Cyber Threats and Mitigation Strategies for the Healthcare Sector

The Australian healthcare sector will need to take urgent steps to counter the growing threat of cyber-attacks, which are growing in number and sophistication. Healthcare players can no longer afford to delay taking decisive steps to protect themselves.  These steps include leadership augmentation, increased budgets and policy enhancements, amongst others. The time to act is now.

Current cyber threat trends in healthcare

Cyber threat actors generally find the healthcare sector as an attractive target because:

• The potential impact of disruption to front-line services can be significant and includes:

• Negative impact to patients wellbeing,
• Revenue loss,
• Recovery costs,
• Reputational damage,
• Litigation, and
• Stock price erosion.

• They could gain access to sensitive personal information that is valuable in the black market and could be sold on the dark web.
• They could steal valuable intellectual property related to Research and Development (R&D) activities.
• There is an increased adoption of digital services within the healthcare ecosystem, without a commensurate cyber strategy.
• There are a large number of people and connected devices that frequently move around the business and change locations, which introduces complexity.
• The cyber security capability maturity in this sector is the lowest compared to other sectors¹.

Fig 1: Why it makes sense for cyber threat actors to attack Healthcare

Fragile Cyber Security In Healthcare In Australia:

Last year was a highly active year for cyber threat actors who operate within the health sector. In the US, healthcare breaches increased 55.1% in 2020 with hacking and IT incidents representing 67.3% of compromises².

The Office of the Australian Information Commissioner (OAIC) noted that health was the highest reporting sector (22%) with 518 notified breaches³. During the 2020 reporting period, the Australian Cyber Security Centre (ACSC) experienced an 84.4% increase in the number of security incident reports relating to the health sector⁴. 

Although we have seen numerous attacks targeting vaccine developers and sensitive personal information, the most disruptive and growing threat for the health sector is “ransomware”. 

Ransomware is a type of malicious software designed to block access to a computer system (via encryption) until a sum of money is paid. In August 2020, the ACSC released an advisory of ransomware campaigns targeting aged care and health care sectors after a spate of high profile publicly disclosed breaches disrupted operations at these providers⁵.

We anticipate a continued threat of ransomware attacks in the health sector in 2021 albeit with a few changes to their tactics and techniques.

Double Extortion: Steal Data

Recently, we found ransomware operators exfiltrating sensitive data before they started disabling victim systems. The threat actors then threaten the disclosure of this sensitive data in an attempt to coerce victims to pay the ransom in what is now referred as “double extortion” schemes⁶.

Inherent cyber challenges in the healthcare sector

The health sector has several inherent challenges to improve their cyber maturity to a level that is commensurate to the threats faced. These challenges include: 

• Limited cyber leadership: Most organizations do not have a leader with the right authority, resources, and access to senior executives and the board to drive outcomes. The other issue is conflict of interest in reporting structures. It is common to find the cyber risk function sitting within the Information Technology (IT) organization reporting to the Chief Information Officer (CIO) or Chief Technology Officer (CTO). The typical charter for a Chief Information Security Officer (CISO) and a CIO or CTO is generally in conflict especially as it relates to user experience, cost of controls, and expected velocity of IT changes. Not for profit organizations also struggle to acquire the right cyber leadership talent (CISOs) as these roles are in high demand and are expensive.
   
• Consistent under investment: The sector is known for its consistent under investment in digital and cyber technologies⁷. It is not uncommon to find ‘out of support’ systems used in production without appropriate basic hygiene like patch management, end point security controls, and user access management.
   
• Specialist systems: Specialist clinical and R&D systems have longer lifespans than traditional IT systems and vendors are inconsistent with the timely release of patches for known vulnerabilities. A number of these systems (e.g. radiological imaging system using the DICOM standard) also have technical constraints for the application of effective end point security and user access management controls⁸.
   
• High Performance Computing (HPC) environments: HPC is the ability to process data and perform complex calculations at high speeds⁹. HPC environments are typically used for medical research (e.g. modelling proteins and genomics to accelerate drug discovery for diseases) and they have their unique constraints. Traditional security technologies typically are not able to operate in environments with bandwidth characteristics required for HPC environments.

Boards are generally not comfortable with unmitigated issues that pose a medium to high risk. Even with the right investment and control environment in place at a point in time, this will require active management and continued investment as the cyber threat environment keeps evolving along with the business.

The threats posed require the healthcare sector to prioritize cyber security as an enterprise issue and have the right leadership with adequate resources in place. These inherent challenges also require organizations to think outside the box to effectively manage cyber threats while being a business enabler.

Mitigation strategies to consider

Our significant global experience managing healthcare environments and responding to cyber threats gives us the confidence to present to you a summary of mitigation strategies to consider: 

• Robust cyber risk management: Develop a cyber security capability aligned to the organization’s threat landscape and risk appetite using an industry accepted framework (e.g. NIST CSF or ISO 27001) and “secure by design” principles¹⁰.
  This capability needs to be led by leader with authority to influence across the enterprise, and access to resources required to achieve objectives of the organization’s cyber program. The leader should also have at least a biannual or quarterly access to the Board to provide updates on how the organization’s cyber program is enabling strategic business objectives. One of the first steps you can take now is to perform a ransomware readiness assessment to understand your gaps and prioritise remediation.
   
