Thank you for subscribing to the free edition of the twice-weekly Parallax View newsletter. All issues are free through March 22. After that, you’ll receive one issue per week. If you’d like to support our independent journalism on the intersection of health care and cybersecurity with a paid subscription, you can do so here. If you'd like a subscription option not available, please email: email@example.com.
Health care organizations have been on the receiving end of an unprecedented number of cyberattacks in the past year, according to two new reports, costing them millions of dollars. Yet the advice on how to make their systems more resilient hasn’t changed in years. What makes shoring up their cybersecurity so difficult?
The facts paint a brutal picture of malicious hacking against health care organizations in reports published in February from CrowdStrike and the Cyber Threat Intelligence (CTI) League. In CrowdStrike’s annual global threat report, the cybersecurity provider and research company concluded that the health care industry faces “significant threats from criminal groups.”
In 2020, malicious hackers, often sponsored or otherwise supported by nation-states, infected 104 health care organizations using 18 enterprise ransomware families, which are designed to target large organizations for high-ransom returns. The targeted organizations include not just hospitals but also biomedical and pharmaceutical companies, a trend that the report’s authors say will continue this year.
Adam Meyers, CrowdStrike’s senior vice president of Intelligence, says health care organizations, including biomedical and pharmaceutical companies, will continue to face an ongoing barrage of cyberattacks because the attackers know that they stand a good chance of succeeding.
“These ransomware families target verticals that have an operational mandate because they know that they have to be up and running. Every second that goes by, it weighs in their favor that they’re going to get paid,” he says. “The No. 1 escalation of these threat actors has been data theft—and leaking the data on a data leak site. In some cases, they leak, if they don’t get paid. In other cases, they charge the victim more to not leak the data. Others auction the data off.”
Add in the regulatory pressure from HIPAA compliance, Meyers says, and health care organizations face a proverbial perfect storm of highly motivated attacks that are likely to succeed.
The CTI League’s 2021 Darknet Report, which catalogued cybercrime activity on the Dark Web related to the Covid-19 pandemic, found that while nearly two-thirds of health care cybercrime victims were in North America and Europe, “every populated continent” suffered notable attacks against health care.
Part of the spike in attacks came from “significantly” increased demand from cybercriminals for illicit access to health care networks. The report also found that small and midsize health care organizations were targeted by cybercriminals much more than in previous years, “some of which disrupted patient care.”
“We need to make sure that health care organizations know how to protect themselves,” says Ohad Zaidenberg, lead cyberintelligence researcher at Israeli firm ClearSky Security and a co-founder of the CTI League. Installing endpoint detection and response (EDR) security software and instructing health care professionals not to open attachments from unknown or suspicious sources are “simple acts” that can stop attacks.
“The League wants to create three layers of protection for the medical sector, hospitals in particular, and other life-saving organizations. In some cases, even small and simple acts can make a huge change for them,” Zaidenberg says. Within various organizations, he adds, “People that have no experience in cybersecurity need someone to guide them, work with them, answer their questions.”
In addition to adding EDR to their antivirus software, Meyers says health care IT departments that want to avoid becoming the next ransomware victim should implement best practices:
- Apply software security update patches as soon as possible
- Segregate data
- Give access to networks and systems only to those who need it
- At hospitals, run drills like table-top exercises to train IT and health care staff to better respond to situations when computer systems have been hacked
While he says these tips are “very basic,” he acknowledges that health care organizations “haven’t been able to embrace and implement them in a meaningful way.”
Health care IT experts we spoke with agree with Meyers’ advice but say complicated computer systems and networks, as well as complex IT requirements of health care professionals, make applying best practices difficult. To determine whether external IT vendors or internal IT staff should be tasked with regular patching responsibilities, they say health care organizations need to consider their use of legacy software systems that take significant capital investment to upgrade and that use confusing cybersecurity interface designs.
Cybersecurity is too often an afterthought, says Aaron Miri, chief information officer at the Dell Medical School, University of Texas at Austin, and UT Health Austin.
Miri cites three challenges that complicate improving health care cybersecurity. He blames the U.S. Food and Drug Administration for not mandating technical cybersecurity controls, and points to the relatively recent shift to electronic medical records and “highly advanced threats” from ransomware that encrypts and exfiltrates data.
“When somebody says, ‘Just use zero trust,’ or ‘Put in a defense-in-depth stack,’ I wish it were that easy. You’re not making a pizza,” Miri says. “Health care is a transaction industry. We’re sending data, images, [and] currency back and forth every day. If you close your doors, everybody will know.”
Budgets are a concern for every industry, but health care has been seeing an especially sharp tightening of the purse strings, as resources are focused on the clinical fight against the pandemic, says Rebecca Herold, CEO of training and risk assessment company Privacy and Security Brainiacs.
“Government budget cuts put public hospitals in a bind. They can’t cut prices to the bare bones for health care and cover these next-gen types of defense. It’s an easy statement to say that you just need to raise awareness of ransomware, but it’s hard to get government leaders to understand that,” she says. “And private health care in more rural areas are struggling to keep their patients alive, let alone move forward with up-to-date security. They could use more collaboration and cooperation with tech companies to help them.”
The Gordian Knot of interconnected problems facing health care IT means that there are no easy answers, says CrowdStrike’s Meyers. But leaving health care exposed to cyberattacks is not an option, either.
“A lot of things are done in health care environments for ease of use. You don’t want to unlock a crash cart with a 24-character password,” he says. “But they need to figure out what resources they have, and prioritize cybersecurity based on their unique needs.”
Update on March 15 at 4:00 p.m. PST: Clarified a quote from Ohad Zaidenberg.