Critical Infrastructure Attacks: Threat Landscape Forces Security to Evolve

Ongoing and recent outages at critical infrastructure entities highlight the sophistication and evolution of the threat landscape, driving the need for improved security posture in healthcare.

Over the last year, there’s been a decided shift in the threat landscape in terms of impact and frequency. From crippling outages at Colonial Pipeline and Scripps Health, to the rise in double and triple extortion, security standbys are no longer enough to protect critical infrastructure entities.

The attacks are drawing throngs of public attention, with commentators decrying cybercriminals and warning of continued outages. The heightened awareness has its place, but the real question is how to stymie the impact of these attacks on critical infrastructure entities, like healthcare.

And what’s really at stake?

These recent cyberattacks, combined with the global attacks on SolarWinds and Accellion’s File Transfer Appliance, provide real-world examples of how one simple exploit can result in catastrophic business disruptions or even the compromise of multiple entities.

The increase in attack sophistication means healthcare must follow suit, coupling traditional security measures with new processes to strengthen overall cybersecurity posture and better protect the enterprise.

“Supply chain attacks like we saw with SolarWinds have forever changed the landscape of software providers and customers’ due diligence on software packages,” said Mike Garzone, the vice president of Impact Advisors.

“Supply chain threats have also increased dramatically,” he added. “While this is not a new entry point, sophisticated hackers are embedding themselves in software and third-party environments waiting for the opportunity to infiltrate a provider environment.” 

The rise in attack sophistication and frequency is creating a series of challenges and impacting several crucial areas, he explained. For one, cybersecurity insurance premiums have been dramatically impacted, as insurance providers are being hit hard by the rising frequency and skill of the attacks.

In fact, Garzone said they’ve seen cybersecurity insurance providers notifying customers of premium increases exceeding 75 percent and another 150 percent or more increases in premiums where providers failed to adopt the insurer’s “preferred technology.”

Impact Advisors has also seen an emerging trend of “insurance providers requesting due diligence from the customer to ensure their ‘investment’ is sound.”

“This introduced additional scrutiny: Use of particular technologies alone, like multi-factor authentication, pinned BIOS boot, et al. will not always satisfy insurance providers,” said Garzone.

In response to this rapidly evolving and impactful threat landscape, the healthcare sector must implement tighter software release controls and programs focused on inventorying supply-chain relationships.

Garzone stressed that this will allow entities to gauge the actual risk and perform required due diligence with these necessary partners, as well as assess the security posture of all vendor relationships.

Business Impact Analysis Basics and Impact

For Garzone, a crucial component to a mature cybersecurity posture is to perform a business impact analysis. A BIA provides entities with an understanding of risks to the enterprise and the needed steps for prioritizing risks, which will allow business continuity during a security event.

Business continuity differs from disaster recovery plans, but the pair work hand-in-hand.

“The continuation of business must be thought of as the most basic of activities that are required to maintain customers, protect the company assets (and in turn the customers) and perform the core business critical functions,” Garzone explained.

“Many business impact analyses stop short of the real goal,” he added. “Filling out forms specifying which functions are business critical by the business unit is only the beginning. Each business unit is important unto itself; however, there are different priorities of business unit function when compared with the critical nature of the core business performance.”

Garzone explained the concept within the context of the passenger airline industry. While cargo is a crucial component of the business, it’s not a critical element of business performance. It’s a revenue stream that must continue after an event, but the critical element for the industry is to serve airline passengers.

The concept is similar in healthcare: serving the community and ensuring patient safety are the most important business components, though some services are more critical than others. Amid the national COVID-19 emergency, many providers prioritized essential services and deferred many elective services, he explained.

For ambulatory providers, there was a rise in telehealth deployment. And in back-office positions, those employees were sent to work from home. Garzone explained that these are all examples of how entities adapted to restore and maintain business continuity during a crisis.

Each shift during the pandemic, and the added technology, forced providers to mitigate key business concerns and risks through workflow changes and the like. In some instances, the shift included manual workarounds.

“It is important when assessing business continuity to identify and consider manual process options that can be implemented to maintain operation while technology components are recovered or adapted to address the issue,” said Garzone.

