The healthcare industry is under attack like never before. What started as an increase in criminal activity during the early days of the COVID-19 pandemic has evolved into a full-scale crisis for the global healthcare industry. The recent destructive ransomware attacks against Scripps Health in San Diego, the national health service of Ireland, and the Waikato hospitals in New Zealand show both the global nature of the threat and the general level of risk in the industry.
Cybercriminals have targeted healthcare for a long time because of the valuable personal and financial information it holds. However, the shift to more dangerous and destructive strategies (such as ransomware extortion and double extortion) puts enormous weight on this critical service sector.
Although these attacks have clearly increased since last year (a 123% rise in ransomware and 25% in data breaches, according to the figures cited), they did not come out of nowhere.
While COVID-19 has put tremendous pressure on the healthcare system, pushing employees and budgets to the limit, in most cases attackers have been exploiting the same security flaws that have plagued the industry for a long time.
Electronic Health Records seen as an expanding attack surface
Over the last twenty years, healthcare's attack surface has grown considerably, specifically with the adoption of electronic health records (EHRs) and wireless medical devices and with the rise of telemedicine and remote work, both of which were accelerated by the pandemic.
Because of the transition to EHRs, ransomware and data theft attacks have become far more expensive and damaging for healthcare institutions. With that, the likelihood that a cyberattack cripples a hospital's basic ability to operate has also increased. New connectivity features in medical devices mean critical equipment is now more directly exposed to cybercriminals.
The rush to enable remote work has given attackers a way into healthcare networks through employees' remote connections.
A particular concern is the extensive use of Remote Desktop Protocol (RDP) and remote access VPNs by hospital staff. When software vulnerabilities in these services are exploited, or when attackers target the end users directly, both technologies pose a serious risk to the organization.
According to some researchers, Ryuk ransomware operators are increasingly targeting RDP, especially in the healthcare sector. In 2020, attacks on RDP increased by 768%, and remote-access VPNs were targeted as well. One threat actor, TrueFighter, was documented attempting to sell admin-level access to a hospital for $3,000.
Ransomware operators have also gained access to hospital networks by exploiting VPN vulnerabilities in the Citrix ADC controller and Pulse Connect Secure.
Another problem in the healthcare industry: unpatched systems and old devices
The use of outdated and/or unpatched systems and devices is a long-running problem in the medical industry. It can largely be attributed to budgetary pressure, both on fielding a well-equipped IT security operation and on the cost of the equipment itself.
Medical equipment such as MRI machines is a good example: it is expensive, so hospitals usually hold on to these devices for years, or even decades, past their prime. As a result, this hardware often relies on outdated and unsupported versions of Windows to control systems such as MRI, X-ray, and CT scanners.
Research published last year found that 83% of medical imaging equipment in hospitals, such as MRI and mammography machines, was running unsupported Windows operating systems and remained unpatched against well-known vulnerabilities.
The problem is not new. HIPAA Journal reported on three hospitals infected with malware through old medical devices (the attackers used "ancient exploits" against Windows XP), despite modern cybersecurity defenses being installed on the wider network.
Along with medical devices, hospitals also struggle to patch other software and devices. In 2014, researchers found that one large healthcare company was exposing information about 68,000 systems connected to its network. Those same systems had also not been patched against a six-year-old vulnerability in their version of Windows XP.
Lack of proper network segmentation
To make matters worse, hospitals often lack adequate network segmentation, which increases the organization's overall attack surface and the risk of lateral movement by an intruder. The exposure of medical devices is a particular concern because they are usually connected to, and reachable from, the main network.
Because these networks host so many old devices, the industry's weak commitment to segmentation is a real problem. Hospitals should routinely use VLANs, subnets, firewalls, and access control lists (ACLs), but these are rarely implemented thoroughly.
A 2019 study found that 49% of segmentation deployments in healthcare used fewer than 10 VLANs to support all medical systems, and almost half of the healthcare organizations in that group used only one VLAN. A follow-up study in 2020 found that 60% of healthcare organizations were placing IT devices (printers and computers) in the same VLANs as medical devices.
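The three weaknesses described above (RDP reachable from outside, imaging hosts on unsupported Windows builds, and clinical devices sharing a VLAN with general IT equipment) can all be checked against an asset inventory and a firewall rule set before an attacker does it for you. The script below is an added example, not code from the original article or from any of the studies it cites. The inventory, VLAN numbers, firewall rules, and the list of "unsupported" Windows versions are constructed for the demonstration and do not describe any real hospital network.

```python
"""Audit a constructed hospital asset inventory and firewall rule set for
mixed clinical/IT VLANs, unsupported Windows builds, and externally
reachable RDP. All data below is made up for this example."""

from collections import defaultdict
from ipaddress import ip_network

# Windows builds assumed, for this example, to be out of security support.
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2003", "Windows Server 2008"}

# Device roles treated as clinical/medical devices (assumption for the example).
CLINICAL_ROLES = {"imaging", "infusion", "monitor"}

# Constructed inventory: (hostname, role, vlan, operating system)
INVENTORY = [
    ("mri-01", "imaging", 10, "Windows XP"),
    ("ct-02", "imaging", 10, "Windows 7"),
    ("ward-pc-14", "workstation", 10, "Windows 10"),
    ("printer-3f", "printer", 10, "Embedded"),
    ("pump-a7", "infusion", 20, "Embedded"),
    ("mammo-05", "imaging", 20, "Windows 10"),
    ("ehr-app-01", "server", 30, "Windows Server 2019"),
    ("xray-04", "imaging", 30, "Windows Server 2008"),
]

# Constructed firewall rules: (source, destination, dst port, action).
# "any" stands for 0.0.0.0/0 or any port.
FIREWALL_RULES = [
    ("any", "10.30.0.5/32", 3389, "allow"),          # RDP from the Internet to the EHR server
    ("10.30.0.0/24", "10.10.0.0/24", 104, "allow"),  # DICOM from the app VLAN to imaging
    ("any", "10.30.0.0/24", 443, "allow"),           # HTTPS to the app VLAN
    ("any", "any", "any", "deny"),                   # default deny
]

# Address space assumed to be internal to the hospital (example value).
INTERNAL = ip_network("10.0.0.0/8")


def mixed_vlans(inventory):
    """Return {vlan: sorted roles} for every VLAN that carries both clinical
    and non-clinical devices, i.e. where an IT host could reach a medical one
    without crossing a firewall."""
    roles_by_vlan = defaultdict(set)
    for _host, role, vlan, _os in inventory:
        roles_by_vlan[vlan].add(role)
    return {
        vlan: sorted(roles)
        for vlan, roles in roles_by_vlan.items()
        if roles & CLINICAL_ROLES and roles - CLINICAL_ROLES
    }


def unsupported_hosts(inventory):
    """Hostnames running an operating system that no longer receives patches."""
    return sorted(host for host, _role, _vlan, os in inventory if os in UNSUPPORTED_OS)


def unsupported_share(inventory, role="imaging"):
    """Fraction of devices with the given role that run an unsupported OS."""
    devices = [d for d in inventory if d[1] == role]
    bad = [d for d in devices if d[3] in UNSUPPORTED_OS]
    return len(bad) / len(devices) if devices else 0.0


def _is_external(source):
    """True if the rule's source is not confined to the internal address space."""
    if source == "any":
        return True
    return not ip_network(source).subnet_of(INTERNAL)


def exposed_rdp_rules(rules, rdp_port=3389):
    """Allow rules that let a non-internal source reach TCP/3389 (RDP)."""
    return [r for r in rules if r[3] == "allow" and r[2] == rdp_port and _is_external(r[0])]


if __name__ == "__main__":
    print("VLANs mixing clinical and IT devices:", mixed_vlans(INVENTORY))
    print("Hosts on unsupported OS:", unsupported_hosts(INVENTORY))
    print("Share of imaging devices on unsupported OS:", unsupported_share(INVENTORY))
    print("RDP exposed to external sources:", exposed_rdp_rules(FIREWALL_RULES))
```

Run against a real inventory export, the same three checks give a hospital a short, prioritized list: which VLANs need splitting, which imaging hosts must be isolated behind a firewall until they can be replaced, and which firewall rules expose RDP and should be removed in favor of VPN access with multi-factor authentication.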
Third-party security risk
Hospitals have an extremely diverse third-party ecosystem, which brings many security challenges. These third parties range from external doctors, medical clinics, and diagnostic laboratories to software providers, insurers, billing services, equipment vendors, service providers, and other contractors.
A compromise of any of these third parties can directly affect the hospital, because these outside companies either hold patient information or have some form of privileged access to the hospital's network. In recent years this has happened so often that the cases are hard to count. Among the more notable ones of the last two years are the AMCA, Dominion National, Dental Care Alliance, and Central Files data breaches, as well as the ransomware attack on Blackbaud.
Uptime matters for any company, but it is critical for hospitals, which rely heavily on digital systems such as EHRs, clinical information systems (CIS), and point-of-care terminals to operate safely and effectively. Any disruption of these services affects patient care and may even put lives at risk.
This further complicates incident response and remediation. The decision to take systems offline to isolate a threat and prevent lateral spread must be weighed against the impact this will have on critical medical services and on patients' needs.
Putting security first
These cyberattacks on healthcare will not stop once the pandemic is over. Hospitals must take more aggressive action to harden themselves against these attacks, and they need to invest more in cybersecurity.
Essential parts of a defense-in-depth strategy include:
- network segmentation
- timely patching
- software/firmware updates
- secure data backups and strict access controls
As the world was reeling from the pandemic, in March 2020 volunteer groups such as the CTI League and the COVID-19 Cyber Threat Coalition were formed by information security professionals to provide free cyber threat intelligence to healthcare and hospital security teams.
While these groups were successful and demonstrated the impact that security awareness can have against threat actors, they were only a stopgap for a much bigger problem.
Healthcare is critical to any country, and keeping it safe from malicious activity is possible only through joint efforts by the public and private sectors. Advanced defensive tools should be more accessible to the healthcare sector, information sharing between organizations must be encouraged, and collaboration across all sectors to protect these life-saving industries should be the norm, not the exception.