Cybersecurity Best Practices for Healthcare 
This past year saw many unprecedented events. First and foremost, the COVID-19 global pandemic affected lives everywhere. It changed how people socialized, went to school, and worked. Organizations also saw a paradigm shift in the way they did business. Most businesses shifted a majority of their workforce to remote office locations to follow shelter in place mandates. Now in 2021, many are still working from home.
Another global “pandemic” businesses are experiencing is a tremendous uptick in cyberattacks and ransomware in particular. Cybercriminals are placing laser-focus on business and specific industries to capitalize on the increased turmoil facing businesses today. Healthcare has remained a favorite target of attackers. What types of attacks have targeted healthcare and hospitals in particular?
Unprecedented threats against healthcare
At the end of October 2020, the Federal Bureau of Investigation (FBI), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS), issued a cybersecurity advisory warning of imminent ransomware activity targeting the healthcare and public health (HPH) sector.
The advisory noted the following findings:
- CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
- These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.
Attackers are using Ryuk ransomware in conjunction with the Trickbot toolset. Trickbot is a dangerous set of attack tools cybercriminals use to compromise enterprise networks, and Ryuk appears to be the favorite ransomware among attackers targeting healthcare facilities. Ryuk operators move laterally across networks and even use off-the-shelf post-exploitation tools such as Cobalt Strike and PowerShell Empire to dump credentials. Attackers map out the network and enumerate the environment to understand its topology, and Trickbot lets them leverage built-in networking tools such as ping, PowerShell, and net view. Using standard tools and utilities helps avoid detection by cybersecurity solutions, as these everyday tools pass as normal executables without suspicion in most cases.
To hold the victim’s files hostage, Ryuk encrypts each file with AES-256 and then encrypts the AES key with an RSA public key, so only the holder of the matching private key can recover it. Backups such as Windows Shadow Copies and System Restore points are also targeted, making it more likely the victim will pay the ransom.
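The two preceding paragraphs make a defensive point: the recon commands (ping, net view, PowerShell) look like ordinary admin activity, while the backup destruction is the step that turns an intrusion into a ransom event. The script below is an added illustration, not code from the advisory or from the article, showing how a detection engineer would pull those signals out of process-creation telemetry. The log format and every event in it are constructed; in practice the same rules would run over Windows Security Event ID 4688 or Sysmon Event ID 1 records.

```python
"""Detect living-off-the-land recon and backup destruction in process logs.

Added illustration (not from the advisory or the article). Input format and
sample events are constructed; a real deployment would consume Windows Security
Event ID 4688 or Sysmon Event ID 1 process-creation records.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: "timestamp | account | parent process | command line".
SAMPLE_LOG = """\
2020-11-02T03:12:44Z | NURSE07$ | explorer.exe | ping -n 1 10.20.1.15
2020-11-02T03:13:01Z | NURSE07$ | cmd.exe | net view /domain
2020-11-02T03:13:09Z | NURSE07$ | cmd.exe | net view \\\\FILESRV01
2020-11-02T03:14:30Z | NURSE07$ | winword.exe | powershell.exe -nop -w hidden -enc SQBFAFgA
2020-11-02T03:15:12Z | svc_backup | cmd.exe | vssadmin delete shadows /all /quiet
2020-11-02T03:16:00Z | helpdesk | cmd.exe | ping -n 4 printserver
2020-11-02T09:00:00Z | radiology | cmd.exe | vssadmin list shadows
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    account: str
    rule: str
    severity: str
    command: str


# Each rule is applied to "parent | command line" so parent-child pairs
# (an Office document spawning PowerShell) can be matched alongside the command.
# A lone ping is deliberately not a rule: on its own it is pure noise in a hospital.
RULES = [
    ("backup-destruction", "critical",
     re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("encoded-powershell", "high",
     re.compile(r"powershell(\.exe)?\b.*\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}", re.I)),
    ("office-spawns-shell", "high",
     re.compile(r"^(winword|excel|outlook)\.exe \| (powershell|cmd|wscript|cscript)", re.I)),
    ("share-enumeration", "medium",
     re.compile(r"\bnet1?\s+view\b", re.I)),
]


def parse_line(line):
    """Split one constructed log line into its four fields, or None if malformed."""
    parts = [p.strip() for p in line.split(" | ", 3)]
    return tuple(parts) if len(parts) == 4 else None


def scan(log_text):
    """Return every rule hit, in log order, as Finding objects."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, account, parent, cmd = parsed
        context = f"{parent} | {cmd}"
        for name, severity, rx in RULES:
            if rx.search(context):
                findings.append(Finding(ts, account, name, severity, cmd))
    return findings


def accounts_to_triage(findings, min_distinct_rules=2):
    """Accounts worth looking at first: anything with a critical hit, plus any
    account that trips several different rules, since share enumeration followed
    by hidden PowerShell looks like an intrusion chain rather than one admin
    running one legitimate command."""
    rules_by_account = defaultdict(set)
    critical = set()
    for f in findings:
        rules_by_account[f.account].add(f.rule)
        if f.severity == "critical":
            critical.add(f.account)
    chained = {a for a, r in rules_by_account.items() if len(r) >= min_distinct_rules}
    return sorted(critical | chained)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.severity:8} {f.account:12} {f.rule:20} {f.command}")
    print("triage first:", accounts_to_triage(hits))
```

Run as-is, the scan flags the `net view` enumeration and the Office-spawned encoded PowerShell on the NURSE07$ account and the shadow-copy deletion under svc_backup, while the two ping commands and the read-only `vssadmin list shadows` produce nothing. The account-level correlation is what keeps the medium-severity share-enumeration rule useful without paging someone for every `net view`.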
Was the FBI, CISA, and HHS warning for healthcare organizations and public services warranted? Many healthcare facilities were indeed hit with ransomware in the months following the advisory. Note the following ransomware attacks carried out on healthcare organizations after the advisory was issued:
- Derby’s Griffin Hospital website was taken down indirectly as a result of a major ransomware attack. com was hit with ransomware, which resulted in the hospital website going offline, among others.
- A ransomware attack was carried out on Maryland’s GBMC Health, spurring EHR downtime. The malware infected IT systems across the board.
- Transform Hospital Group, a cosmetic and weight loss surgery provider in the U.K., was hit with ransomware that left hundreds of gigabytes of data stolen. It included personal data of customers as well as intimate photos of customers.
- Agency for Community Treatment Services (ACTS), a Tampa, FL based company, alerted patients that protected health information was potentially compromised in a late October 2020 cyberattack.
- A Fergus Falls, Minnesota health system was hit by a ransomware attack in December 2020. The health system instituted downtime processes to care for patients.
Healthcare continues to lead trends in cyberattacks. In the 2020 IBM Cost of a Data Breach report, notice the following statistics regarding healthcare and cyberattacks.
- For the tenth year in a row, healthcare continued to incur the highest average breach costs, at $7.13 million. This was a 10% increase over 2019.
- Healthcare has the longest breach lifecycle, at 329 days.
- Malicious attacks were listed as the leading root cause of data breaches in healthcare.
Why do cybercriminals target healthcare organizations?
With many other business sectors and large-scale corporations available as targets, why do cybercriminals target healthcare organizations? One thing to consider: no one is immune to cyberattacks. No matter the industry or the size of the business, cyberattacks, including ransomware, can happen to any organization in any sector. However, certain characteristics of healthcare make it a prime target for cybercriminals. Let’s consider the following reasons:
- Personally Identifiable Information (PII) and Electronic Protected Health Information (ePHI) including any patient information, is valuable
- Healthcare medical devices are often easily compromised
- The sheer number of network-connected devices makes securing them difficult
- Healthcare information must be shared between medical systems, making them vulnerable
- Many healthcare IT systems are outdated and lack proper cybersecurity systems
1. Personally Identifiable Information (PII), and especially patient information, is valuable
Personal health information and other types of private data are extremely valuable on the black market. These types of confidential information are easy for hackers to sell and represent some of the most sensitive types of information. Healthcare organizations risk tremendous financial impacts from cybersecurity breaches due to potential lawsuits as well as regulatory compliance violations from the likes of HIPAA and GDPR.
2. Healthcare medical devices are often easily compromised
Hospitals use a large number of network-connected devices. These range from Computers on Wheels (COWs) to medical test equipment, monitors, scanners, and many other equipment types. Many of these devices are antiquated or have limited security built in. Medical devices are purpose-built for a particular clinical task; cybersecurity is rarely part of that design.
While the devices themselves don’t generally contain sensitive patient data, they connect to the backend systems that do. Attackers compromise these devices as a foothold, then attack the backend systems they connect to and extract data once those systems are compromised.
3. The sheer number of network-connected devices makes securing them difficult
Related to the point above, the sheer number of network-connected devices makes securing them extremely difficult. It only takes one compromised device for an attacker to infiltrate a healthcare network, and every additional device of this kind on the network grows the attack surface.
4. Healthcare information must be shared between medical systems, making them vulnerable
Today, healthcare systems are becoming more and more interconnected. Medical records are some of the most sensitive types of information. However, since this data is shared between healthcare organizations, this often means sensitive information must transit across public networks. Even if data is encrypted, there is always the possibility of data getting exposed.
5. Many healthcare IT systems are outdated and lack proper cybersecurity systems
Many hospitals today are still using legacy equipment and aging devices that have outdated security controls. The COVID-19 pandemic has wreaked havoc on hospitals worldwide as they struggle to keep afloat due to the pandemic’s financial impact. It creates a perfect storm of hospitals maintaining outdated systems, no budget for upgrades, heightened cybersecurity threats, and handling sensitive data.
Old, legacy equipment makes easy targets for hackers looking for legacy hardware devices running outdated operating systems or lacking current security patches. Once an attacker has compromised a network-connected device, they can then move laterally across the network.
How can hospitals protect against the imminent threat of ransomware?
With the threat of ransomware growing more ominous, how can hospitals protect themselves from ransomware? Like any well-structured cybersecurity initiative, this needs to be a multi-layered approach that covers many different areas. Let’s consider the following:
- Develop a business continuity plan
- Protect the network
- Secure endpoints
- Protect cloud data
- Train end-users and make them aware of threats
1. Implement business-continuity plans and policies
Hospitals that do not have a business continuity plan or a business contingency plan are headed for disaster. Formulating a business continuity plan is essential to ensure the organization is ready with the policies and procedures needed in a ransomware attack. No set of cybersecurity measures is 100% effective against ransomware, so hospitals and other healthcare facilities need to plan for the disruption to processes and procedures that an attack causes. Planning ahead ensures the proper measures are in place to continue functioning and caring for patients if technology systems are down.
2. Protect the network
Attackers generally compromise systems with malware, including ransomware, through the network. Network-connected devices are especially vulnerable. Protecting the network includes all of the cybersecurity technology defenses and the people and processes that help reduce the attack surface. Business-critical assets that contain sensitive data should never be on the same network as other low-security devices. Network segmentation and the newer micro-segmentation approaches help to secure critical data servers from attack.
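The segmentation rule above (critical data servers never share a network with low-security devices) is easy to state and easy to lose track of as bedside equipment and Computers on Wheels get plugged in over the years. The following script is an added example, not part of the article, of how to audit an inventory against that rule and against the firewall policy between segments. The hosts, subnets and flow rules are constructed, and the "tier" labels are an assumption about how an asset register might classify devices.

```python
"""Audit a device inventory against the segmentation rule in the text:
assets holding sensitive data must not share a network with low-security devices.

Added example, not from the article. The inventory, segment map and flow rules
below are constructed (hypothetical hosts and subnets).
"""
import ipaddress
from collections import defaultdict

# Constructed inventory. "critical" = stores or serves ePHI; "low" = legacy or
# limited-security device (bedside equipment, Computers on Wheels, guest gear).
INVENTORY = [
    {"name": "ehr-db-01",           "ip": "10.10.5.20", "tier": "critical"},
    {"name": "pacs-archive-01",     "ip": "10.10.5.21", "tier": "critical"},
    {"name": "infusion-pump-17",    "ip": "10.10.5.77", "tier": "low"},
    {"name": "cow-nurse-station-3", "ip": "10.10.5.90", "tier": "low"},
    {"name": "backup-vault-01",     "ip": "10.10.20.5", "tier": "critical"},
    {"name": "guest-ap-2",          "ip": "10.99.0.5",  "tier": "low"},
]

# Constructed segment map as the network team documents it.
SEGMENTS = {
    "clinical-servers": ipaddress.ip_network("10.10.5.0/24"),
    "backup":           ipaddress.ip_network("10.10.20.0/24"),
    "guest":            ipaddress.ip_network("10.99.0.0/16"),
}

# Constructed inter-segment firewall policy ("any" = no port restriction).
FLOW_RULES = [
    {"src": "guest",            "dst": "clinical-servers", "ports": "any"},
    {"src": "clinical-servers", "dst": "backup",           "ports": "445"},
    {"src": "backup",           "dst": "clinical-servers", "ports": "any"},
]


def segment_of(ip, segments=SEGMENTS):
    """Name of the segment containing ip, or None if no documented subnet covers it."""
    addr = ipaddress.ip_address(ip)
    for name, net in segments.items():
        if addr in net:
            return name
    return None


def segment_tiers(inventory=INVENTORY, segments=SEGMENTS):
    """Map each segment to {tier: [device names]} so cohabitation is visible."""
    tiers = defaultdict(lambda: defaultdict(list))
    for dev in inventory:
        seg = segment_of(dev["ip"], segments) or "unmapped"
        tiers[seg][dev["tier"]].append(dev["name"])
    return tiers


def mixed_segments(inventory=INVENTORY, segments=SEGMENTS):
    """Segments where critical assets and low-security devices share a subnet:
    exactly the situation the text says should never exist."""
    tiers = segment_tiers(inventory, segments)
    return sorted(seg for seg, by_tier in tiers.items()
                  if by_tier.get("critical") and by_tier.get("low"))


def weak_flow_rules(flow_rules=FLOW_RULES, inventory=INVENTORY, segments=SEGMENTS):
    """Flow rules that let a segment holding no critical assets reach a segment
    that does hold them on any port. Segmentation without such filtering is a
    diagram, not a control."""
    tiers = segment_tiers(inventory, segments)
    weak = []
    for rule in flow_rules:
        src_has_critical = bool(tiers[rule["src"]].get("critical"))
        dst_has_critical = bool(tiers[rule["dst"]].get("critical"))
        if rule["ports"] == "any" and dst_has_critical and not src_has_critical:
            weak.append(f'{rule["src"]}->{rule["dst"]}')
    return weak


if __name__ == "__main__":
    for seg, by_tier in segment_tiers().items():
        print(seg, dict(by_tier))
    print("mixed segments:", mixed_segments())
    print("weak flow rules:", weak_flow_rules())
```

On the constructed data the audit reports that the clinical-servers subnet hosts both the EHR database and an infusion pump, and that the guest segment can reach it on any port. Feeding the script a real asset register and firewall export turns a policy sentence into a recurring check.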
3. Secure endpoints
As mentioned earlier, endpoints are often the doorway for cybercriminals looking to steal sensitive data, including patient records. Hospital IT must put cybersecurity defenses in place for securing endpoints in the healthcare environment. This includes:
- Segmented networks
- Endpoint security solutions
- Ransomware protection
- Two-factor authentication
- Encrypted network communications and data
4. Protect cloud data
More businesses than ever, including hospitals and other healthcare organizations, are using cloud Software-as-a-Service (SaaS) environments. Cloud SaaS environments have become business-critical. Hospitals should ensure they have adequate data backups and other cybersecurity measures in place for cloud-housed data along with data that exists on-premises.
Cloud SaaS environments like Google Workspace and Microsoft Office 365 do not have actual enterprise backup functionality as part of their native tooling for cloud SaaS administrators. For healthcare organizations to effectively protect critical data housed in the cloud, a third-party cloud-to-cloud backup solution is needed.
SpinOne provides the features and capabilities that healthcare organizations need to back up and protect their data from the threat of a ransomware attack. Ransomware is often a data disaster scenario to which organizations can only react after the fact. Using a multi-layered, next-generation approach leveraging artificial intelligence (AI) and machine learning (ML),
Cyber Threat Detection and Response that SpinOne Offers for Healthcare Organizations
SpinOne allows organizations to take charge of their data in cloud SaaS environments proactively. It does this in several ways, including the following:
- Proactive multi-version restore points of cloud SaaS data – Take multiple restore points of data daily.
- Data sharing protection – Know when data is shared, both inside and outside the organization.
- Insider threat analytics – Gain visibility to employees who may be acting unscrupulously or whose accounts may be compromised.
- Third-party application control – Control which third-party marketplace applications users can integrate and use with the sanctioned cloud SaaS environment.
- Ransomware protection – SpinOne provides a unique, fully-automated approach to ransomware protection that uses the multi-version restore points and proactive ransomware protection through machine learning (ML).
SpinOne provides an automated response to a ransomware attack on your cloud SaaS environment. Using powerful machine learning (ML) algorithms, SpinOne provides real-time 24x7x365 “eyes” on your environment. It watches for potential ransomware attacks and eliminates these using the following process:
- Machine learning intelligence scans the environment for potential ransomware threats
- When ransomware is discovered, SpinOne immediately terminates the process and blocks the source of the attack
- SpinOne scans all files in the environment for ransomware infection
- For files found to be encrypted by ransomware, SpinOne restores the last good version from the available recovery points
- Administrators are automatically alerted to the attack and notified of the details
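The recovery step in the list above (scan the versions, find the files that were encrypted, roll each one back to its last good version) is what makes multi-version restore points useful rather than just a storage bill. The script below is an added illustration of that step; it is not SpinOne's code and makes no claim about how SpinOne's own detection works. It uses two simple signals, byte entropy and a suspicious rename, over constructed version histories; the file names, timestamps and the `.locked` suffix are all made up.

```python
"""Pick the last good version of each file from a multi-version history and
plan a rollback for files whose newest version looks ransomware-encrypted.

Added illustration of the process the list describes; this is not SpinOne's
code and makes no claim about its internal model. Version histories, file
names and the '.locked' suffix are constructed.
"""
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.0        # bits per byte; encrypted data sits near 8.0
MIN_BYTES_FOR_ENTROPY = 128    # tiny files give unreliable entropy estimates

# Constructed stand-in for ciphertext: a permutation of 0..255 repeated, so
# every byte value occurs equally often and the entropy is maximal (8.0).
_RANDOM_LIKE = bytes((i * 73 + 11) % 256 for i in range(2048))

# Constructed version histories, oldest first, as a cloud file store might keep them.
SAMPLE_FILES = {
    "Shared/discharge_summary.docx": [
        {"ts": "2020-12-01T08:00Z", "name": "discharge_summary.docx",
         "content": b"Discharge summary: patient stable, follow up in 2 weeks. " * 4},
        {"ts": "2020-12-02T09:30Z", "name": "discharge_summary.docx",
         "content": b"Discharge summary: patient stable, follow up in 1 week. " * 4},
        {"ts": "2020-12-03T02:15Z", "name": "discharge_summary.docx.locked",
         "content": _RANDOM_LIKE},
    ],
    "Shared/ward_rota.xlsx": [
        {"ts": "2020-12-01T08:05Z", "name": "ward_rota.xlsx",
         "content": b"Mon: A-team, Tue: B-team, Wed: C-team " * 8},
        {"ts": "2020-12-02T17:45Z", "name": "ward_rota.xlsx",
         "content": b"Mon: A-team, Tue: C-team, Wed: B-team " * 8},
    ],
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(version, previous=None):
    """A version is suspect if its content is near-random, or if the file name
    gained an extra suffix since the previous version (a common ransomware tell)."""
    content = version["content"]
    if len(content) >= MIN_BYTES_FOR_ENTROPY and shannon_entropy(content) > ENTROPY_THRESHOLD:
        return True
    if previous is not None and version["name"] != previous["name"] \
            and version["name"].startswith(previous["name"]):
        return True
    return False


def last_good_version(history):
    """Walk back from the newest version and return the first one that is not
    flagged, or None if every retained version is suspect."""
    for i in range(len(history) - 1, -1, -1):
        prev = history[i - 1] if i > 0 else None
        if not looks_encrypted(history[i], prev):
            return history[i]
    return None


def plan_restore(files):
    """files: {path: oldest-first version list}. Returns {path: timestamp of the
    version to roll back to} for every file whose newest version looks encrypted;
    the value is None when no clean version survives and a human must decide."""
    plan = {}
    for path, history in files.items():
        prev = history[-2] if len(history) > 1 else None
        if looks_encrypted(history[-1], prev):
            good = last_good_version(history)
            plan[path] = good["ts"] if good else None
    return plan


if __name__ == "__main__":
    for path, ts in plan_restore(SAMPLE_FILES).items():
        print(f"{path}: restore version from {ts}")
```

The discharge summary is rolled back to its 2020-12-02 version while the rota, whose newest version is ordinary text with an unchanged name, is left alone. The `None` case matters in practice: if the retention window is shorter than the time between encryption and detection, there may be no clean version left, which is the argument for keeping several restore points per day.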
5. Train end-users and make them aware of threats
Aside from technology solutions, an essential element of any effective cybersecurity plan is people. Employees must be made aware of threats and adequately trained to recognize them. This training should include practical cybersecurity awareness training: helping end-users identify what specific threats look like, such as phishing attempts, malicious downloads, malicious links, and other dangerous file types.
Healthcare continues to be a focal point for cybercriminals. With valuable personally identifiable information (PII) and medical records, many legacy medical devices connected to the network, and the requirement for data sharing, healthcare organizations have a lot at stake. Healthcare organizations must make a concerted effort to implement cybersecurity best practices and use next-generation cybersecurity solutions like SpinOne to secure business-critical data in the cloud.