“Disaster recovery is the recovery of technology. Business continuity is the larger concept that requires DR within the established timeframes arrived at within a business impact analysis,” he added. “Quantification of economic impact is certainly important but not the sole objective of a BIA.”

As such, BIAs need to include all potential risk scenarios. Garzone has seen entities approach the process with too narrow a scope by emphasizing the outage of one single location for one specific reason, such as a natural disaster.

To Garzone, pandemics, cyberattacks, and other new disaster vectors serve as a reminder that “natural disasters” are just one vulnerability perspective. A narrow focus is a good starting place, but entities will need to expand their assessment to identify other areas that could impact an organization.

Best Practice Security Needs

Garzone recommends covered entities and healthcare business associates use the NIST Cybersecurity Standard Framework as a foundation for a strong cybersecurity program, which will also satisfy HIPAA and other regulations.

However, people and processes are also a crucial component of a mature cybersecurity posture and should be routinely reviewed, educated, and updated on the latest threats and preventative measures.

“The key is constant vigilance coupled with continuous improvement,” Garzone said. “As business and the threat landscape change, providers must adapt.” 

“People are generally the largest vulnerability, and we are adamant about making people aware of the risks associated with poor passwords, the need for multi-factor authentication, phishing, vishing, impersonations, etc. Awareness is the first step,” he added.

The next focus area is empowering the workforce with the needed personal skills to identify and avoid risks. Garzone stressed that the effort won’t completely eliminate threats; rather, healthcare entities need a multi-faceted approach that leans on compensating controls to align the organization’s risk tolerance with industry-standard best practices.

Garzone also provided other key security recommendations for healthcare delivery organizations: 

  • Swift quarantine and rollback processes to isolate components when “Trojan horse” infiltration is detected.
  • Inventory processes for supply-chain partners and impact assessments for potential risks.
  • Enable dialogues with each supply-chain partner for due diligence in verifying the security posture of each vendor. A questionnaire can be an effective starting point.
  • Review contract language with each partner to ensure security standards are upheld and to accept appropriate liability.
  • Evaluate or revise disaster recovery procedures to address potential infiltration and encryption threats, crucial for understanding organizational and business impacts caused by ransomware attacks.
  • Prepare isolated immutable backups to mitigate these threats.

Healthcare providers should always be thinking one step ahead and identifying new security methods to add to traditional skills. For example, AI in collaboration with “keenly managed machine learning” can be a wholly effective partnership.

“Certainly, there is value in the foundational elements steeped in traditional information security best practices. However, cybercriminals are no longer bored teenagers in their parents’ basement/garage,” he mused. “They are sophisticated, organized, smart and lethal.”

“Technology without human context is code without an architecture,” Garzone added. “False negatives and alert lethargy can lull an organization into a sense of safety that is unwarranted. Providers must implement tighter software release controls to thoroughly vet components introduced to their environment.”

Security Must-Haves for Employees and Vendors

Previous data found that effective, routine employee security education can drastically reduce the risk to the enterprise. But to ensure its effectiveness, Garzone explained that administrators must couple vigilance with continuous improvement.

But awareness is only the first step of the process.

“You must focus on giving people the personal skills to identify and avoid risks,” he explained. “A single training presentation annually will not provide the organization with the awareness needed. It must be followed with subsequent bulletins, newsletters, blogs, etc. on a regular basis.” 

“You also must test the knowledge retained from the awareness sessions,” Garzone continued. “You need to actively evaluate the knowledge retention and provide incentive (positive – more preferred – OR negative – less preferred).”

Securing vendor relationships will be a far less simple project. Building a program to evaluate and manage vendors requires due diligence. However, Garzone noted that many entities fail to follow through with the needed processes.

Security questionnaires are commonly used when forging a contractual agreement with vendors. While it’s a good start, it’s not a true test of programmatic diligence. 

For Garzone, entities should instead rely on third-party attestation, which is most efficient for all involved parties. But the vendor management program will need to be formally driven by controls and processes outlined by industry-standard frameworks, like NIST.

Previous guidance from NIST and the Healthcare and Public Health Sector Coordinating Council can provide step-by-step instructions for workforce development and cybersecurity partnerships.