Photo credit: Depositphotos
An Active Defense Posture is Needed for Thwarting Sophisticated Attacks and Saving Lives
By Andrew Homer
For many reasons, the impact of COVID-19 on the healthcare industry has been historic. Tasked with keeping the public safe amid a global health crisis and caring for the infected (of which there have been over 16M cases in the U.S. and counting), healthcare professionals have undoubtedly experienced more significant turmoil this year than at any other stage of their careers.
But while healthcare providers are busy on the front lines of a deadly pandemic, cybercriminals have found a new favorite industry to target. These attacks are growing more severe and even fatal. In September, the first known fatality related to a ransomware attack occurred in Duesseldorf, Germany, when an IT system failure forced a critically ill patient to be routed to a hospital in another city. The fatal incident happened just before another attack hobbled 250 U.S. facilities of the hospital chain Universal Health Services, forcing doctors and nurses to rely on paper and pencil for record-keeping and slowing lab work.
Indeed, it’s fair to say that while the healthcare space continues to manage this unprecedented health emergency, they’re dealing with a cybersecurity one, too. Even more worrisome is the fact that cybercriminals are now taking the targeted approaches they’ve used to go after “big name” organizations and are turning these methods to target hospitals in more rural communities that are understaffed and less secure.
So why has healthcare become the top target for cybercriminals as they look to boost their own revenues? Here’s a look at the reasons why healthcare will remain cybercriminals’ top target in 2021 and how only an active defense posture can protect healthcare providers and their patients.
Attacking an Industry That’s Critical 24/7
We know that hospitals have been operating on incredibly tight resources this year. While in ordinary times, packed emergency rooms and inpatient bed shortages are the norm, the pandemic has amplified pre-existing deficiencies and inequities of not only the United States’ healthcare system, but of other countries around the world.
While much has been written about the effects of workers going remote on their tech employers — and how WFH has challenged productivity and inhibited collaboration — the reality is that healthcare is perhaps the only industry with an immediate operational 24/7 need. Cybercriminals understand this, which is why taking down healthcare’s capabilities has become many bad actors’ priority in 2020. They know that any breach has a direct impact on services and operations. As a result, a breach often leads to the violation being disclosed and to the hospital determining that paying the ransom is its best option from a business standpoint.
For these reasons, cybercriminals aren’t holding back on healthcare. They’re using the same sophisticated campaigns that posed a threat to the integrity of the U.S. election (Trickbot), that recently cost French IT services giant Sopra Steria some $60M (Ryuk), and one that has reportedly racked up $100M in just one year from extorting large businesses (REvil).
For example, in November, a wave of Ryuk ransomware attacks hit the University of Vermont Health Network, the Sky Lakes Medical Center in Oregon, the St. Lawrence Health System in New York, and the Dickinson County Healthcare System in Michigan and Wisconsin. The attacks brought warnings from several federal agencies of “an increased and imminent cybercrime threat” to the nation’s healthcare providers.
Federal agencies like the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) don’t recommend that victims pay the ransom when they’re attacked, but as the Duesseldorf case illustrates, it’s not only data and money that are on the line but patients’ lives, too. That makes healthcare providers that are eager to get back online quickly prime targets.
Exploiting an Overreliance on Outdated Infrastructures
We’ve already discussed how COVID-19 has magnified healthcare’s scarcities, but that includes the gaps in providers’ IT infrastructures and security systems, too. Overreliant on Internet Explorer, providers are commonly targeted by browser-based attacks, perhaps more so than any other industry. Even Microsoft calls IE a “compatibility solution” rather than a browser, in large part because it doesn’t support new web standards for things like security. Therefore, by choosing to use something woefully inadequate, healthcare organizations make browser security unattainable and expose themselves to attacks like drive-by downloads and Adobe Flash exploits.
Phishing attacks pose similar challenges. These types of attacks constituted 30% of cyberattacks in healthcare in 2019. Meanwhile, recent data from IRONSCALES found that healthcare recipients are the biggest target for credential theft attempts through social engineering and spoofed login pages. Microsoft has also said that, across the board, it has blocked 13 billion malicious and suspicious emails, of which 1 billion were URLs set up with the explicit purpose of credential phishing attacks.
It’s clear that these vulnerabilities aren’t hidden. Morphisec research even found that nearly a quarter of consumers believe their healthcare provider lacks adequate security against web browser attacks and healthcare phishing schemes. And their concerns are warranted.
Browser-based and phishing attacks can both unleash the worst attacks in a hacker’s arsenal (trojans, downloaders, ransomware, etc.) and, when successful, can lead to severe data loss or critical applications going offline at a time when healthcare requires effective IT. 2020 has taught us a lot of things. One is that cybersecurity is an urgent requirement in healthcare right now. Choosing to neglect it will cause, and already has caused, unrecoverable harm.
Thwarting Hackers’ Sophisticated Attacks with Active Defense
With ransomware attacks becoming more sophisticated and more frequent (a new Black Book report says that they’re expected to triple next year), healthcare providers must upgrade their easily bypassable legacy antivirus tools. If they don’t, their security protocols (or lack thereof) risk becoming a choke point in their ability to treat their patients.
Of course, we understand that their bandwidth is stretched, which is why they need to utilize active defense. Active defense approaches range from cyber deception to adversary engagement tactics. These approaches allow organizations to automate and preempt the counter to an attack, while also learning more about that adversary and their planned attack chain.
Moving target defense is one active defense method that does all these things. It morphs the application memory so that when hackers think they’re tapping into critical data or controls, they’re actually targeting a trap that neutralizes the attack. It works like a second (or last) line of defense behind traditional antivirus monitors and spam email filters. Should one of those defenses fail – which becomes vastly more likely when, like now, hackers increase the frequency and sophistication of attacks on human targets who are too distracted to be alert – moving target defense essentially shuts down the attack before it has any negative consequences.
Crucially, it also does this without requiring extensive or ongoing input from the IT team, freeing them up to focus on whatever else the pandemic response requires. Many hospitals today do not have security specialists on staff. They cannot analyze reams of alert data, and cannot afford to outsource to a third-party Managed Detection and Response firm.
Although COVID-19 has turned healthcare upside down — as well as people’s lives in general — it has also perhaps acted as a wake-up call for an industry that’s increasingly targeted by hackers and increasingly reliant on tools unable to stop them. After all, it’s fair to say that 2020 has been a historic year for ransomware attacks in almost every industry. But as we move towards a vaccine rollout, the public’s dependency on healthcare’s efficiencies is set to skyrocket, as millions turn to frontline doctors, nurses, and administrators to get life back to some sense of normalcy. That means the importance of healthcare providers to cybercriminals’ business models is set to rise, too.
While moving target defense may not decrease the number of attacks, it can make them irrelevant. Implementing this technology has become mission-critical for organizations to preserve their data and money during a global pandemic — and importantly, safeguard their patients’ lives, too.
Andrew Homer is VP of Security Strategy for Morphisec.