No business is out of danger of cyberattacks today. However, specific industries are particularly at risk and a favorite of attackers. For years, the healthcare industry has taken the brunt of ransomware attacks, data breaches, and other cyberattacks.
Why is the healthcare industry particularly at risk for a cyberattack? What are the unique challenges to cybersecurity in healthcare, and how can healthcare organizations address these?
Healthcare at risk
Attackers are targeting various industries across the board. However, attackers seem to have a particular affinity for healthcare organizations. According to the IBM Cost of a Data Breach Report 2021, healthcare had the highest industry cost of a breach for the eleventh consecutive year. Additionally, healthcare data breach costs increased from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase.
However, the tremendous cost sustained by healthcare organizations for data breach events is not only due to the number of incidents. It is also due to the type and sensitivity of data related to healthcare organizations. Generally, the more sensitive and confidential the information, the more it is worth on the dark web. It has been noted that healthcare data is more valuable on the dark web than credit card data.
Healthcare organizations have particularly been a target of ransomware attacks, which have prompted several special warnings from the FBI and others to help protect healthcare organizations, including hospitals, from attacks. Note the following:
- October 28, 2020 - A joint cybersecurity advisory coauthored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS), issued a warning to healthcare providers to protect against TrickBot malware leading to ransomware attacks using the Ryuk ransomware.
- May 20, 2021 - The FBI released a bulletin warning of Conti ransomware attacks impacting healthcare and first responder networks. In the bulletin, the FBI said it had identified at least 16 Conti ransomware attacks targeting US healthcare and first responder networks.
- August 25, 2021 - The FBI warned healthcare organizations of the threat of the Hive ransomware, first observed in June 2021, and likely operating as affiliate-based ransomware that both encrypts and exfiltrates data.
Ransomware poses an extremely dangerous risk for healthcare organizations. Due to the sensitive nature of the data maintained by healthcare organizations, ransomware provides a perfect storm of "worst case" outcomes for hospitals and other healthcare-related businesses. Not only does modern ransomware encrypt the victim's data, often it leaks the data to the dark web, the worst possible outcome for sensitive patient records.
Factors leading up to the compromise of healthcare organizations
So, what other factors lead to the high risk of attack on healthcare institutions? Let's consider the following:
- High-risk networked medical devices
- Insecure interconnected medical networks
- Lack of cybersecurity training
- Weak or breached passwords
- Outdated legacy technologies
1 — High-risk networked medical devices
Often, we hear about the risks of IoT devices. These are essentially simple networked devices that perform a specific function. For example, many networked medical devices in healthcare organizations such as hospitals transmit health statistics, data, charting, records, and many other data types. The sheer number of devices used in a hospital setting dramatically increases the attack surface.
Medical devices may not be patched with the latest security updates for the underlying operating systems, firmware, drivers, etc. In addition, medical devices may be logged in and left unattended. All of these factors and others lead to an increased cybersecurity risk for healthcare organizations.
Organizations must ensure they have a proper inventory of any connected medical devices and adequate monitoring and patching schedules as needed to remediate security vulnerabilities.
2 — Insecure interconnected medical networks
The networks of large hospitals may be connected with smaller and less secure physicians' offices. While interconnected networks allow information to be exchanged quickly and easily, they can also give hackers an easier path to the target they are generally after: hospital networks and the data they contain.
Doctors' offices may use legacy and antiquated network and end-user devices running old and outdated security protocols. Endpoints may not be patched appropriately and may be regularly logged into using administrator credentials. Visiting a single malicious website could open the door for malware, ransomware, or another compromise to first infiltrate the smaller network and then pivot to the connected hospital network via open ports and other allowed communications.
Implementing zero-trust network connectivity between all connected networks and ensuring least privilege access to resources across the board will help bolster the security of sensitive patient records.
3 — Lack of cybersecurity training
While medical professionals have some of the most extensive training globally, unfortunately, cybersecurity is not part of it. As a result, many medical professionals, like other business professionals, are not adequately trained to recognize phishing emails, malicious websites, or other malicious software. On top of the risks associated with medical devices and interconnected medical networks, this adds to the threat to healthcare organizations.
Healthcare organizations must mandate regular and systematic cybersecurity training for all healthcare employees to ensure the end-users are trained in scrutinizing all network communications, emails, and other tactics attackers use for social engineering and phishing attacks.
4 — Weak or breached passwords
According to the IBM Cost of a Data Breach Report 2021, several alarming statistics are related to compromised credentials. These include:
- Compromised credentials account for 20% of total breach events
- Breaches caused by stolen/compromised credentials took the longest number of days to identify
- The average cost of a data breach caused by compromised credentials was $4.37 million
Healthcare organizations can undoubtedly fall victim to attacks resulting from compromised credentials, as these can be challenging to detect and allow an attacker to masquerade as someone with legitimate credentials. Additionally, even complex passwords are known to an attacker if they are on a breached password list. Such a list can give quick entry to attackers who use it in password spraying or other credential attacks.
Organizations must implement strong password policies to prevent weak passwords and use breached password protection to protect against breached passwords in the environment.
5 — Lack of investment in cybersecurity
Healthcare cybersecurity is also weakened due to the lack of investment in proper cybersecurity solutions and technologies to protect sensitive healthcare environments. A study noted that, on average, healthcare organizations spend only around 5% of their IT budget on cybersecurity while the rest is devoted to the adoption of new technologies.
As a result, attack surfaces expand while organizations lack the tools needed to properly secure the environment from cyberattacks.
A heavy burden of responsibility falls to the CIO and other business stakeholders to evangelize the need to prioritize cybersecurity spending. Risk assessments need to carefully consider the impact of a ransomware attack on sensitive patient data and the repercussions to the organization if data is leaked.
Bolstering password security in healthcare
As stated earlier, password security is a tremendous concern. Attackers often use compromised credentials to gain easy access to business networks, including those of healthcare institutions. As a result, poor password policies and a lack of breached password protection can lead to tremendous vulnerabilities across the board for accounts.
Healthcare organizations using Microsoft's Active Directory password policies as part of Group Policy lack robust tools to implement industry best practice standards of effective password filtering, protecting against incremental passwords, and breached password protection.
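The checks named above (breached-list lookup, incremental passwords, username in the password) can be sketched in a few lines. This is an added Python example, not code from Specops or Microsoft; the breached set, the function names, the sample passwords and the 12-character minimum are all constructed for illustration.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus, kept as SHA-1 digests
# so the checker does not hold the plaintext list.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("Winter2021!", "P@ssw0rd123", "Nurse#Station7")
}

def is_complex(password):
    """Classic four-class complexity test: upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return all(re.search(c, password) for c in classes)

def is_breached(password):
    """Exact-match lookup against the breached set, by hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest() in BREACHED_SHA1

def _skeleton(password):
    """Lower-case the password and collapse every digit run to a placeholder."""
    return re.sub(r"\d+", "#", password.lower())

def is_incremental(new, old):
    """True when new is old with only its digit runs (or letter case) changed."""
    return (new != old and bool(re.search(r"\d", old))
            and _skeleton(new) == _skeleton(old))

def check_password(new, old, username, min_length=12):
    """Return rejection reasons; an empty list means the password is accepted.

    min_length is an assumed policy value, not one taken from the article.
    """
    reasons = []
    if len(new) < min_length:
        reasons.append("too short")
    if username and username.lower() in new.lower():
        reasons.append("contains username")
    if is_breached(new):
        reasons.append("found in breached list")
    if is_incremental(new, old):
        reasons.append("incremental change of current password")
    return reasons

if __name__ == "__main__":
    for candidate in ("Nurse#Station7", "Autumn2022!x", "lantern-orbit-velvet-quay"):
        print(candidate, check_password(candidate, "Autumn2021!x", "jdoe"))
```

The first sample passes a four-class complexity rule yet is rejected because it appears in the breached set, which is the gap a complexity-only policy leaves open.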
Specops Password Policy is a robust password policy solution that adds key features to existing Active Directory password policies, including industry-leading breached password protection. With Specops Password Policy, healthcare organizations can provide continuous breached password protection for user accounts with a push-button approach.
Specops Complete API Breached Password Protection
In addition to the robust breached password protection functionality provided by Specops Password Policy, it provides the following:
- Easy implementation of multiple password dictionary lists to block specific passwords customized for your organization
- Breached Password Protection covers over 2 billion breached passwords and growing, including passwords found on known breached lists as well as passwords being used in attacks happening right now
- Find and remove breached passwords in your Active Directory environment
- Informative client messaging
- Real-time, dynamic feedback at password change
- Customize password expiration based on password length, known as length-based password expiration
- Block usernames, display names, specific words, consecutive characters, incremental passwords, and reusing a part of the current password
- Granular, GPO-driven targeting for any GPO level, computer, user, or group population
- Passphrase support
- Supports over 25 languages
- Use Regular Expressions to customize password filtering further
Test it out for yourself with a free trial of Specops Password Policy.