How to Make Hospitals a Hard Target for Cybercriminals

By Hank Schless, Senior Manager of Security Solutions, Lookout

Amid a frustratingly regular cadence of ransomware attacks and data breaches, healthcare organizations find themselves a preferred target for cybercriminals. In 2020, 92 ransomware attacks affected over 600 healthcare organizations, exposing more than 18 million patient records. When this happens, it’s not simply data or dollars at risk – it’s patient health. So, why are hospitals becoming such a popular target? And, more importantly as a hospital or provider, how can you better protect your institution from cyberthreats? 

Why Healthcare Organizations?

Attackers target systems where they believe they have the highest chance of success. As a result of the pandemic, hospitals found themselves under immense pressure to provide care at unprecedented scale. Ransomware attackers often time their attacks to leverage external events against the target institution. This is because if a system cannot afford to go dark, that system’s operators are more likely to pay the ransom. 

Moreover, hospitals traditionally don’t have well-resourced security teams like government agencies and financial institutions do. This lack of resources, combined with increased pressure due to the pandemic,  make hospitals and other healthcare organizations a natural target for cybercriminals.

Moreover, the attack surface that healthcare organizations face is broad compared to institutions across other industries.. Hospital equipment can be among the most expensive technology on any market, but software on these machines is frequently outdated because of the massive cost of replacing this hardware. This means that software vulnerabilities go unpatched on machines throughout the network, a problem that metastasizes as we enter the age of 5G and connected devices. 

Digital transformation has been steadily altering the way health organizations operate and was put into overdrive during the pandemic. One of the clearest examples of this is telehealth, a critical innovation used to provide continuous  care from anywhere while minimizing contact and bringing care to those who might not be able to reach it due to their location of physical disabilities. . 

However, digital transformation has  brought with it new challenges, including securing a datapath among devices outside the traditional cybersecurity perimeter. Much like mobile banking or shopping, this involves securing communication and data access across both personal and managed devices, either one of which could be used to access sensitive data at any time, expanding the attack surface available to hackers. 

The information that hospitals hold is extremely valuable to cybercriminals. Patient health records, of course, immediately come to mind — the privacy implications here alone are staggering. But healthcare organizations hold far more than sensitive health information. This often includes. payment data, social security numbers, addresses, phone numbers, and other highly sensitive and personally identifiable information. 

Ransomware attackers often run themselves like small businesses these days. They will develop a repeatable model and deploy it where they believe it’s most effective. Once they’ve found a sweet spot, they’ll exploit it until they’re compelled to move on to something else. Recently, hospitals and healthcare organizations have been the sweet spot. The combination of valuable information, external pressure, and lack of cybersecurity sophistication compared to similar targets has drawn the attention and attacks of cybercriminal operators. So the vital question then becomes: how can these organizations protect themselves?

How Can Healthcare Organizations Defend Against Cyberthreats?

The first order of business for a hospital, or any organization, to harden its cybersecurity posture and update it for a modern network environment, is to regain the visibility they had when almost every user and device was inside the perimeter. Without that visibility, it’s nearly impossible to identify risks in a network, let alone confront them. Often, this means implementing a full endpoint-to-cloud security strategy. This starts with implementing a secure access server edge (SASE) to put IT and security teams back in control. SASE is based on the concept of Zero Trust, which means that devices and users are designated as risky by default until proven otherwise. SASE allows IT and security teams to dynamically dial in Zero Trust access controls and deploy continuous monitoring of user and entity behavior analytics, allowing them to detect and respond to insider threats and advanced cyberattacks. 

 There are several elements that constitute a highly effective SASE strategy. One element is a cloud access security broker (CASB). CASB provides full visibility into the interactions between users, endpoints, cloud apps, and data. As healthcare workers and organizations rely on cloud-based SaaS platforms and infrastructure to access sensitive data, they need to ensure the secure handling of that data, proper security configuration of cloud resources, and that entity behaviors align with HIPAA and other compliance standards. An effective CASB can help achieve this as a part of a broader SASE strategy. 

Another important element in a SASE strategy is Zero Trust Network Access (ZTNA), which extends the security benefits of cloud infrastructure to legacy apps. This is crucial, as it allows teams to create dynamic access policies that only grant users access to the specific resources they need to get their work done. Many organizations implement this in combination with a VPN to modernize the access process from any location. Moreover, as most ransomware attacks start with a threat actor compromising an employee’s credential before moving laterally to find target resources, ZTNA can mitigate this risk by implementing granular access policies that factor in contextual signals about a user including device and location, that could reveal a compromised account. 

Extending these to traditional endpoints as well as mobile devices through a mobile endpoint security (MES) provider is essential to establishing the basis for an effective, modern cybersecurity posture. Mobile devices are often overlooked by security teams, but not by cybercriminals. The data that our phones and tablets hold can represent a treasure trove for an attacker looking for leverage to gain access to an organization. 

Looking Ahead

Cyberattackers are constantly evolving their tactics to try to stay ahead of the latest security solutions and strategies. They also target organizations against which they believe they’ll have the most success. The challenge, therefore, is to harden the cybersecurity posture of healthcare organizations in general to both discourage future attacks and to defend against those that do come. With the proliferation of telehealth and other innovations that require connected devices and other such elements that broaden the attack surface of healthcare providers, it’s clear that organizations cannot retreat back behind the traditional perimeter to defend sensitive information from those who would steal and ransom or sell it to the highest bidder. The innovations have become too vital to too many people. Instead, healthcare organizations must think about data in a different way. Decision makers need to constantly assess the ways that data is stored, accessed, and transferred. Understanding these elements will help them make more informed decisions about how to secure access to that data and infrastructure in the first place. Visibility is also essential. Security teams must understand what happens outside the perimeter their enterprise network provides if they’re going to defend a network with access points mostly outside that traditional perimeter. 

The bottom line here is that while hospitals are to the public more important than ever, to cybercriminals, they’re more vulnerable than ever. And if they are exposed to the same threats as banks and companies and government entities, they must implement a cybersecurity posture with the same degree of sophistication. That starts with a secure access server edge strategy.