The COVID-19 pandemic created a vastly different working paradigm in healthcare, with huge numbers of employees moving from the office environment to working from home.
This, in turn, opened up all sorts of new avenues for hackers to launch attacks against provider organizations and their vital health information and systems. At the same time, the sophistication of cyberattacks was continuing to increase.
Healthcare IT News interviewed Christophe Doré, cybersecurity manager at Capsule Technologies, a vendor of medical data technologies for healthcare organizations. He described the state of cybersecurity in healthcare during the pandemic, and what provider organizations should expect this year.
Q: Why, since the onset of the pandemic, has cyber criminality increased along with the sophistication of cyberattacks?
A: Hospitals transformed overnight in how they operated as a result of the pandemic. Many of them were unprepared for the vast numbers of employees working at home because this was a scenario nobody really anticipated. This created new opportunities for bad actors to penetrate hospital networks.
With respect to the other issue, the increase in sophistication of cyberattacks is not something I would ascribe specifically to COVID-19; rather, it’s been building over the last few years. Criminal organizations are better organized and have greater access to resources to invest in the tools to ply their trade. The dark web affords them a marketplace to select the components they need to be successful.
Their successes in previous nefarious attacks provide the financial resources to fuel the next ones. The increased efficiency of this black market is driving malicious business success, and various bad actors are not going it alone but working together like business partners, much as you would see in a legitimate business enterprise.
Furthermore, nation-states and their vast resources are ramping up the pressure. In the SolarWinds attack last fall, for example, Microsoft deduced that the attack required the mobilization of 1,000 developers to deliver the sophisticated and persistent attack that resulted.
Q: Should healthcare CIOs and CISOs in 2021 expect an increase in advanced persistent threats and targeted ransomware?
A: Of the many things we have learned from COVID-19, the importance of logistics to the supply chain is near the top from my perspective. The fact that many hospitals could not obtain masks and other personal protective equipment (PPE) early in the pandemic demonstrated the fragility of the entire supply chain. The supply chain has grown even more acute in the public mindset now that COVID-19 vaccines are available.
When we talk about ransomware, its goal is to injure an entire business operation, and an effective way to attack a business is via its supply chain, which is only as good as its weakest link. Every point in that supply chain depends on the point just before it. Criminal organizations or nation-states have tried to find the weakest element of a supply chain to attack and disrupt it. If they are successful, the chain breaks.
There has been an increase in advanced persistent threats because of the sheer money-making opportunities for bad actors. Plus, they’re getting more efficient and experienced at this technique.
Targeted ransomware has proven to be the most efficient way to monetize unauthorized access to business assets.
In the past, bad actors who stole data had to find a buyer on the dark web to get paid for it. Now, ransomware not only blocks the business assets, but cybercriminals also steal the data. Their immediate goal is not to sell it (although this remains a secondary option) but to threaten hospitals directly with exposure of that data. By pursuing this strategy, bad actors deal with a single entity – the hospital – in their schemes as they do not need to find a buyer for the stolen data.
Furthermore, they get their money more quickly, which again, they can reinvest sooner in their next attack. Healthcare organizations end up paying two-fold: to get their operations back online and to prevent their data from being exposed on the dark web. On top of this, because these funds fuel criminal organizations, hospitals also may be fined for having done business unwittingly with organizations on the government watch list.
Q: You say that to respond appropriately, hospitals need to deploy enterprise solutions in lieu of numerous local cybersecurity solutions. Why?
A: Driving efficiency and keeping things simple are key business goals. From an IT perspective, it’s better to employ an enterprise strategy for a network instead of a patchwork of firewalls and gateways. Criminal organizations often remind us through their actions that they just need to find one “crack” in a network foundation to reach important assets and propagate malware, for example – whereas a healthcare network needs to be secure and efficient everywhere.
The question for healthcare IT executives to ask themselves is, “How can we monitor and protect interior and exterior IT systems if they’re in a patchwork quilt?” It’s almost impossible. The SolarWinds example showed bad actors can stay under the radar for a long time. You do not want to make their lives easier by not being able to correlate unexpected behaviors from different parts of your network while they are exploring it, for instance.
Therefore, it is imperative to have a holistic approach, which is more efficient if the different areas of the network behave and report activity consistently – a reason why IT can’t monitor things effectively if those things are connected in a piecemeal way.
Another simple reason is: If you have a patchwork, or systems doing more or less the same things departmentally on your network, you actually increase the surface of attack, each solution introducing its own vulnerabilities to your infrastructure. Being consistent allows a better control of the third-party solution exposure risks.
At Capsule, we take this to heart. One of the reasons we are comprehensive in our medical device integration is to empower customers with a single solution to protect and monitor.
Q: You also say that hospitals need to segment information systems, limit gateways or even isolate them. Why do you advise this?
A: Here’s an example from outside healthcare. In 2014, cybercriminals breached the HVAC systems in each of Target’s stores. Target’s ATMs and credit card readers resided on the same network as the HVAC systems. The bad actors, in turn, injected their code on the point-of-sale devices in almost all of the more than 1,700 Target stores, and stole more than 40 million credit and debit card details from their magnetic stripes. They cloned the cards and made expensive purchases.
Of course, certain Target executives had to resign because there was no reason for HVAC systems and credit card readers to be on the same network – which was against the requirements of the Payment Card Industry Data Security Standard. Tens of millions of dollars were spent by Target in settlements and remediations.
The main question becomes, “Why make the life of a criminal organization that easy?” Segmentation makes sense where you have two digital assets that don’t need to talk to one another. Don’t make it easy for bad guys to jump from one to the other. Isolate important assets from other types of assets. If they do need to talk to each other, make certain they cross through a point that can be easily monitored and controlled.
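One way to check the segmentation principle described above in practice is to audit observed flow records against the intended segment plan: any cross-segment flow that does not pass through the single monitored gateway is a finding. This is an added example, not code from Capsule or the interview; the segment addresses, the gateway subnet and the flow records are constructed sample data.

```python
"""Audit flow records against a segmentation plan (constructed example)."""
import ipaddress

# Hypothetical addressing: HVAC and POS are separate segments and may only
# be reached via one monitored gateway segment, never directly.
SEGMENTS = {
    "HVAC": ipaddress.ip_network("10.0.10.0/24"),
    "POS": ipaddress.ip_network("10.0.20.0/24"),
    "CORP": ipaddress.ip_network("10.0.30.0/24"),
    "GATEWAY": ipaddress.ip_network("10.0.99.0/29"),
}
# Only CORP may originate traffic into the gateway; the gateway may only
# forward into POS or HVAC. Every other cross-segment flow is denied.
GATEWAY_INGRESS_FROM = {"CORP"}
GATEWAY_EGRESS_TO = {"POS", "HVAC"}

# Constructed NetFlow-like records: "src,dst,dport".
SAMPLE_FLOWS = """\
10.0.30.15,10.0.99.1,443
10.0.99.1,10.0.20.7,443
10.0.20.7,10.0.20.8,8080
10.0.10.4,10.0.20.7,445
10.0.10.4,10.0.99.1,443
192.168.5.9,10.0.20.7,22
"""

def segment_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((n for n, net in SEGMENTS.items() if addr in net), None)

def check_flow(src, dst):
    """Return None if the flow complies with the plan, else a reason string."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return "endpoint outside any planned segment"
    if s == d:
        return None  # intra-segment traffic is not the gateway's concern
    if d == "GATEWAY":
        return None if s in GATEWAY_INGRESS_FROM else f"{s} may not reach the gateway"
    if s == "GATEWAY":
        return None if d in GATEWAY_EGRESS_TO else f"gateway may not forward into {d}"
    return f"direct {s}->{d} flow bypasses the monitored gateway"

def audit(flow_text):
    """Return (src, dst, dport, reason) for every non-compliant flow record."""
    violations = []
    for line in filter(str.strip, flow_text.splitlines()):
        src, dst, dport = (f.strip() for f in line.split(","))
        reason = check_flow(src, dst)
        if reason:
            violations.append((src, dst, int(dport), reason))
    return violations

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print("VIOLATION %s -> %s:%d: %s" % v)
```

Run against real exporter data, the same check surfaces the "flat network" condition behind the Target example: lateral flows between segments that should have no path to each other.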