Alexandra Vieru, Solutions Architect, for Medical Tech Month at CMS Distribution.
Cyber-attacks are up 125 percent since 2010 and are the leading cause of health data security breaches. What makes the healthcare industry such an attractive target for cybercrime and are healthcare providers equipped with quality IT security infrastructure to defend against these attacks?
Cyberattacks are in many ways a hostage situation, where the hostage is digital data that is valuable to an organisation. Healthcare systems are mission-critical environments, where quick access to data and devices has a direct impact on people’s lives. Uninterrupted critical services are vital for patients relying on them for treatment (cancer, dialysis etc.), surgery (e.g. a heart transplant) or pre/post care (scans, intravenous therapy, monitoring devices etc.). Not to mention patient records and treatment plans.
This makes healthcare facilities key targets for cybercriminals, as they can’t afford to lose that vital, continuous access to extremely valuable information.
Another element that makes them appealing targets is the extremely complex infrastructure – we’re talking hundreds or thousands of PCs in multiple locations, with patients’ personal and medical data, emails and applications, as well as phone lines, a huge variety of medical devices connected to the internet and unique network infrastructure. When we look at large and complex environments, we also recognise the increased number of potential vulnerabilities of the respective security systems – in other words, more opportunities for security breaches.
The massive increase in attacks over the last few years has made a strong case for organisations in both the public and private sectors to invest more in security solutions, but cybercriminals are not idle either. Their attacks are becoming more sophisticated and effective each year, and you may be familiar with the term for this: social engineering. This is delivering malware through the manipulation of human emotions. Social engineering uses so-called ‘phishing’ techniques via email, instant messages, social media, and more. The goal is to trick the user into downloading a file or clicking a link or image, which leads to compromising the information on a particular machine and eventually the entire network.
The recent attacks against health care systems and big corporations such as KP Snacks, Nvidia, OKTA, Microsoft and others have highlighted that security breaches can happen even to the best prepared. It’s not just about investing in the best security systems; it is also about people (staff, customers or business partners) who can be tricked into giving away credentials that then can be used to access the system.
The good news is we have effective and efficient tools combined with strong cyber security insights to deal with all these issues and we’re working very closely with our vendors to provide the best possible protection against the most complex and zero-day attacks. Our conversations with IT Administrators and C-level Managers cover their specific requirements (each environment is unique!): from pen-testing, health checks and patch management, secure MFA, backup and archiving (on-prem and cloud), disaster recovery plans, email protection, web and applications security, DLP (data leak prevention), to complex XDR, SIEM, SOAR solutions but also cyber security training designed for their staff.
Paying a ransom does not compensate healthcare institutions for the loss of revenue while their systems were inaccessible, nor does it reverse the exposure of sensitive patient data. So, what are some modern-day threats and vulnerabilities that the healthcare sector needs to be aware of to prevent ransomware attacks?
Sadly, the most recent threat reports show that over 80% of the UK healthcare organisations suffered a ransomware attack in 2021. A survey of 100 cybersecurity managers in the health sector found that 38% of UK healthcare organisations chose to pay a ransom to get their data back while 44% of them admitted they had refused to pay a demand but lost their healthcare data as a result.
Top types of attacks reported from the healthcare system:
- No. 1 consists of phishing email attacks and impersonation that exploit human emotions, as mentioned earlier. For example, during the pandemic, many cybercriminals took advantage of people’s fear, confusion and need for information by signing as ‘NHS’ or ‘Your local GP’ and including malicious links in messages or emails that supposedly led to important information on stats in your area, vaccine information etc. In a similar way, medical staff were being targeted with messages that invited them to click to see COVID patients’ reports, vaccine delivery status and so on.
- Secondly, zero-day or never-seen-before attacks essentially mean that hackers are constantly looking for bugs and vulnerabilities in software and will use their discoveries before anyone else notices to hack into a system or network. This is the reason why ‘patch’ management, or keeping your system up to date, is simply not enough: even the latest updates fix the old issues but do not necessarily cover new ones still to be discovered.
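The ‘NHS’ / ‘Your local GP’ lures described in the first bullet share a detectable shape: a display name that claims a health brand while the actual sender domain, Reply-To domain or embedded links point somewhere else. The following is an added example written for this article (it is not CMS Distribution’s or any vendor’s code) showing how a mail gateway or SOC script could flag that pattern. The trusted-domain allowlist, the brand keywords and the two sample messages are assumptions constructed for the demo.

```python
"""Flag display-name impersonation of a health brand in inbound mail.

Added example for this article, not vendor code. TRUSTED_DOMAINS, the
brand keywords and the sample messages below are constructed assumptions.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: the only domains allowed to sign mail as "NHS" / "GP".
TRUSTED_DOMAINS = ("nhs.uk", "nhs.net")
BRAND_WORDS = re.compile(r"\b(nhs|gp)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_trusted(host: str) -> bool:
    """True if host equals, or is a subdomain of, a trusted domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyse(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no flag."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    claims_brand = bool(BRAND_WORDS.search(name))
    findings = []

    # 1. Brand word in the display name but the real sender domain is not trusted.
    if claims_brand and not _is_trusted(sender_domain):
        findings.append(
            f"display name '{name}' claims a health brand but sender domain is {sender_domain}"
        )

    # 2. Reply-To steering replies to a different domain than the sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(
            f"Reply-To domain {_domain(reply_to)} differs from From domain {sender_domain}"
        )

    # 3. Links in a brand-claiming message that lead outside the trusted domains.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if claims_brand:
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname or ""
            if not _is_trusted(host):
                findings.append(f"link host {host} is outside the trusted domains")
    return findings


# Constructed sample messages (not real mail; .example domains are placeholders).
LEGIT = (
    "From: NHS England <noreply@england.nhs.uk>\n"
    "To: patient@example.org\n"
    "Subject: Your appointment\n"
    "\n"
    "Details: https://www.nhs.uk/appointments\n"
)

LURE = (
    "From: NHS Covid Alerts <alerts@nhs-results-update.example>\n"
    "Reply-To: verify@mail-verify.example\n"
    "To: patient@example.org\n"
    "Subject: Urgent: view infection stats in your area\n"
    "\n"
    "View the stats for your area: https://nhs-results-update.example/stats\n"
)

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lure", LURE)):
        print(label, analyse(raw))
```

The legitimate message produces no findings because `england.nhs.uk` falls under the allowlist; the lure trips all three checks. In production the allowlist would come from the organisation’s own sender inventory, and the checks would sit alongside SPF/DKIM/DMARC verification rather than replace it.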
Advanced threats we see quite often in the health care industry include polymorphic malware that can repeatedly change its underlying code to avoid detection from signature-based detection tools, anti-sandbox techniques that enable the malware to detect when it is being analysed and to delay execution until after it leaves the sandbox, and fileless malware that resides only in the system's RAM to avoid being discovered. In all cases, the end goal is to encrypt critical data and request a ransom to release access to that data.
Just like in a hostage negotiation, each situation is unique and the challenges are different, but there are some tools and techniques that can minimise the impact of an attack and help you protect your most valuable assets without having to pay the ransom.
These should be part of any basic ISP (Information Security Plan) and cover different areas of a system from multiple angles:
- Use the 1-2-3 backup strategy: keep 3 copies of your data, across a minimum of 2 types of storage media (e.g. local drive, NAS, tape etc.), and store 1 of these copies offsite (e.g. public or private cloud). Make sure the backup is immutable (cannot be tampered with); solutions from vendors like Barracuda, StorageCraft and Quantum provide this.
- Next, we look at whether the environment requires a disaster recovery solution to avoid any disruption to devices and services.
- A multi-factor authentication solution that ensures legitimate access to email and on-prem or cloud applications.
- A patch management solution to ensure all software applications are up to date.
- A comprehensive monitoring, detection and response solution with forensics capabilities, to keep an eye on the health of all the elements in the network but also to investigate and analyse any unusual behaviour.
We see higher and higher demand for SOAR (Security Orchestration, Automation and Response) solutions that essentially encompass all the above: providing threat and vulnerability management, incident response and security operations automation by leveraging the latest AI capabilities and machine learning engines. We have a rich variety of vendors at CMS that provide these solutions (Acronis, Arcserve, Barracuda, Commvault, Crowdstrike, ESET, Opswat, Solarwinds, Webroot – to name a few) and our Solutions team is ready to advise customers on the right one for their environment.
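The backup rule above (3 copies, 2 media types, 1 offsite, and immutability) is easy to state and easy to drift away from: a tape that has not been written for a week still looks like a copy on a spreadsheet. The following is an added example written for this article (not CMS Distribution’s or any vendor’s code) that audits a backup inventory against the rule and only counts copies whose last successful run is within an assumed 24-hour recovery point objective. The dataclass, the `MAX_AGE` threshold and the two sample datasets are constructed assumptions.

```python
"""Audit a backup inventory against the 3-copies / 2-media / 1-offsite rule
plus the immutability requirement.

Added example for this article, not vendor code. MAX_AGE and the sample
inventory are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    dataset: str          # logical data set the copy protects
    media: str            # e.g. "local-disk", "nas", "tape", "cloud"
    location: str         # "onsite" or "offsite"
    immutable: bool       # WORM / object lock / retention lock enabled
    last_success: datetime  # timestamp of the last verified successful run


MAX_AGE = timedelta(hours=24)  # assumed recovery point objective


def audit(copies, now, max_age=MAX_AGE):
    """Return {dataset: [issues]}. An empty issue list means the rule is met.

    Copies older than max_age are reported and excluded from every count,
    so a stale offsite tape does not satisfy the offsite requirement.
    """
    by_dataset = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)

    report = {}
    for name, dataset_copies in by_dataset.items():
        issues = []
        fresh = [c for c in dataset_copies if now - c.last_success <= max_age]
        stale = len(dataset_copies) - len(fresh)
        if stale:
            issues.append(f"{stale} copy/copies older than {max_age} ignored")
        if len(fresh) < 3:
            issues.append(f"only {len(fresh)} current copies (need 3)")
        media = {c.media for c in fresh}
        if len(media) < 2:
            issues.append(f"only {len(media)} media type(s) (need 2)")
        if not any(c.location == "offsite" for c in fresh):
            issues.append("no current offsite copy")
        if not any(c.immutable for c in fresh):
            issues.append("no current immutable copy")
        report[name] = issues
    return report


# Constructed sample inventory: one compliant data set, one that has drifted.
NOW = datetime(2022, 4, 1, 8, 0, tzinfo=timezone.utc)
INVENTORY = [
    BackupCopy("ehr-db", "local-disk", "onsite", False, NOW - timedelta(hours=2)),
    BackupCopy("ehr-db", "nas", "onsite", True, NOW - timedelta(hours=3)),
    BackupCopy("ehr-db", "cloud", "offsite", True, NOW - timedelta(hours=5)),
    BackupCopy("pacs-images", "local-disk", "onsite", False, NOW - timedelta(hours=1)),
    # Offsite tape exists on paper but has not been written for ten days.
    BackupCopy("pacs-images", "tape", "offsite", True, NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for dataset, issues in audit(INVENTORY, NOW).items():
        print(dataset, "OK" if not issues else issues)
```

The `ehr-db` data set passes; `pacs-images` fails on every count once the ten-day-old tape is excluded, which is the situation this check is meant to surface before a restore is needed rather than during one.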
All these measures are focused on protecting the data inside a network from multiple angles. What happens though with the information that is being shared with suppliers, staff, or patients’ devices? We always recommend a digital risk protection solution such as Skurio that will offer intelligence around any potential attacks being planned on the surface, deep or dark web.
Any clinician, healthcare worker or caregiver connected to the hospital network can threaten the cybersecurity of the institution. What relevant end-user training can be given to workers to mitigate inadvertent data leaks?
There’s a saying: you are only as strong as your weakest link. As many people know, Microsoft has recently confirmed that one of their employees was compromised by the Lapsus$ hacking group, allowing the threat actors to access 37GB of their source code. The reason I’m giving this example is that there’s a misconception that big IT corporations such as Microsoft, Google, IBM etc are completely secure because of the nature of their business.
The truth is, the wider the organisation, the greater the chance that there is at least one employee who might be used as that ‘weak link’ through social engineering methods to break into a system.
This is why solutions like Barracuda’s Security Awareness Training are so important. Organising campaigns and having that conversation openly on a regular basis keeps the information about cyber threats fresh and people more vigilant.
What are some factors healthcare providers ought to consider when investing in Disaster Recovery Plans?
As mentioned earlier, a backup and DR plan is essential for mission-critical environments such as healthcare systems. It’s worth investing the time and budget to ensure the continuity of core services and operations when it comes to saving people’s lives. It’s simply a risk/cost analysis and, of course, choosing the right solution.
Natural disasters, accidents, malicious actions of disgruntled employees or sophisticated cyber-attacks can’t always be avoided but a DR solution will help protect ‘the crown jewels’ and quickly restore those core, vital services in any event.