The healthcare sector faces a growing storm on the digital front. Recent high-profile incidents, like the ransomware attacks on Change Healthcare and Ascension, have exposed critical vulnerabilities and caused significant disruptions in patient care.
The attack on Change Healthcare, attributed to the notorious BlackCat (aka ALPHV) group, highlights the crippling impact of these incidents. The disruption caused by the attack and the organization’s difficult decision to pay a hefty ransom ($22 million) underscores just how vulnerable the sector is to cybercrime.
Similarly, the ransomware attack on Ascension by Black Basta crippled its vast network of 140 hospitals, leaving medical professionals strained and having to rely on manual record-keeping for weeks on end. An online petition by Ascension Providence Rochester Hospital staff reveals the human cost of these attacks – patient care suffers as staff struggles with limited access to electronic medical records (EMRs). More than a month after the attack, the fallout continues, demonstrating the long-term consequences for both patients and healthcare professionals.
In this post, we’ll explore the complex web of cybersecurity challenges plaguing the healthcare sector. We’ll then examine potential solutions and, finally, the important role of information sharing and collective defense in building a more secure future for healthcare.
The Roadblocks to Cyber Risk Reduction in Healthcare
ARPA-H, a US government agency focused on health research, is investing $50 million to develop an autonomous cybersecurity solution for hospitals. In its announcement of the program, called “Universal Patching and Remediation for Autonomous Defense” or UPGRADE, ARPA-H describes the challenge faced by healthcare cybersecurity professionals as follows:
“Deploying security updates in hospitals is difficult because of the sheer number of internet-connected devices, limitations in health care IT resources, and low tolerance for device downtime needed to test and patch. Despite the size of the cybersecurity industry, health care sector challenges remain under addressed, even as more pieces of equipment are network-connected than ever before.”
The vulnerability of the healthcare sector to cybercrime was made evident by Change Healthcare’s massive ransom payout to ALPHV. Because of the critical nature of the services they provide and the lives that depend on them, hospitals cannot afford downtime. The bad actors have no hesitation in exploiting this. In his testimony before the Senate Finance Committee, UnitedHealth (Change Healthcare’s parent company) CEO Andrew Witty said, “Our company alone repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year. These criminals… have increasingly targeted critical infrastructure, including schools, government agencies and the health care sector. (They) are willing to attack everything from community hospitals to pharmacies to networks like ours that enable the information exchange necessary to provide care.”
The Cybersecurity and Infrastructure Security Agency (CISA) identifies the following as the primary cybersecurity challenges facing the healthcare sector:
Large Number of Connected Devices Ripe for Exploitation
The rapid development and deployment of internet-connected medical devices often overlooks critical security considerations. These devices can create new attack vectors for malicious actors, potentially compromising patient privacy and safety. The rise of unregulated mobile health applications, too, can leave sensitive patient health information (PHI) and personally identifiable information (PII) inadequately secured.
Strained and Underprepared Hospital Staff
Healthcare personnel are often overburdened and may lack comprehensive cybersecurity training. While training is essential, environmental pressures in busy healthcare settings can undermine even well-intentioned security practices. Balancing operational efficiency with strong information security remains a significant challenge.
Balancing Speed, Efficiency and Security
The daily demands of patient care can sometimes prioritize speed and information sharing over data security. Additionally, compliance requirements and business needs often necessitate large-scale data portability, creating a complex web of access points that require careful management.
Supply-Chain Risks and Unprotected Legacy Systems
The digitalization and integration of previously standalone technologies creates a multitude of cybersecurity challenges. Interoperability dependencies, supply-chain risks, and vulnerabilities in legacy systems – those no longer supported by their manufacturers – introduce significant security gaps. The interconnectedness of these systems turns each dependency into a supply-chain risk. Added to this are legacy systems that cannot be patched with the latest updates, leaving them permanently vulnerable to attacks and, in turn, exposing the other systems connected to them.
Inadequate Cybersecurity Budgets and Resources
Hospitals often allocate a significant portion of their limited IT budgets to acquiring, implementing, and adopting new technologies. This leaves few resources for securing data, networks and devices. Furthermore, smaller healthcare organizations may lack dedicated internal IT or security teams, making the situation worse.
The High Value of Healthcare and Research Data
Patient health information (PHI) is a highly valuable commodity on the dark web. By some estimates, PHI is far more valuable to criminals than even credit card data. This data attracts not only financially motivated criminals, but also nation-states seeking a strategic advantage. Compromised credentials can provide continued access to systems, allowing attackers to inflict widespread damage. Another enticing target is biomedical and pharmaceutical research and development data – worth hundreds of billions of dollars in total.
The good news is that there are concrete steps healthcare institutions can take to overcome these challenges and mitigate risks.
Building Cyber Resilience in the Healthcare Sector
Hospitals and other healthcare institutions need to prioritize strong cybersecurity measures to protect patients, staff, and sensitive medical data. This requires ongoing investments in staff education, and the development and implementation of strong and resilient security programs.
In January 2024, the U.S. Department of Health and Human Services (HHS) released a set of Healthcare and Public Health (HPH) Sector Cybersecurity Performance Goals (CPGs) specifically for healthcare. These include both Essential (Foundational) and Enhanced (Advanced) Goals.
Our focus in this post is on explaining Essential CPGs, designed “to help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyberattacks, improve response when events occur, and minimize residual risk.”
Mitigate Known Vulnerabilities: Healthcare organizations must constantly identify and address weaknesses within their IT infrastructure. This involves discovering, assessing, prioritizing and patching known vulnerabilities, particularly those affecting externally facing systems, before malicious actors can exploit them. Patching these vulnerabilities ensures that healthcare institutions minimize their attack surface and do not leave easy entry points for threat actors to exploit.
Email Security: Phishing attacks and email spoofing remain major threats, particularly for healthcare professionals who haven’t received any phishing awareness training. Implementing robust email security measures, such as advanced filtering and user education, is crucial to prevent these breach attempts from being successful. In a defense-in-depth security model, good email security makes up an important layer to keep attackers out of the network.
Multifactor Authentication: Multi-factor authentication (MFA) acts as another critical barrier, requiring an additional verification step beyond passwords to access sensitive resources. Some of the most high-profile breaches in recent months, including the Change Healthcare breach, started because applications or users didn’t have MFA.
Basic Cybersecurity Training: A well-trained workforce can be a very effective first line of defense. Healthcare institutions must invest in ongoing cybersecurity training to ensure staff understand potential threats and can identify and report suspicious activity. This could include phishing awareness, knowledge of cybersecurity best practices and data privacy policies and regulations.
Strong Encryption: Strong encryption safeguards the confidentiality of sensitive patient data, both at rest and in transit. This ensures that even if intercepted, this critical information remains unreadable, protecting patient privacy during breaches and transmissions. Encryption also supports compliance with regulations and builds trust with patients concerned about their digital medical records.
Revoke Credentials for Departing Workforce Members: When employees, contractors, or volunteers leave an organization, their access privileges should be promptly revoked to prevent unauthorized access to sensitive data or systems. This ensures only authorized personnel can access protected information, safeguarding patient privacy and institutional security.
Basic Incident Planning and Preparedness: Being prepared for a cyberattack is critical. Healthcare institutions should invest in incident response planning, ensuring a swift and coordinated reaction to minimize damage and restore operations as quickly as possible. This involves pre-planning emergency protocols and knowing the sequence of steps and the people to notify or involve to respond quickly to a breach.
Unique Credentials: Assigning unique credentials within an organization’s network allows for better detection of anomalous activity. This can prevent attackers from gaining access to multiple systems or moving laterally across the network, especially between IT and OT systems. Lateral movement prevention can be further bolstered by network segmentation.
Least Privilege Access (Separate User and Privileged Accounts): The principle of least privilege dictates that users should only have the access level necessary to perform their job functions. This significantly reduces the potential damage caused if a user account is compromised.
Vendor/Supplier Cybersecurity Requirements: Healthcare organizations rely heavily on third-party vendors and suppliers. Implementing robust cybersecurity requirements for these partners and factoring them in when creating incident response plans reduces risks associated with these external connections. This involves thoroughly vetting any partners, vendors or third-party applications used by the healthcare organization.
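Two of the Essential CPGs above, Unique Credentials and Revoke Credentials for Departing Workforce Members, are the kind of controls whose failure shows up in authentication logs long before an incident is declared. The following is an added example, not code from the original post or from HHS/CISA: it parses a constructed authentication log (the `user=`/`src=` line format and the hostnames are assumptions) and flags (a) accounts that log in from more distinct workstations within a short window than one person plausibly could, a common symptom of a shared ward login, and (b) successful logins by accounts whose HR last day has already passed, i.e. credentials that were never revoked.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample authentication log (not from any real system).
# Assumed line format: "<ISO timestamp> <SUCCESS|FAILURE> user=<id> src=<host>"
SAMPLE_AUTH_LOG = """\
2024-06-03T07:58:12 SUCCESS user=rn.ward3 src=WS-ICU-01
2024-06-03T08:01:47 SUCCESS user=rn.ward3 src=WS-ICU-02
2024-06-03T08:02:05 SUCCESS user=rn.ward3 src=WS-ER-07
2024-06-03T08:05:30 SUCCESS user=rn.ward3 src=WS-ICU-03
2024-06-03T08:10:02 SUCCESS user=j.okafor src=WS-ADM-04
2024-06-03T08:12:19 FAILURE user=j.okafor src=WS-ADM-04
2024-06-03T09:15:44 SUCCESS user=t.nguyen src=WS-LAB-02
2024-06-03T09:20:00 SUCCESS user=contractor.img src=VPN-GW-1
"""

# Constructed HR roster: user id -> last day of employment (None = still active).
SAMPLE_ROSTER = {
    "rn.ward3": None,
    "j.okafor": None,
    "t.nguyen": date(2024, 5, 24),        # left ten days before this log
    "contractor.img": date(2024, 4, 30),  # contract ended in April
}


def parse_auth_log(text):
    """Turn the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, result, user_kv, src_kv = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "success": result == "SUCCESS",
            "user": user_kv.split("=", 1)[1],
            "src": src_kv.split("=", 1)[1],
        })
    return events


def find_shared_credentials(events, max_hosts=2, window_minutes=15):
    """Return {user: sorted hosts} for accounts that succeeded from more than
    max_hosts distinct hosts inside any window_minutes-long window.
    One clinician cannot be at four workstations in seven minutes; a shared
    ward login can."""
    by_user = defaultdict(list)
    for e in events:
        if e["success"]:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            hosts = set()
            for e in evs[i:]:
                if (e["time"] - start["time"]).total_seconds() > window_minutes * 60:
                    break
                hosts.add(e["src"])
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def find_unrevoked_accounts(events, roster, as_of):
    """Return sorted user ids whose last day is before as_of but who still
    authenticated successfully: credentials that should have been revoked."""
    departed = {u for u, last in roster.items() if last is not None and last < as_of}
    return sorted({e["user"] for e in events if e["success"] and e["user"] in departed})


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("possible shared credentials:", find_shared_credentials(evs))
    print("departed but still logging in:",
          find_unrevoked_accounts(evs, SAMPLE_ROSTER, date(2024, 6, 3)))
```

The host-count threshold and the window are tuning knobs; a workstation-on-wheels environment will need a higher `max_hosts` than an administrative office, and the roster check is only as good as the feed from HR, which is why the CPG ties revocation to the offboarding process rather than to a periodic audit.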
To narrow down the list even further, CISA’s top three recommendations for healthcare sector cybersecurity are: timely patching of critical vulnerabilities, strong multi-factor authentication, and phishing awareness training.
For healthcare institutions looking to strengthen security and unsure of where to begin (particularly those with budgetary or resource constraints), CISA’s three recommendations and the Essential CPGs are the place to start.
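“Timely patching of critical vulnerabilities” presupposes a way to decide which of hundreds of scanner findings to patch first when, as ARPA-H notes above, downtime for testing and patching is scarce. The following is an added example and not code from the original post, CISA or HHS: a small triage routine that ranks constructed findings by CVSS score, external exposure, presence in an exploited-vulnerabilities catalog, and clinical impact, and that assigns a compensating-control action rather than a patch to unsupported legacy devices. The finding ids, assets, weights and tier cut-offs are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    finding_id: str          # placeholder id, not a real CVE
    asset: str
    cvss: float              # base score, 0.0-10.0
    externally_facing: bool  # reachable from the internet
    known_exploited: bool    # listed in an exploited-vulnerabilities catalog
    patch_available: bool    # False for unsupported legacy systems
    clinical_impact: str     # "life-safety", "care-delivery" or "business"

# Assumed weights: a flaw on a life-safety device counts three times a business one.
IMPACT_WEIGHT = {"life-safety": 3.0, "care-delivery": 2.0, "business": 1.0}

def priority_score(f):
    """Higher is more urgent. Exposure and known exploitation add fixed bonuses,
    then clinical impact scales the result (weights are assumptions)."""
    score = f.cvss
    if f.externally_facing:
        score += 4.0
    if f.known_exploited:
        score += 5.0
    return round(score * IMPACT_WEIGHT[f.clinical_impact], 1)

def tier(f):
    """Map a finding to a remediation deadline bucket (cut-offs are assumptions)."""
    if f.externally_facing and (f.known_exploited or f.cvss >= 7.0):
        return "P1-immediate"
    if f.known_exploited or f.cvss >= 9.0:
        return "P2-this-week"
    if f.cvss >= 7.0:
        return "P3-this-month"
    return "P4-scheduled"

def action(f):
    """Patch when a fix exists; otherwise name the compensating control, since an
    unsupported device stays vulnerable and must be isolated instead."""
    if f.patch_available:
        return "patch"
    return "no vendor patch: segment, restrict access, monitor"

def remediation_plan(findings):
    """Return (id, asset, tier, score, action) tuples, most urgent first."""
    ordered = sorted(findings, key=lambda f: (-priority_score(f), f.finding_id))
    return [(f.finding_id, f.asset, tier(f), priority_score(f), action(f)) for f in ordered]

# Constructed findings for illustration only.
SAMPLE_FINDINGS = [
    Finding("VULN-PLACEHOLDER-1", "patient-portal-web", 9.8, True, True, True, "care-delivery"),
    Finding("VULN-PLACEHOLDER-2", "infusion-pump-gateway", 7.5, False, False, False, "life-safety"),
    Finding("VULN-PLACEHOLDER-3", "internal-hr-app", 5.3, False, False, True, "business"),
    Finding("VULN-PLACEHOLDER-4", "vpn-appliance", 8.1, True, False, True, "business"),
]

if __name__ == "__main__":
    for row in remediation_plan(SAMPLE_FINDINGS):
        print(row)
```

The point of the ordering is that the externally facing, actively exploited portal flaw outranks everything, while the unpatchable pump gateway still lands near the top of the list with a segmentation action instead of a patch, which is the practical answer to the legacy-system problem described earlier in the post.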
Information Sharing for Stronger Collective Defense within the Healthcare Sector
Finally, it’s important for healthcare institutions of all sizes to cultivate a culture of information sharing about cybercrime and leverage entities like ISACs and ISAOs for strengthening resilience and improved attack preparedness. This exchange should occur amongst themselves (within the healthcare sector), with private sector security entities, and with government agencies that can help coordinate a comprehensive response and provide other assistance.
Here’s why such collaboration is vital:
- Collective Defense: Healthcare organizations are often targeted by similar cyber threats. Sharing information about these threats, attack methods, and vulnerabilities allows them to learn from each other and implement preventative measures.
- Identifying Trends: By sharing details of cyberattacks, healthcare institutions can identify emerging trends and adapt their defenses accordingly. This allows the sector to stay ahead of evolving cyber threats.
- Improved Threat Intelligence: Shared information allows healthcare institutions and security experts to build a more comprehensive picture of the cyber threat landscape. This intelligence can be used to develop more effective detection and prevention strategies.
- Collaboration on Solutions: Sharing information fosters collaboration between healthcare institutions and security researchers. This collaboration can lead to the development of new security solutions specifically tailored to the needs of the healthcare sector.
- Benchmarking and Best Practices: Learning from the experiences of others is invaluable. Information sharing allows healthcare institutions to benchmark their own cybersecurity practices against those of others and identify areas for improvement.
- Improved Incident Response: Sharing information about cyberattacks can help healthcare institutions improve their incident response capabilities. By learning from the mistakes of others, they can develop more efficient and effective ways to respond to cyberattacks and minimize the damage.
Overall, information sharing creates a more informed healthcare sector, better equipped to defend itself against cyber threats. It allows institutions to leverage the collective knowledge and experience of the entire industry, ultimately leading to a more secure environment for patient data and healthcare operations.