
Rapid Threat Evolution Spurs Crucial Healthcare Cybersecurity Needs

Ransomware, phishing, and human weaknesses are serious cyber risks to health IT infrastructure amid COVID-19, which makes it crucial to improve security to combat evolving threats.

It’s no secret healthcare has remained highly targeted by cybercriminals given its troves of valuable data and the high likelihood of paying ransom demands. As COVID-19 surged, hackers rapidly evolved their threats and tactics to prey on those weaknesses, spurring the need to bolster cybersecurity best practices to keep pace with evolving threats. 

From March to May, cybercriminals reframed phishing attempts to prey on COVID-19 fears in targeted spear-phishing and fraud attempts on organizations, consumers, and government entities. Those working on the response were prime targets, even the World Health Organization and research firms developing vaccines and treatments for the coronavirus. 

Microsoft’s recent report on how the threat landscape has shifted amid the initial pandemic response and through the summer found ransomware attacks were the most common attack method, while hackers have drastically increased both the frequency and sophistication of their attack methods. 

As it’s clear the pandemic will continue into the foreseeable future and healthcare organizations are burdened with the response and defending against threat actors with no scruples, understanding the threats and key vulnerabilities will be crucial in the coming months to prevent greater EHR outages and further care interruptions. 

HealthITSecurity.com spoke with key leaders from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Security Alliance (NCSA), BlackBerry, and Expel to better understand the most pressing threats, how the CISO role has evolved amid the crisis, and where healthcare leadership must improve as hackers continue their onslaught of targeted attacks. 

Ransomware Attacks Dominate 

Double extortion attempts on the healthcare sector are among the most troubling attack methods, as they spotlight the lack of scruples of ransomware hacking groups. 

Conti threat actors, in particular, have repeatedly attacked, exfiltrated sensitive information, and leaked the records from behavioral health, providers for individuals with disabilities, and even nonprofit organizations. While some hacking groups have vowed to avoid attacks on the healthcare sector, it has not stopped amid the COVID-19 crisis. 

Eric Milam, VP Research Operations at BlackBerry, explained that ransomware attacks have increased in efficacy and frequency against the healthcare sector, in part because of ransomware affiliate programs, which often require an affiliate to prove it has already gained a foothold on an organization’s network before it is supplied with the ransomware. 

“Whereas, in the past, ransomware was largely distributed via phishing emails and malicious websites, now, attackers who've established a foothold within an organization can maximize commercial gain by signing up to a ransomware affiliate program, and after performing highly targeted and destructive attacks will share a portion of any ransom profit with the original developers,” Milam explained. 

“From what we noticed, a very small percentage of the attacks rely on an exploit to penetrate the defenses of the victim,” he added. “From the recent ransomware families, only Sodinokibi had an exploit for Oracle WebLogic embedded, the rest rely on either the cooperation of the end-user or leverage leaked credentials.” 

Emotet has also proved problematic: about 24 percent of the most important hospitals have been targeted with phishing emails that download it. On October 6, DHS CISA warned of an Emotet resurgence, calling it one of the most prevalent ongoing threats. 

Emotet is an advanced trojan that typically functions as a downloader for other malware and is usually spread through malicious phishing email attachments. Once on a host, Emotet attempts to proliferate across the network by brute-forcing user credentials and writing itself to shared drives, enabling network-wide infections that are difficult to defend against. 
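As an added example (not from the article, DHS CISA or any vendor), the following Python script shows how the spread pattern just described can be caught in Windows security logs: a host that fails many logons against many accounts in a short window (Event ID 4625) and then writes to an administrative share (Event ID 5145 with WriteData access). The pipe-delimited export format, thresholds, hostnames and addresses are all constructed for the example.

```python
"""Added example: flag Emotet-style spread (credential brute force, then a
write to an admin share) in Windows security events. All events below are
constructed; the field names follow the 4625/4624/5145 events loosely."""
from collections import defaultdict
from datetime import datetime, timedelta

# Rule tunables (assumptions for this example; tune per environment).
FAILURE_THRESHOLD = 20          # failed logons from one source host ...
DISTINCT_ACCOUNTS = 5           # ... spread over at least this many accounts ...
WINDOW = timedelta(minutes=10)  # ... inside this window count as a brute-force burst
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def parse_line(line):
    """Parse one pipe-delimited export line (format constructed for this example):
    <ISO timestamp>|<event id>|<source IP>|<account>|key=value;key=value"""
    ts, event_id, src, account, extra = line.strip().split("|", 4)
    fields = dict(p.split("=", 1) for p in extra.split(";") if p)
    fields.update(ts=datetime.fromisoformat(ts), id=int(event_id), src=src, account=account)
    return fields


def detect_spread(lines):
    """One finding per admin-share write by a host that earlier crossed the brute-force threshold."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # src -> [(ts, account)] inside WINDOW
    burst_seen = {}                      # src -> time the threshold was crossed
    findings = []
    for ev in events:
        src = ev["src"]
        if ev["id"] == 4625:  # failed logon
            cutoff = ev["ts"] - WINDOW
            recent = [(t, a) for t, a in recent_failures[src] if t >= cutoff]
            recent.append((ev["ts"], ev["account"]))
            recent_failures[src] = recent
            accounts = {a for _, a in recent}
            if len(recent) >= FAILURE_THRESHOLD and len(accounts) >= DISTINCT_ACCOUNTS:
                burst_seen.setdefault(src, ev["ts"])
        elif ev["id"] == 5145 and src in burst_seen:  # network share object accessed
            share_name = ev.get("share", "").rsplit("\\", 1)[-1]
            if share_name in ADMIN_SHARES and "WriteData" in ev.get("access", ""):
                findings.append({
                    "src": src, "account": ev["account"],
                    "share": ev["share"], "path": ev.get("path", ""),
                    "burst_at": burst_seen[src].isoformat(),
                })
    return findings


def constructed_sample():
    """A brute-force burst and admin-share write from 10.1.2.7, plus benign noise from 10.1.2.9."""
    base = datetime(2020, 10, 6, 9, 0, 0)
    accounts = ["jsmith", "mnguyen", "rpatel", "admin", "svc_backup", "nurse01"]
    lines = []
    for i in range(25):  # 25 failures across 6 accounts in about two minutes
        t = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{t}|4625|10.1.2.7|{accounts[i % 6]}|status=0xC000006A")
    t = (base + timedelta(minutes=3)).isoformat()
    lines.append(f"{t}|4624|10.1.2.7|svc_backup|logon_type=3")
    t = (base + timedelta(minutes=3, seconds=2)).isoformat()
    lines.append(f"{t}|5145|10.1.2.7|svc_backup|share=\\\\WS12\\ADMIN$;access=WriteData;path=\\update.exe")
    # Benign: a user mistypes a password twice, then saves a document to a department share.
    t = (base + timedelta(minutes=5)).isoformat()
    lines.append(f"{t}|4625|10.1.2.9|nurse02|status=0xC000006A")
    lines.append(f"{t}|4625|10.1.2.9|nurse02|status=0xC000006A")
    lines.append(f"{t}|5145|10.1.2.9|nurse02|share=\\\\FS01\\Radiology;access=WriteData;path=\\report.docx")
    return lines


if __name__ == "__main__":
    for finding in detect_spread(constructed_sample()):
        print(finding)
```

The rule deliberately keys on the sequence (burst, then admin-share write) rather than on failed logons alone, because a single mistyped password or a department-share save from an ordinary workstation, as in the benign host above, should not page anyone. Share-access events (5145) have to be enabled through the Detailed File Share audit subcategory before they appear at all.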

To Bruce Potter, Expel CISO, ransomware is also being used for intelligence gathering. As noted, in double extortion attempts, hackers gain a foothold onto a network, proliferating onto other connected, vulnerable devices, gathering intel and exfiltrating valuable data, and often lying in wait on the network for days and even months before the ransomware payload is deployed. 

“The shit is not buttoned up, and it’s only going to pose a more tempting target for more adversarial activity,” Potter said. “Everything from protecting healthcare data and making sure endpoints are secured -- in the network and facility, patch management, as well.” 

“If you don’t make any headway on that and become proactive on patching, it will be problematic,” he added. 

Threat Landscape for COVID-19 and Beyond

Cybercriminals have been actively taking advantage of the global pandemic, with an increase in cyberattacks, phishing, spear-phishing, and business email compromise (BEC) attempts. And on the healthcare side of things, NCSA Executive Director Kelvin Coleman said it’s not a huge surprise. 

Even in the early 1900s during the Spanish flu pandemic, folks would put articles in newspapers to take advantage of the crisis with hoaxes and scams, Coleman explained. 

“Bad actors take advantage of crises,” he said. “Hackers are being aggressive, leveraging targeted emails and phishing attempts.” 

Josh Corman, cofounder of IAmTheCavalry.org and DHS CISA Visiting Researcher, stressed that when a provider is forced into EHR downtime and must divert patients, it’s even more nightmarish during a pandemic. In Germany, a patient died in September after a ransomware attack shut down operations at a hospital and she was diverted to another hospital. 

These are criminals without scruples, Corman explained. The attacks were happening before the pandemic, but there’s been no ceasefire amid the crisis. 

In healthcare, hackers continue to rely on previously successful attack methods – especially phishing. It continues to be a successful attack method. Coleman mused that there’s no need for a more exciting technique, as healthcare continues to fall victim to these attacks, and it’s “why ransomware is doing as well as it is.” 

“The simplest answer? It works. Hackers are attacking a target-rich environment in terms of these vulnerabilities,” Coleman said. “And because of the pandemic many more employees are relying on these technologies to provide patient care.” 

“They’re not doing anything more exciting, it’s just more of the same,” he added. “They’re reverting back to old shenanigans because it works.” 

But another big concern is the sector’s heavy reliance and use of legacy systems and an obsolete IT infrastructure to operate healthcare facilities. These were a massive issue prior to the pandemic, and COVID-19 has left many providers flat-footed as they still haven’t updated legacy technology, explained Coleman. 

These items have to be addressed, but he added that providers are strapped for funding and have yet to make those upgrades a priority. 

To Corman, there’s a delicate balance and perhaps healthcare organizations are putting more trust than they should in these technologies. The threats have been exacerbated with employee furloughs, working from home, and there are even fewer patches applied in the healthcare sector during this national crisis. 

Indeed, legacy technology continues to be a huge problem for the healthcare sector, particularly perimeter technology that hackers can easily find by scanning – as opposed to legacy technology within the network, Corman explained. 

“But when a compromise happens, it doesn’t stay on the perimeter: it can disrupt patient care,” he said. “As often the case, people get in with low hanging fruit and then decide how valuable the target is: they compromise the network first and then sort it out. Some customized attack might not be necessary.” 

On the one hand, many more hospitals are signing up for taxpayer-funded vulnerability checks. But Corman stressed there’s been a marked drop-off in diligence for patching, with some delaying patches or not patching at all over the summer. 

DHS CISA has repeatedly warned that hackers are actively exploiting known vulnerabilities that organizations have failed to patch. 

“It’s a concerning observation,” said Corman. “If a cyberattack can affect patient care and people aren’t keeping up with patching, there will be more outages and a greater patient impact.” 

“There are plenty of empathic reasons as to why hospitals haven’t updated software and are tightening the belt: employees are at risk... they want to take fewer risks, there are lots of good business tradeoffs,” he added. “But I urge the public to apply due diligence for at least the most exploited vulnerabilities... There’s a tough tradeoff in equity.” 

Evolving Role of the CISO

In speaking with different CISOs during the initial crisis, Potter found that many were making decisions within hours that would normally have taken months or years, as many organizations decided to shift to a more remote workforce. 

And that includes implementing technology in a matter of weeks, in what would have normally taken months. CISOs are working with business leaders and employees to determine what’s appropriate, when it comes to enabling business functions and regulatory issues, including HIPAA and the EU General Data Protection Regulation (GDPR). 

Further, the CISO has also become an enabler of keeping the business functional during the crisis, explained Potter. Yet security is still viewed as support and overhead, and many hospital organizations are crushed for budget and aren’t seeing revenue; the activities under way are tripling those effects. 

“Budget pressures are immense. CISOs are being asked to do more with decision makers, but are being told to reduce staff and money. It’s never a fun message,” said Potter. “For healthcare CISOs, those budget cuts directly impacted future plans, forcing leaders to rethink planning with direct impacts on staffing.” 

“At the same token, pressure on them is not optional,” he continued. “When plans meet reality, people are having to do whatever they can with what they have, rather than leveraging approved security from overall perspective... In healthcare, the demand and needs are so great, CISOs had to go in and fix that. And the longer the pandemic goes on, the greater that responsibility becomes.” 

To Coleman, one of the greatest challenges is that these threats continue to get into the enterprise network through human interaction, which increases the need for leadership to keep driving awareness throughout the organization. 

But sometimes it’s not just budgets or priorities where the challenges are seen, Coleman explained. It needs to be a top priority in terms of recognition, training, and awareness, as well. It’s not just one or two attacks a day against healthcare systems these days, it’s thousands, if not millions. 

CISOs and boards must prioritize cybersecurity, because, as Coleman stressed, “we’re not going to put the genie back into the bottle.” 

“We’re not going to go back to the way it was pre-COVID-19,” he added. “Telehealth and telemedicine is here to stay, and we’re only going to get more connected. We must find better ways to do that: it has to be priority.” 

“They're getting better. Several years ago, it just wasn’t on the list of things to consider. But CISOs are doing their best to raise awareness,” Coleman concluded. “It wasn’t getting recognition. But they’re doing it now, making a business case that patients and clients are not only asking who can provide the best healthcare, but who protects patient data the best.” 

Best Practice Cybersecurity

All healthcare organizations take a varying approach to cybersecurity, but several concerning reports in recent months have shown there is still much work to be done in the sector. As CynergisTek data shows just 44 percent of healthcare providers meet NIST Cybersecurity Framework standards, progress appears to be at a standstill in the industry. Hackers, however, are rapidly increasing the impact of their attacks.  

Thus, unless more drastic measures are taken among providers, the sector will continue to be easy prey, or the perpetual low-hanging fruit. As noted in nearly every DHS CISA alert and commonly in research reports, one of the key ways healthcare can fix some of its greatest vulnerabilities is by implementing multi-factor authentication on all applicable endpoints across the enterprise network. 

Microsoft data shows MFA blocks 99.9 percent of automated account-compromise attacks. And while that 0.1 percent leaves the door open for attackers, the control at least gives providers a fighting chance, given that the number of stolen credentials posted on the dark web is in the billions. The caveat is that MFA addresses stolen, leaked, or brute-forced credentials; it does nothing for an unpatched perimeter appliance, so it complements patching rather than replacing it. 

“Companies should put mechanisms in place to scan for known vulnerabilities and exploits of external facing systems,” said Milam. “To protect against ransomware attacks, companies should employ a proactive approach by ensuring that all backups are stored offsite, either physical or cloud solutions to add an extra layer of security.” 

"It's important that healthcare industry and other verticals update their policies and either bring on top talent to secure and monitor their critical infrastructure or outsource these tasks to companies that offer these expert services: MSSPs (Managed Security Services Providers) or MDR (Managed Response & Detection) solutions,” he added. 

  • Vulnerability Management 

As with any security program, standard cyber hygiene and enterprise best practices apply when considering how to strengthen defenses across the enterprise, explained Milam. Those items should include operating system and application patching, endpoint protection technology, auditing, logging and monitoring of endpoint and network activity, and auditing of credential use. 

Milam also noted that in financially motivated crimes, hackers attack the most vulnerable victims and disregard the criticality of the infrastructure in their attacks. 

“In the case of the unfortunate ransomware attack on the hospital in Dusseldorf, the threat actor leveraged an unpatched vulnerability in Citrix NetScaler application which the hospital IT should have patched months beforehand,” said Milam. “In other cases, the threat actors, leverage leaked credentials received from associates in exchange for a percentage of the ransom.” 

“Due to the COVID related lockdown, companies had to quickly migrate to remote work environments and some services, in particular VPN, web conferencing and file sharing services, were not configured properly for secure use,” he added. “[Most attacks] were because of misconfigurations (such as using default settings) and not some inherent vulnerabilities.” 

As a result, Milam stressed that enterprises must consider the security of their endpoint vendor now that endpoints are no longer protected by enterprise-grade firewalls. The need will become even more pressing as more entities adapt to hybrid remote work environments. 

  • Driving Awareness

Coleman said he believes the healthcare sector is not doing enough in terms of prevention. Training and awareness are very effective in meeting these challenges. A study published in JAMA reported that phishing training and staff education drastically reduce the cyber risk to the healthcare sector. 

Many of these threats get into the network through attacks on employees, whose actions allow credentials to be compromised. However, Coleman explained that for some reason healthcare organizations aren’t running drills on these threats as they would for a natural disaster. 

"Why isn't training as urgent here?” mused Coleman. “Enterprises really must train on recovery and response, as well as prevention.  We can really deal with a significant percentage of these attacks just by having people more aware of these threats.” 

  • Backup Storage and Restoration 

For Corman, the best advice to give healthcare organizations is to employ backup, offline storage and restoration. 

“When you’re an impoverished hospital, you’re unlikely to be able to defend against new technological attacks,” said Corman. “The question then becomes, how fast can you get the network back online after falling victim to an attack?” 

The options are either to prevent the attack from occurring in the first place or to ensure the organization has a reliable offline storage and restoration option. Corman stressed that the latter may be the most practical option during the COVID-19 pandemic. 

Corman added that it’s not just about cybersecurity: a hospital is responsible for caring for patients during this crisis and going offline should not be an option. Employing an effective offline backup system should thus be a business imperative, as well as ensuring it’s routinely tested. 

A healthcare organization should also consider employing a team tasked with this responsibility. 

“But it’s important to note backup storage and restoration is a discipline, not a product,” he added. 
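Corman's point that restoration is a discipline rather than a product can be made concrete. The following is an added example (not from the article or any backup product): it records a SHA-256 manifest of a file tree when the backup is taken and, in a restore drill, checks the restored copy against that manifest, so that a missing, truncated, or encrypted file is caught in the drill rather than during an outage. Paths, file contents and the drill scenario are constructed; in practice the manifest travels with the offline copy and the drill runs on a schedule against a spare host.

```python
"""Added example: a SHA-256 manifest taken at backup time, and a restore drill
that checks a restored tree against it. Paths, contents and the drill are
constructed; no backup product's format is assumed."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup sets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest; all three lists empty means a clean restore."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupted": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def restore_drill():
    """Run the drill end to end on constructed data; returns (clean_result, damaged_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        files = {  # constructed sample tree standing in for an application's data
            "ehr/patients.csv": b"mrn,name,dob\n1001,A. Example,1970-01-01\n",
            "ehr/schedule.json": b'{"clinic": "radiology", "slots": 12}\n',
            "config/app.ini": b"[db]\nhost=db01\n",
        }
        for rel, data in files.items():
            target = live / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = build_manifest(live)          # recorded when the backup is made
        backup = Path(tmp) / "offline_copy"
        shutil.copytree(live, backup)            # stands in for the offline copy
        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)        # restore onto a clean host
        clean = verify_restore(manifest, restored)
        # Simulate damage: one file overwritten (as ransomware would do), one lost.
        (restored / "ehr/patients.csv").write_bytes(b"\x00encrypted-garbage\x00")
        (restored / "config/app.ini").unlink()
        damaged = verify_restore(manifest, restored)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = restore_drill()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

The manifest is what turns a backup into evidence: a ransomware run that reaches a connected backup volume leaves files that are still present and the right size but no longer match their digests, which a plain "does the backup job report success" check never notices. Keep the manifest with the offline copy (and, ideally, a signed copy elsewhere) so that a tampered backup cannot carry a matching, tampered manifest along with it.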

  • Stop Ransom Demand Payments

The healthcare sector, in general, is not correctly looking at the ransomware problem. Corman explained that it’s not a technology problem. Rather, the issue is that organizations continue to hand over massive ransomware payments to cybercriminals. 

“We don’t have a technology problem,” Corman said. “We’re rewarding ransomware. When organizations pay ransom, they’re fueling and funding ransomware to come back harder and better. We should not be surprised that the volume and impact is increasing.” 

“The pricing is proportional to the market cap,” he added. “I’m not surprised by the number of local municipalities and hospitals falling victim to ransomware. But it’s not a victimless crime. When we look at these cybercriminals closely, they’re involved with human and child exploitation.” 

Ransomware is a pervasive threat, and many organizations are just relying on their insurance company to cover these costs, explained Corman. Ransomware isn’t considered a big deal. But instead of considering ransomware payments, entities should be investing in offline backup and restoration tools. 

Further, insurers are becoming furious at the threat, and feel they’re paying too much. As a result, premiums are spiking on coverage. Further, as seen with NotPetya, sometimes companies won’t pay up, claiming some attacks as an act of war. 

“We need a better strategy to prevent paying criminals. At this current course, we’re going to see more attacks and worse ransomware threats,” Corman concluded. “We’re hoping these events will renew focus and attention on bolstering cybersecurity.” 
