In September 2020, cyberattackers achieved a grim milestone in history, being implicated for the first time in the death of a person because of a ransomware attack. A patient in Düsseldorf, Germany, was turned away from a hospital because its billing systems and network-connected medical devices were encrypted. She was diverted to a facility about an hour away, and the delay in treatment tragically cost her life.
This incident underscores some uncomfortable truths about healthcare systems.
- First, although major ransomware groups had publicly committed to a cease-fire in their campaign against healthcare providers during the COVID-19 pandemic, that goodwill from criminals has now ended. Headlines from the past 6 months clearly show that hospitals, skilled nursing facilities, and medical research labs are prioritized ransomware targets for cybercriminals.
- Second, the attackers in this incident were able to exploit a vulnerability that had been known since January 2020. Attackers are often able to exploit unpatched vulnerabilities in hospital systems. Because patches often break application dependencies between hospital administration software and medical devices, hospitals are frequently many months behind the curve when it comes to patching and vulnerability management.
- Third, ongoing ransomware campaigns against healthcare and life sciences institutions have the potential to put many more people at risk. For example, a recent ransomware attack against software vendor eResearch Technology had the side effect of delaying critical clinical trials for a coronavirus vaccine.
In other words, attacks against the healthcare vertical have so far only claimed a single life—but the death toll can unfortunately be expected to rise. The ways that healthcare providers, insurance companies, and pharmaceutical researchers try to protect themselves against attackers are not suited to take on the sophisticated nature of the threats they face. The data on breaches and system impact shows that current security approaches are not working, but what specifically is not working and, more importantly, how can it be fixed?
Mapping the Attack Surface in the Healthcare Space
Hospitals are unlike other organizations in many respects. First, they must be staffed and ready to provide emergency care at any time of day. This means that network outages are particularly troublesome and must be addressed quickly, otherwise the organization will be unable to accept new patients, retrieve patient records, administer proper dosages and treatments, etc.
This urgency in terms of network outages means two things: first, when ransomware attacks cause network outages, hospitals are that much more likely to pay the ransom to decrypt their data. (For example, in 2019, three hospitals in Alabama’s DCH healthcare system paid a ransom so they could offer continuity of services.)
Second, the drive to avoid network outages means that hospitals can be leery about patching their systems to keep them up to date since, as mentioned above, a patch or update that improves security also has the potential to disrupt critical functionality. As a result, over 60 percent of medical devices are exposed to some level of elevated cyber-risk.
Lastly, many hospitals are exploring new methods of providing healthcare as the pandemic continues—and these methods may open providers to new vectors of attack.
Beyond ransomware, other types of malware can also present significant threats to the security of hospitals and other organizations. Trojans can be used to steal patient data from hospitals or exfiltrate proprietary information from life sciences firms. Phishing emails and websites can trick hospital employees into installing malware on their endpoints via their browsers. Attacks like these have been used to steal hundreds of millions of patient records over the years.
Now, attackers are beginning to explore a new attack surface for hospitals—telemedicine. As many of us have discovered over the past year, doctors can use telehealth to conduct limited exams and consultations over a video link. Insecure videoconferencing applications are a target for attackers who can either eavesdrop on these sessions to steal detailed patient information, or use misconfigured videoconferencing applications to infect endpoints at healthcare organizations.
Telehealth applications aren’t just another attack surface—they’re also yet another application that overstretched hospital IT staff need to patch and maintain. Adding purpose-built solutions to protect these applications is an additional expense in terms of time and budget. This summarizes the entire struggle facing information security in a healthcare context—adding more applications to protect the enterprise detracts from administrators’ ability to operate them securely.
Regaining Equilibrium in the Healthcare IT Space
Hospitals need to defend against attacks from multiple angles—unpatched vulnerabilities, phishing emails and sites, and novel telehealth attacks. Meanwhile, hospitals don’t have enough resources to defend against these attacks using tools that are specifically designed to defend against them, such as advanced behavioral antivirus or adaptive email filters.
As a result, hospitals need to be able to defend themselves using just a small number of solutions that have a large umbrella and high effectiveness. Zero-Trust security solutions include software-defined perimeters to secure access to medical applications, browser isolation to deflect phishing attacks and drive-by downloads from malicious websites, and application isolation that cloaks applications to prevent hackers from doing reconnaissance and launching lateral movement attacks against them.
With just these three solutions, hospitals can prevent attackers from finding and exploiting vulnerabilities, prevent the delivery of ransomware and other malware via email and browsers, and defend remote patients. By narrowing down the number of solutions needed to defend the hospital environment, administrators won’t just prevent more cyberattacks—they’ll also have more time and budget to improve their environment, apply patches, and eliminate antiquated legacy technologies.
Gerry Grealish, Chief Marketing Officer at Ericom Software