With the global rollout of Covid-19 vaccines, a new wave of cyber attacks has hit health systems.
As early as November 2020, North Korean hackers allegedly attempted an attack on drugmaker AstraZeneca by lacing job description documents with malware. In January 2021, attackers stole and altered the European Medical Association’s regulatory data about the vaccine to fuel anti-vaxxer sentiments.
These new threats loom over the healthcare security landscape, adding on to perennial concerns about personal data leaks and disruptive software. Faced with these concerns, what steps can health providers take? CyberArk investigates.
Cyber risks in healthcare
Patients’ personal data is highly valuable to cyber thieves and nation-states. Indeed, health records may be up to ten times more expensive than credit card numbers on the dark web.
It is therefore unsurprising that attacks often take the form of ransomware. Ransomware is a type of malware that encrypts an organisation’s files. Victims then have to pay attackers to retrieve their data.
For instance in 2017, e-systems in at least 16 UK regional hospitals were paralysed by WannaCry Decryptor ransomware. Britain’s National Health Service was then forced to cancel surgeries, close critical healthcare facilities, and turn away patients for several days.
Ransomware is popular amongst attackers for two reasons. First, many organisations fail to thoroughly and frequently back up their data, meaning that encryption attacks are effective.
Second, many organisations rely on traditional anti-virus software, which keeps an inventory of known malware and blocks variants of them. Ransomware files change slightly with each new update, which happens by the minute. This leaves anti-virus solutions largely ineffective.
Yet, it seems that healthcare providers are still not doing enough to promote security. A 2018 CyberArk report found that more than half of healthcare respondents believed their organisation cannot prevent attackers from breaking into their internal network.
Given these risks, how can healthcare providers minimise danger?
Think like an attacker
To effectively preempt ransomware threats, it can pay to understand a hacker’s angle of attack. CyberArk takes us through the three typical stages of an identity-based breach.
First, attackers establish an initial entry point into the organisation by gaining a valid set of credentials — any identity will do. This is often done by phishing, where less-vigilant employees can be tricked into divulging their usernames and passwords.
Next, attackers move through the network to increase their access level. They may eventually reach critical business assets such as patient information and classified files.
Finally, hackers close in for the kill. With privileged access in hand, they can obtain sensitive data, threaten to paralyse systems, and more. The result: a costly and painful negotiation process, and complex fixes that stretch already taxed security teams.
With these steps in mind, organisations should take a hard look at their vulnerabilities — be it user access points, poor employee cybersecurity awareness, or more fundamental IT infrastructure lapses — and plug these gaps as soon as possible.
Balance speed and security
In our fast-paced digital world, healthcare providers have nearly limitless opportunities to power up. Security strategies will only work if they allow businesses to move fast and operate unencumbered.
On the user end, multiple layers of complex passwords and authentication apps slow organisations down. IT teams spend an unacceptable amount of time resetting passwords, resolving account lockouts, and rolling out software and tools. Workers may also find ways and means to skirt overcomplicated processes or avoid company systems, thwarting organisational efforts at security.
Many organisations have also embraced the agility of a DevOps team, where IT teams rely heavily on automation and cloud to accelerate innovation. However, teams often hard-code privileged credentials or put security on the backburner in the name of speed. This leads to vulnerabilities in the pipeline which hackers are prone to exploit.
The sheer capabilities of healthtech mean that embracing new software is a must, not a good-to-have. But health providers also need to invest in systems that do not compromise on iron-clad security.
Embracing Zero Trust
Gone are the days when health organisations can wholeheartedly believe that all that lies within their digital environment is secure. Rather, security teams must shift focus to a “Zero Trust” model. This entails demanding verification from anything and anyone trying to connect to an organisation’s systems, mitigating risk as attacks grow more insidious.
Zero Trust is not a single measure. Rather, it blends a mix of existing strategies, from multi-factor authentication to Privileged Access Management and network segmentation, to meet each organisation’s needs.
Health providers can start with a few universal principles. They should identify and safeguard the most important and vulnerable privileged accounts, secrets, and credentials. They should prioritise these points for access controls, then gradually extend these protections to other users and applications.
They should also implement the principle of least privilege. Organisations should ascertain the exact job-scope of each user (both human and non-human) and give them just enough clearance to ensure they can smoothly complete their assigned tasks.
Lastly, security teams should continuously monitor the system’s privileged access pathway to stop attacks from progressing. This can be done by controlling end-users’ access capabilities and creating isolation layers between endpoints, applications, systems, and users.
Such measures place health organisations on track towards higher vigilance and patient protection.
As tech gets more sophisticated and attackers stand to gain more from sensitive information, more frequent cyber threats are simply becoming our new reality. But with the right measures, healthcare providers can enjoy high productivity while maintaining quality assurance and patients’ trust.