR or other clinical systems are down.
4. Protect Credentials: Credential exploitation is a component of almost all cyberattacks—ransomware included. Manage the credentials (rotate, enforce complexity requirements, and other best practices) and also segment the power of those credentials. For instance, by implementing privilege separation you can ensure different privileged accounts are restricted in rights and access to perform a specific duty or set of duties.
5. Consider implementing Zero Trust security controls: In its strictest sense, this means not trusting anything automatically or by default. Every time there is an attempt to access a new system, step-up authentication should be applied.

We know securing a large health system or supply chain is a big job. Once you’ve tackled the three recommendations above, here are some additional resources to help get your health organization on the road to wellness for 2021 and beyond.

• Ryuk at MITRE ATT&CK (MITRE web page)
• Stop Ransomware Attacks like Ryuk with a Preventative Endpoint Security Approach (blog)
• MITRE Medical Device Cybersecurity Playbook (MITRE web page)
• HPH Sector Threat Briefs and Alerts (HHS web page)
• HHS Ransomware Fact Sheet (HHS document)
• How to Harden Medical Devices (FDA webpage)

For a more in-depth overview of cyber defense strategies for the healthcare industry, indicators of compromise, and more you can also check out my on-demand webinar: Security Wellness Check: Keeping Healthcare Safe from Ransomware & other Cyberattacks.