Why healthcare security needs urgent care

Increased ransomware incidents in health care require stringent protection of critical systems and data.

Australia’s healthcare sector has been the target of increased cybersecurity incidents since COVID-19 forced digital care into the spotlight. Sensitive data collected by healthcare providers, as well as their increased reliance on cloud-based services and telehealth, make the industry a prime target.

The Australian Cyber Security Centre (ACSC) announced earlier this year that reported cybersecurity incidents relating to the Australian healthcare sector increased by an eye-watering 85% in 2020. In fact, outside of government and individuals, the health sector reported the highest number of cybercrime incidents to the ACSC in 2020.

This should act as a wake-up call for all healthcare organisations to review their cybersecurity hygiene levels before they fall victim to the kind of ransomware attack that has already paralysed Eastern Health, Regis Healthcare and UnitingCare over the last 12 months.

The increase in ransomware attacks on the healthcare sector is being driven by two key factors — it’s a high-value target, and healthcare access points as potential target areas have expanded.

There is no doubt that healthcare data is an attractive target for attackers as it holds highly sensitive personal identifiable information and routinely carries valuable intellectual property on technology and research. This, combined with the critical nature of most healthcare operations, means attackers understand that, in the business of life and death, healthcare organisations simply cannot afford to negotiate for days or weeks while their systems are held hostage by ransomware attacks. For example, in the US, it’s estimated that ransoms totalling $15.6 million were demanded of healthcare organisations last year, over $2 million of which was paid, although in reality the total is likely much higher than what has been publicly reported.

Similarly, it’s of critical importance to maintain public trust in health organisations, particularly those linked to government services.

The impact of digital transformation (accelerated by COVID-19) also needs to be considered, as well as the quest for efficiency that has resulted in many third-party companies entering the healthcare sector — for example, in the areas of supply chains or medical transport. This, particularly when combined with the pandemic-related shift to home working and BYOD devices, means cybercriminals have an increased surface area to attack.

Additionally, the sheer volume of devices also adds to the healthcare sector risk factor. For example, in many medical practices, computers are stationed in every room, giving practitioners fast access to records and allowing for communication among team members while in operating theatres. Computers play a critical role in pre-surgery planning, image visualisation, patient monitoring and even robotic-assisted procedures. Each of these represents a potential vulnerability.

Attackers don’t just stop at commandeering these critical computers and servers — now they are also targeting medical IoT devices with increasing frequency. Take for example the WannaCry ransomware attack that infected 1200 diagnostic devices, with many more devices taken offline to stop the spread of the attack.

Ransomware attacks getting more sophisticated

Ransomware attacks begin by exploiting configuration gaps and access vulnerabilities to deliver malware. These are often accomplished by using ransomware-as-a-service kits (ready to use and easy to find on the dark web) to infect unpatched systems using common phishing techniques, drive-by malware downloads, known public exploits or brute-force credential theft.

Yet over the past several months, my own company’s CyberArk Labs team has tracked a significant rise in operator-based ransomware attacks, which look a lot different to these opportunistic ‘spray and pray’ attempts.

Operator-based ransomware attacks are executed by highly skilled threat actors who can target — and react to — the specific attack surfaces of a specific organisation. Often, these attackers operate in stealth mode for extended periods of time whilst trying to find and steal credentials for both cloud and on-premises infrastructure.

Unfortunately, it’s no secret that in the healthcare industry, working as a privileged user (for example, a doctor making their rounds with a tablet that can access numerous patients’ medical records) or allowing a third-party vendor (for example, an insurance company or medical equipment supplier) to access a privileged system is all too common.

The attackers’ next objective is to harvest credentials for even higher-privilege escalation and lateral movement, looking for more machines and more valuable data to extort. And once in, the demands are getting bigger. In many virtual hostage situations, attackers will not only demand a ransom payment for decrypting target data but also threaten to leak it unless additional payment is made. According to F-Secure research, nearly 40% of ransomware families discovered in 2020 utilised such double-extortion methods.

How healthcare can stay ahead of ransomware attacks

As ransomware attacks become more sophisticated and highly targeted, healthcare organisations must ramp up their security posture to protect critical infrastructure and preserve patient care and trust. This must start and finish with the deployment of robust identity-centric controls. Put simply, if healthcare organisations limit the number of people who have access to privileged assets and know exactly who has access to what and can swiftly lock down privileges, then the opportunities for ransomware attack are immediately diminished.

In a perfect world, each identity should be configured to have only the privileges and permissions needed to perform its intended functions — nothing more, nothing less. This is the crux of the principle of least privilege and a core tenet of zero trust — never trust, always verify.

A comprehensive identity security solution can do this. It authenticates every identity accurately, authorises them with proper permissions and provides access to privileged assets in a structured manner — all of which can be audited or accounted for. It’s the ultimate gatekeeper for who gets access to what, where and for how long, and provides complete protection, control and visibility of privileged access across critical networks, systems and applications.

As the guardians of sensitive personal, financial and medical data for Australians, addressing who has control and access to this critical information must form part of good governance for all Australian healthcare providers.

Image credit: ©stock.adobe.com/au/zefart