Through the challenges of the pandemic, the stories of resilience and overcoming adversity have kept us smiling despite everything. They showed that no matter how hard things were, there are always positives to be found.

But the sad reality is that there are some bad actors who look to take advantage of the chaos for personal gain. This has led to scams, misappropriation of aid and more – resulting in potential harm for millions of people around the world.

One such issue that is becoming more commonplace is the rise in cyberattacks on medical facilities like hospitals and labs, leaving their data exposed or holding their systems to ransom. These attacks are not only costing institutions millions but also putting people at risk and slowing down relief efforts.


To find out more about these issues and to discuss the findings from their latest report “Building Immunity: The 2021 Healthcare and Pharmaceutical Industry Cyber Threat Landscape Report”, we spoke to Paul Prudhomme, who heads Threat Intelligence Advisory at IntSights, a Rapid7 company. Paul has a long career in cyber defence, having served as a leader of the cyber threat intelligence subscription service at Deloitte.

We wanted to get a better understanding of the threats in the industry and the potential impact on healthcare in general. Paul was kind enough to share his time with us to give us insight into the growing threat of cyberattacks on healthcare.

An interesting finding in the report touched on usability. How do you suggest industries balance security and usability depending on their needs?

It has always been a tough call when it comes to the balance between security and usability. Industries have to look at their business and operational needs to strike that balance. It comes as no surprise that an industry such as financial services would focus more on security, given its high desirability as a target for criminals and its critical need to maintain customer trust. 

When it comes to the healthcare industry, usability often comes first. Time is of the essence when faced with life-or-death situations and no healthcare provider would want any interruptions, downtime or inconveniences that could potentially slow their ability to respond to urgent needs. The trade-off for usability is that it can leave organizations vulnerable and, coupled with the high value of healthcare data these days, makes these organizations more attractive targets for cyberattacks.

It is critical for security teams to scrutinize their operations and find the best ways to improve security posture with minimal impact on usability. For example, implementing multi-factor authentication (MFA) via mobile authenticator apps, rather than SMS, is better both from a security perspective and from a usability perspective. Organizations can also look at ways to increase security that have minimal consequences such as disabling RDP services that no one is using or disabling VPN credentials or other remote access services as employees return to physical workplaces to minimise avenues for cyber attacks. 

What is your estimation of the current cybersecurity threat risk for the global (and SEA) healthcare industry?

The healthcare industry globally is facing increasing threats. In 2020, more large healthcare data breaches were reported than in any other year in the US. In addition, 2021 has seen five consecutive months (March through July) in which industry data breaches have been reported at a rate of two or more per day. 

The COVID-19 pandemic has caused a massive transformation of the healthcare threat landscape. Healthcare organizations bearing the burden of large numbers of COVID-19 patients may be more vulnerable to compromise due to overwhelmed employees, vulnerable ventilators, or other factors. Ransomware operators may also perceive that the burden of large numbers of COVID-19 patients makes healthcare organizations more vulnerable to extortion. The COVID-19 pandemic has also greatly expanded and increased the exposure of patient data in the form of COVID-19 testing and vaccination records, which criminals now buy and sell on underground forums. Pharmaceutical companies have also become more desirable targets for threat actors, including cyber espionage groups, that seek access to COVID-19 vaccine research.

Another interesting point raised in the report focused on the problem with compliance and regulation. Give us some insight into the issues. 

The last thing that we want is for healthcare organizations to have a ‘false sense of security’. With the healthcare and pharmaceutical industry being heavily regulated, organizations would comply with the security standards in accordance with healthcare laws and regulations. The issue arises if they think that is sufficient and just stop there. 

The threat landscape is evolving at a rapid pace, faster than any security regulations would be able to cover. Attackers are more than likely to find ways that are beyond the current security requirements with the latest tools or tactics. 

It is imperative for healthcare organizations to treat the industry’s security standards as a bare minimum and seek to go above and beyond what they require.

What should healthcare facilities be doing right now to prepare themselves for potential attacks?

Prioritization is key. With the global pandemic, many healthcare and pharmaceutical organizations are already overstretched. It is best to address the most critical vulnerabilities first to avoid being overwhelmed. 

Here are some recommendations for the industry: 

• A prioritized asset inventory, which ranks devices and data sets according to their respective levels of risk, can help organizations allocate resources to wherever the need is greatest. 

• Certain devices and data sets in this industry are clearly of greater interest to attackers and should thus receive extra protection. These assets include: medical devices, which are common entry points or persistence mechanisms for network intrusions; patient data, which criminals can use for fraud and ransomware extortion and foreign governments can use for intelligence operations; intellectual property, which criminals can sell and foreign governments can use for their national economic goals; and non-clinical business records that criminals can use for fraud, such as HR and payroll records, employees’ PII, accounting and tax records, etc. 

• Additional layers of defence for these key assets can include network segmentation for sensitive devices or servers storing key data sets, the encryption of files containing these key data sets, and heightened levels of scrutiny and security hygiene for medical devices. 

• Establishing Priority Intelligence Requirements (PIR) helps determine the scope of an organization’s cyber threat intelligence needs and set priorities, based on its specific risk profiles. Healthcare organizations should prioritize the collection of cyber threat intelligence on both ransomware attacks and the theft of patient records, which are top threats to such organizations. In contrast, a pharmaceutical company should prioritize the collection of intelligence on intellectual property theft. 

• A prioritized asset inventory can complement and help to refine a PIR list, as organizations can tailor their PIRs based on an assessment of which attackers are most likely to target their organizations to gain access to their most valuable assets.

This post is sponsored