• Backup strategy: Backups are critical in an organization’s ability to quickly recover from ransomware attacks. In many cases, we found organizations who solely relied on online backups at an increased risk because online backups can be corrupted as part of the attack lifecycle. We recommend organizations adopt a 3-2-1 backup strategy, with three copies of data, two copies on different media, and one copy offsite which is air gapped between operational environments.
   
• End point security: Effective end point controls are critical to detect and prevent ransomware threats. We recommend leveraging artificial intelligence (AI) and / or machine learning (ML) algorithms in end point controls to detect and prevent known and unknown ransomware threats. Detected threats must be supported by an effective incident response to contain propagation of the threat and remediate in a timely manner. 
   
• Patch and vulnerability management: Patches should be identified and applied in a timely manner aligned with the organization’s risk appetite. Organizations should also consider vulnerability management controls to obtain visibility of the effectiveness of patch management controls and take corrective actions as required (e.g. upgrade of an out-of-support systems). 
   
• Network segmentation: A key tenant of effective risk management is the ability to contain risk exposure. Inherent challenges as it relates to specialist systems and HPC environments mean that healthcare organizations most likely are not able to enable effective end point security, access management or patch management controls consistently across their estate. To compensate, organizations need to consider network segmentation controls to help compartmentalize risk and think outside the box with virtual patching¹¹ and network detection, and response leveraging AI and / or ML capabilities¹². Key principles to consider when implementing network segmentation is the principle of zero trust (network layer)¹³. 
   
• Multifactor authentication: Initial access to a victim’s environment is typically obtained using legitimate credentials used on an Internet accessible service. Multifactor authentication requires the user to present two pieces of evidence in different forms (knowledge, possession, or inherence) before they are able to successfully authenticate¹⁴. We recommend at a minimum all Internet accessible services and the organization’s crown jewels be secured using multifactor authentication solutions. 
   
• Identity and privileged access management: In almost all instances of ransomware breaches, the scope of the breach was almost a function of the victim’s internal identity and privileged access management practices. Weak identity and privileged management practices allow threat actors to move laterally within the environment and disrupt more systems (including crown jewels). Besides strong password management controls, we recommend that organizations closely adhere to the principle of least privilege and zero trust (identity layer) before granting access to systems¹⁵.
   
• Threat detection and response: Given the volume and frequency of attacks in the health sector, it is important to have a robust threat detection and response capability. We recommend benchmarking your threat detection and response capabilities against the MITRE ATT&CK® framework¹⁶ to identity potential gaps and areas for improvement. We also recommend that you test your incident response plans and playbooks regularly by conducting breach simulations, red team, and tabletop exercises based on real life scenarios. When performing tabletop exercises or simulations, it is also important to consider the inclusion of senior executives and the Board.
   
• Cyber insurance: Cyber insurance is a key tool to mitigate financial losses emanating from a cyber breach. As a result, it is important to align cyber insurance policies with an organization’s risk appetite. To do so effectively, organizations need to consider scenario-based modelling to model both direct and indirect costs associated with potential cyber breaches.

Summary

Wipro Recommends

• Robust cyber risk management 
• Patch and vulnerability management
• Identity and privileged access management
• Effective threat detection and response
• Multifactor authentication
• Cyber insurance
• Backup strategy
• Endpoint security
• Network segmentation

References

1. Coventry, L., Branley-Bell, D., Sillence, E., Magalini, S., Mari, P., Magkanaraki, A., & Anastasopoulou, K. (2020, July). Cyber-risk in healthcare: Exploring facilitators and barriers to secure behaviour. In International Conference on Human-Computer Interaction (pp. 105-122). Springer, Cham2 
2. Bitglass Healthcare Breach Report 2021, Hacking and IT Incidents on the Risk
3. https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2020/
4. https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/2020-health-sector-snapshot
5. https://www.cyber.gov.au/acsc/view-all-content/advisories/2020-013-ransomware-targeting-australian-aged-care-and-healthcare-sectors
6. https://www.cybereason.com/blog/rise-of-double-extortion-shines-spotlight-on-ransomware-prevention
7. https://www.theage.com.au/national/victoria/improve-hospitals-cyber-security-before-a-life-is-lost-20191002-p52x49.html
8. https://www.cpomagazine.com/cyber-security/healthcare-cyber-attacks-rise-by-55-over-26-million-in-the-u-s-impacted/
9. https://www.netapp.com/data-storage/high-performance-computing/what-is-hpc/
10. https://en.wikipedia.org/wiki/Secure_by_design  https://owasp.org/www-community/Virtual_Patching_Best_Practices
11. https://owasp.org/www-community/Virtual_Patching_Best_Practices
12. https://www.vectra.ai/discover/how-to-apply-network-centric-approach-to-detection-and-response
13. https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture
14. https://en.wikipedia.org/wiki/Multi-factor_authentication
15. https://www.cyberark.com/what-is/least-privilege/
16. https://attack.mitre.org/