
Threat Condition Delta: Attack Imminent


By William Burns • September 1, 2020

Why global Healthcare business entities are under cyberattack and why it’s not going to stop anytime soon

Fallout from a breach within healthcare is far more than financial. Providers and Life Sciences organizations must consider a range of worst-case scenarios and guard themselves against evolving cyber threats. Ransomware attacks in the global healthcare space increased a whopping 350 percent during the last quarter of 2019, and the rapid pace of attacks has continued throughout 2020, according to a new report from the World Health Organization (WHO). “Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19,” said Jürgen Stock, INTERPOL Secretary General, in a statement. “The increased online dependency for people around the world is also creating new opportunities, with many businesses and individuals not ensuring their cyber defenses are up to date,” he added. “The report’s findings again underline the need for closer public-private sector cooperation if we are to effectively tackle the threat COVID-19 also poses to our cyber health.”

Healthcare Is in the Crosshairs

Medical records—whether held for ransom or hacked and sold—have become a hot commodity, with money as the motivating factor.

According to the World Health Organization (WHO), healthcare providers are targeted for three reasons:

  1. The nature of the business demands that patient care trumps concerns over cybersecurity
  2. The healthcare industry offers an ever-increasing attack surface, especially as more medical devices and machines require network integration
  3. The stolen data is profitable, fetching $40-$50 per healthcare record

When you examine the average record set of a healthcare facility, it contains a great deal of personally identifiable information (PII) and other sensitive information about individuals, including the patient’s name, billing information, date of birth, social security number, medical insurance information, and diagnostic codes or treatments. The sensitive nature of the information creates opportunities for extortion, finance-related identity theft, and obtaining medical care or prescriptions with somebody else’s medical information.

While a compromised credit card can be discovered rather quickly and cancelled, the effects of medical identity theft can be long-lasting, making the data more valuable on the black market. It might take someone years, and the receipt of collection notices for unpaid fraudulent medical claims, to discover that his or her medical information was breached.

Healthcare Facilities Must Make Cybersecurity a Priority

Because of all these drivers, many healthcare providers have not traditionally given security as high a priority in their IT management strategies as they should. However, this latest spate of attacks may be the wake-up call to start vetting vendors more closely, applying technical controls to those vendors to prevent and limit the effect of attacks, and monitoring and auditing vendor remote access with technologies such as Privileged Access Management (PAM) and Vendor Privileged Access Management (VPAM). Otherwise, “death by ransomware” may soon become a checkbox on the coroner’s report.

The Takeaway

First, the growing number of cyberattacks makes it clear that even the best preparation may not prevent a successful attack.

The number of ransomware attacks doubled in 2019 by some estimates and they can have a crippling impact. The city of New Orleans suffered a ransomware attack recently serious enough for the mayor to declare a state of emergency. In October, a network of Alabama hospitals had to stop accepting new patients because of a ransomware attack.

Healthcare providers are especially vulnerable for several reasons. We operate 24/7 and lives are at stake. Also, as the industry makes quantum leaps forward in technology, systems are increasingly complex and connected. Cybercriminals know that they can target one vulnerability in a single device and impact the entire network.

Second, have a strong response strategy, including mitigation of the spreading attack.

Ensure that backups are reliable and well-tested. Make sure you still have old standbys on paper, including phone lists and physician orders—and make sure they are easily accessible. Just as physicians place fragile patients into medically induced comas, adequately prepared IT teams power down systems, including electronic health record systems, to prevent further damage. If you don’t take these vital steps and remove malicious files, the return to normalcy will be lengthier and costlier.

Third, this menacing world of cyberattacks needs to be brought into the sunlight so we can understand the depth and breadth of the problem.

Try to commit to going public with an attack as soon as you can. Alert state and federal authorities immediately, but going public is different: you don’t want to jeopardize negotiations with your attackers, and you may be able to leverage time as an advantage. The more candid everyone is about the workings of cyberpirates, the more insight we will gain into their operations.

In this new age of active cybercrime prevention and detection, ransomware activities will continue to be a “cat and mouse game” at best as cybercriminals and their activities become increasingly complex. Organizations need to heighten their focus on what happens after their systems become compromised and ask themselves the questions in this simple health-based checklist:

  1. Will I be able to reduce my IT attack surface by consolidating onto a single backup platform?
  2. Can I defend backup from becoming a target with immutable file systems and WORM capabilities?
  3. Do I currently possess the ability to detect ransomware attacks on production IT systems with active anomaly detection?
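The third checklist question asks whether production systems can detect a ransomware attack while it is happening. As an added illustration that is not part of the original article, the script below shows the shape of one such anomaly-detection rule: it parses file-activity audit events and raises an alert when a single process renames an unusual number of files to a new extension within a short window, which is the mass-encryption pattern the article's examples (hospitals forced to stop admitting patients) are about. The log format, the process names, the thresholds (`WINDOW`, `MIN_EVENTS`, `MIN_CHANGED_RATIO`) and all sample events are constructed for this example and are assumptions, not the output of any real product.

```python
"""Toy ransomware anomaly detector over file-activity audit events.

Added example for the checklist above; everything here is constructed.
Event line format (assumed): "<ISO timestamp> <process> WRITE <path>" or
"<ISO timestamp> <process> RENAME <old path> -> <new path>".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=30)   # sliding window per process (assumed tuning value)
MIN_EVENTS = 20                  # events in the window before the rule may fire
MIN_CHANGED_RATIO = 0.8          # share of those events that swapped the extension

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\S+) (?P<action>WRITE|RENAME) (?P<rest>.+)$")


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m["action"] == "RENAME":
        old, new = m["rest"].split(" -> ", 1)
    else:
        old = new = m["rest"]
    return {"ts": datetime.fromisoformat(m["ts"]), "proc": m["proc"],
            "action": m["action"], "old": old, "new": new}


def ext_changed(ev):
    """True when the event left the file with a different extension than before."""
    return PureWindowsPath(ev["old"]).suffix.lower() != PureWindowsPath(ev["new"]).suffix.lower()


def detect_bursts(events):
    """Return one alert per process whose recent activity looks like mass re-extension."""
    alerts = []
    recent = defaultdict(deque)      # process -> events inside the sliding window
    already_fired = set()            # one alert per process keeps the SOC queue readable
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["proc"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()              # drop events that fell out of the window
        if len(q) >= MIN_EVENTS and ev["proc"] not in already_fired:
            ratio = sum(ext_changed(e) for e in q) / len(q)
            if ratio >= MIN_CHANGED_RATIO:
                already_fired.add(ev["proc"])
                alerts.append({"process": ev["proc"], "events": len(q),
                               "changed_ratio": round(ratio, 2),
                               "window_start": q[0]["ts"].isoformat(),
                               "window_end": ev["ts"].isoformat(),
                               "sample_path": ev["new"]})
    return alerts


def scan(lines):
    """Parse raw lines (skipping junk) and run the burst rule over them."""
    return detect_bursts([ev for ev in map(parse_line, lines) if ev])


def normal_activity():
    """Constructed baseline: a few ordinary document saves and one editor temp-file rename."""
    return [
        "2020-09-01T08:00:01 winword.exe WRITE C:\\Users\\alice\\Documents\\referral.docx",
        "2020-09-01T08:00:04 outlook.exe WRITE C:\\Users\\alice\\AppData\\Local\\mail.pst",
        "2020-09-01T08:00:10 winword.exe WRITE C:\\Users\\alice\\Documents\\notes.docx",
        "2020-09-01T08:00:15 winword.exe RENAME C:\\Users\\alice\\Documents\\~tmp1.tmp"
        " -> C:\\Users\\alice\\Documents\\notes.docx",
        "this line is garbage and must be ignored",
    ]


def constructed_sample_log():
    """Constructed log: the baseline plus one process renaming 25 images in 25 seconds."""
    lines = normal_activity()
    start = datetime(2020, 9, 1, 8, 2, 0)
    for i in range(25):
        t = (start + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} unknown.exe RENAME C:\\Shares\\Radiology\\scan{i:03d}.dcm"
                     f" -> C:\\Shares\\Radiology\\scan{i:03d}.dcm.locked")
    return lines


if __name__ == "__main__":
    for alert in scan(constructed_sample_log()):
        print(alert)
```

On the constructed data the baseline produces no alert (four events from one editor, only one of which changed an extension), while the `unknown.exe` burst fires as soon as its twentieth rename lands inside the 30-second window. In a real deployment the thresholds would be tuned against the site's own baseline, the rule would feed an automated response such as isolating the host or pausing the share, and the alert itself is only useful if the backups the earlier checklist questions ask about are intact and immutable.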

If the answer to any of these questions is NO, or you’re simply not convinced that your current recovery plan will stand up to today’s heightened cybercriminal activity, it’s time to start taking action.