Getty Images/iStockphoto

Adopting Defense In Depth Strategies to Combat Healthcare Cyberattacks

The AHA’s John Riggi and Attivo Networks' Carolyn Crandall share insights on how organizations can navigate current healthcare cyber threats by using defense in depth strategies.

The current cyber threat landscape calls for sophisticated defense in depth strategies that allow organizations to adapt and respond to healthcare cyberattacks and vulnerabilities.

The National Institute of Standards and Technology (NIST) defines defense in depth as “[t]he application of multiple countermeasures in a layered or stepwise manner to achieve security objectives.”

The method ensures that if one technical, administrative, or physical safeguard fails to detect or protect against an intrusion, other tools will be at the ready.

John Riggi, senior advisor for cybersecurity and risk at the American Hospital Association (AHA), posited that healthcare organizations will have to adopt defense in depth security measures in order to keep pace with emerging threats.

“Healthcare is moving towards increased digital transformation to improve patient outcomes and to improve business efficiencies. With the increase in digital transformation and connected devices, we will have a proportional increase in cyber risk as well,” Riggi said in an interview with HealthITSecurity.

“Cyber risk isn't going to go away. It's going to continue to increase, and we need to be prepared with all available solutions, both human, technical, and on the policy level.”

Assessing the Current Cyber Threat Landscape

Although organizations are moving in the right direction by prioritizing cybersecurity and adopting new security practices, healthcare cyberattacks have not decreased.

“It seems like it’s a never-ending battle against the ‘threat of the day’,” Carolyn Crandall, chief security advocate at Attivo Networks, also remarked in the interview with HealthITSecurity.

“There have been a lot of challenges with remote workers, and with everything being interconnected. There are new devices, new networks, and trying to keep track of all devices and when and where they are getting plugged in is another challenge.”

Along with the pandemic-driven shift to remote work and the subsequent increase in connected devices, medical device security has become a top priority. In 2021, researchers found vulnerabilities in infusion pumps that could allow malicious threat actors to target the devices and potentially administer deadly doses of medications.

“To date, we haven't seen ransomware attackers target a medical device purposely to inflict harm,” Riggi noted. “The harm is more of a byproduct of the unavailability of the devices as a result of a ransomware attack.”

However, threat actors may look to medical devices as an easy target in the future since many are legacy devices without the proper security controls to defend against attacks.

“The stakes are high,” Crandall continued. “You wouldn't want anybody tampering with the medical imaging system or other devices that are in practice. There are a lot of pressures in this industry to defend things on multiple fronts.”

In addition to medical device security challenges, the healthcare industry has been shaken up by the recently discovered Apache Log4j vulnerability. The severe vulnerability stems from an open-source and extremely common Java framework used to enable logging features in applications.

If exploited, threat actors can use a compromised system to execute arbitrary code and escalate to ransomware or data exfiltration. There is a patch available, but exploitation and testing attempts are still increasing.

“Many intrusions have likely already occurred because this vulnerability is so widespread and so easy to exploit,” Riggi explained.

The healthcare sector is currently facing aggressive cyber threats from all sides. To combat these threats and protect patient safety and privacy, organizations must adopt defensive security measures.

Exploring Defense in Depth Strategies

Riggi and Crandall stressed the need for intrusion detection systems, access management, and identity verification systems. As the attack surface and scope continue to expand, organizations will need to employ a variety of security measures that can combat a variety of threats.

“Because there are so many potential attackers with such a wide variety of attack methods available, there is no single method for successfully protecting a computer network,” a SANS Institute paper explained.

“Utilizing the strategy of defense in depth will reduce the risk of having a successful and likely very costly attack on a network.”

Riggi encouraged healthcare organizations to focus on readiness, recovery, response, and resiliency. It is crucial to have a business continuity plan in place that allows an organization to function even in the middle of a ransomware attack.

Riggi and Crandall also noted the prevalence of active directory attacks and advanced persistent threat (APT) tactics that may be able to sneak past conventional security measures.

“A lot of the traditional defenses were just never designed to be able to detect those things,” Crandall said.

“I don't think I've seen one cyberattack which does not include an attack on active directory as part of that attack cycle for privileged escalation, and then to move laterally throughout the organization,” Riggi added.

Today’s increasingly sophisticated threat actors may use one attack vector to gain access to a network but can branch out into other methods once inside. Defense in depth strategies combat this issue by requiring security solutions that address vulnerabilities and intrusions across the entire life cycle of the system.

“The change that people need to start to prepare for is attack surface management,” Crandall continued.

Through attack surface management, healthcare organizations can focus on disrupting attack paths while protecting credentials and privileges from potential attackers. However, attack surface management is just one layer in a comprehensive defensive security strategy.

Securing the organization on multiple levels through proper cyber hygiene and a network of security solutions that work in tandem to mitigate threats is critical to sustaining a cyberattack and protecting both network assets and patients.  

Defense is Only One Part of the Solution

“In healthcare, we say that staff need to understand that cyber hygiene is just as important as medical hygiene to protect the patients from harm,” Riggi emphasized.

“Ultimately, the solution to cyber risk is a human solution as well.”

Cyber hygiene, a comprehensive incident response plan, and a continued focus on cyber resiliency are just as important as employing technological solutions.

Riggi also stressed the need for help from the government when it comes to tackling ransomware.

“We need the government to go after these bad guys, quite frankly,” Riggi asserted.

“Anything we do defensively has to be coupled with an offensive strategy by the US government and our allies.”

Following the Colonial Pipeline cyberattack in May 2021, which disrupted thousands of miles of the US fuel supply chain, President Biden issued an executive order aimed at improving the nation’s cybersecurity.

The Department of Justice also launched the Ransomware and Digital Extortion Task Force, which led to two individuals being charged in connection to REvil/Sodinokibi ransomware.

More government action, threat sharing, and collaboration across critical infrastructure will be critical to successfully fending off cybercriminals.

“You need the combination of a culture of cybersecurity with very effective technological solutions, but then we need the government also to complement what we're doing on the defensive side with an offensive strategy,” Riggi reiterated. “We can't solve this problem on our own.”

Next Steps

Dig Deeper on Cybersecurity strategies