The healthcare industry is under attack like never before.
What started as a surge in criminal activity during the early days of the coronavirus pandemic has now metastasized into a full-blown crisis within the healthcare industry worldwide. The recent disruptive ransomware attacks on Scripps Health in San Diego, Ireland’s national health service and Waikato hospitals in New Zealand demonstrate the global nature of the threat, and the pervasive level of risk within this industry.
Healthcare has long been a target of cybercriminals, due to its valuable personal and financial data. However, the shift to more aggressive and destructive tactics – like ransomware extortion and double-extortion – is putting an incredible burden on this critical service sector.
Although these attacks have surged dramatically since last year (a 123-percent increase in ransomware and 25-percent jump in data breaches), they did not appear out of thin air.
While COVID-19 put a tremendous strain on the healthcare system, stretching staff and budgets to the breaking point, in most cases the attackers have been exploiting the same security shortcomings that have long plagued this industry.
Electronic Health Records: An Expanding Attack Surface
Healthcare’s attack surface has grown considerably over the last two decades, particularly with the adoption of electronic health records (EHRs), wireless medical devices and the advent of telemedicine and remote work, both of which were sped up by the pandemic.
The transition to EHRs has made ransomware and data-theft attacks far more costly and damaging for healthcare institutions. It has also increased the likelihood that a cyberattack will be disruptive to a hospital’s basic operational ability.
New connectivity features in medical devices mean critical equipment is now more directly exposed to attackers.
The rush to enable remote work has made it easier for hackers to gain a foothold in healthcare networks through employees' remote connections. Of particular concern is the widespread use of Remote Desktop Protocol (RDP) and remote-access VPNs by hospital staff. Both technologies pose substantial risk to organizations if vulnerabilities in the software are exploited or if attackers target the end users directly.
Researchers have found that Ryuk ransomware operators are increasingly targeting RDP, particularly in the healthcare sector. Throughout 2020, hackers increased their targeting of RDP by 768 percent, along with remote-access VPNs. The hacker TrueFighter was documented attempting to sell admin-level access to one hospital for $3,000.
Ransomware criminals have also been exploiting VPN vulnerabilities in Citrix ADC and Pulse Connect Secure to gain access to hospital networks.
Unpatched Systems, Legacy Devices
A long-running problem in the healthcare industry is the use of outdated and/or unpatched systems and devices. This is a problem that can largely be attributed to budgetary pressures, both in terms of the cost of equipment and for fielding a well-equipped IT security operation.
Medical equipment like MRI machines is expensive, which is why hospitals frequently hold onto these devices for many years or even decades past their prime. Consequently, this medical hardware often relies on outdated and unsupported versions of Windows to manage systems like X-rays, MRIs and CT scanners.
Last year researchers found that 83 percent of medical imaging equipment in hospitals, such as MRI and mammography machines, were running unsupported Windows operating systems and remained unpatched against well-known vulnerabilities. However, the problem goes back much further. In 2016, HIPAA Journal reported on three hospitals that were infected with malware through legacy medical devices (the attackers used “ancient exploits” of Windows XP), in spite of having modern cybersecurity defenses installed on the broader network.
In addition to medical devices, hospitals also struggle to patch other devices and software. In 2014, researchers found that one large healthcare organization was exposing information about 68,000 systems connected to its network. These same systems had also failed to patch a six-year-old vulnerability in their version of Windows XP.
To make matters worse, hospitals also frequently lack proper network segmentation, which increases the overall attack surface of the organization and the risk of lateral movement by an attacker. Of particular concern is the exposure of medical devices, which are usually connected and reachable from the main network.
The industry’s lax attitude toward segmentation poses a real problem, particularly since these networks maintain many legacy devices. Hospitals should be aggressively using VLANs, subnets, Access Control Lists and firewalls, but these are often not thoroughly implemented.
A 2019 study found that 49 percent of segmentation deployments in healthcare used fewer than 10 VLANs in these networks to support all medical devices. And nearly half of healthcare companies in this group only used one VLAN. In a subsequent study in 2020, 60 percent of healthcare organizations were found to be bundling their IT devices (such as computers and printers) with medical devices within the same VLANs.
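The two findings above (imaging devices on unsupported Windows releases, and medical devices sharing a VLAN with general IT equipment) can be checked against a device inventory. The following is an added example, not code from the article or from any vendor: it audits a constructed inventory and prioritizes legacy medical devices that are reachable from an IT VLAN. The unsupported-OS list and inventory rows are assumptions for illustration.

```python
"""Segmentation and legacy-OS audit over a constructed device inventory.

Added example, not from the article: flags (1) VLANs that mix medical
devices with general IT equipment and (2) medical devices running an
unsupported Windows release. All inventory rows are constructed sample data.
"""
from collections import defaultdict

# Windows releases with no vendor security updates (assumed list for illustration)
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2003", "Windows Server 2008"}

# Constructed inventory: (hostname, vlan_id, device_class, operating_system)
INVENTORY = [
    ("mri-01",      20, "medical", "Windows XP"),
    ("ct-02",       20, "medical", "Windows 7"),
    ("mammo-01",    30, "medical", "Windows 10"),
    ("nurse-pc-17", 20, "it",      "Windows 10"),
    ("printer-b2",  20, "it",      "embedded"),
    ("billing-01",  40, "it",      "Windows 10"),
]

def mixed_vlans(inventory):
    """Return VLAN ids that host both 'medical' and 'it' device classes."""
    classes = defaultdict(set)
    for _, vlan, dev_class, _ in inventory:
        classes[vlan].add(dev_class)
    return sorted(v for v, c in classes.items() if {"medical", "it"} <= c)

def unsupported_medical(inventory):
    """Return hostnames of medical devices on an unsupported Windows release."""
    return sorted(h for h, _, c, os_name in inventory
                  if c == "medical" and os_name in UNSUPPORTED_OS)

def exposed_legacy(inventory):
    """Legacy medical devices that also share a VLAN with IT gear: highest priority."""
    mixed = set(mixed_vlans(inventory))
    return sorted(h for h, v, c, os_name in inventory
                  if c == "medical" and os_name in UNSUPPORTED_OS and v in mixed)

def vlan_count(inventory):
    """Number of distinct VLANs in use (the 2019 study's 'fewer than 10' metric)."""
    return len({v for _, v, _, _ in inventory})

if __name__ == "__main__":
    print("VLANs in use:", vlan_count(INVENTORY))
    print("mixed medical/IT VLANs:", mixed_vlans(INVENTORY))
    print("legacy medical devices:", unsupported_medical(INVENTORY))
    print("legacy devices reachable from an IT VLAN:", exposed_legacy(INVENTORY))
```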
Third-Party Security Risk in Healthcare IT
Hospitals have an incredibly diverse third-party ecosystem which poses numerous security challenges. These third parties range from outside doctors, medical clinics and diagnostics labs to software providers, billing services, insurance, equipment providers, service providers and other contractors.
A compromise of any one of these third parties can directly impact the hospital, as many of these outside organizations either have direct access to patient information or some type of privileged access on the hospital’s network. This has happened so many times in recent years that it’s difficult to count. A few of the more notable cases in the last two years are the AMCA, Dominion National, Dental Care Alliance and Central Files data breaches, as well as the Blackbaud ransomware attack.
While uptime is essential for any modern business, it is especially critical for hospitals as they rely heavily on digital technologies like EHRs, clinical information systems (CIS) and point-of-care terminals to operate safely and effectively.
Any disruption of these services will impact patient care – and may put lives at risk.
This further complicates incident response and remediation efforts. The decision to take systems offline to isolate the threat and prevent lateral spread must be weighed against the broader impact this will have on critical medical services and the needs of patients.
Cyber-threats to healthcare won’t slow down, even after the pandemic is over. Hospitals need to take more aggressive action to fortify themselves against these attacks. They also need to increase their investments in cybersecurity.
Network segmentation, timely patching, software/firmware updates, secure data backups and rigorous access controls are all essential parts of a defense-in-depth strategy, as is a large and well-resourced IT security team that can manage it all.
However, the healthcare industry can’t do it alone.
In March of 2020, as the world was reeling from the COVID-19 pandemic, volunteer groups like CTI League and COVID-19 Cyber Threat Coalition were formed by infosec professionals to provide free cyber-threat intelligence to healthcare and hospital security teams. While these groups were successful and demonstrated the impact which freely shared threat intelligence can have against bad actors, they were only a stopgap measure to a larger problem.
Healthcare is a critical sector to any country and keeping it safe from malicious activity is only possible through joint efforts by both the public and private sectors. Advanced defensive tools need to be more accessible to the healthcare sector, information sharing across organizations must be encouraged and collaboration across all sectors to help defend these life-saving industries should be the norm, not the exception.
Nate Warfield is CTO of Prevailion and former senior security program manager for Microsoft Security Response Team.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.