In New York state, the healthcare industry was the most targeted critical infrastructure sector in 2022 and attacks in the first half of 2023 have more than doubled. The HHS’ Office for Civil Rights reports that hacking incidents now account for 77% of all healthcare data breaches of 500 or more records nationwide and there has been a 278% increase in ransomware attacks in the past 4 years. So far in 2023, more than 102 million healthcare records have been breached.
These cyberattacks not only expose healthcare data and cost the healthcare industry billions, they also disrupt patient care. Ransomware attacks prevent access to critical systems such as electronic medical records and patients are often diverted to more distant facilities. Appointments are often canceled, and there are delays in diagnosis and treatment. Various studies have shown there is an increase in mortality rates and medical complications after a cyberattack.
Healthcare organizations are attractive targets for cyber threat actors as they are reliant on IT systems for ensuring patient safety and providing care and need constant access to medical records. They also store vast amounts of easily monetized data which can also be used as leverage for extortion. Healthcare organizations will always be attractive targets for cyber actors who see them as low-hanging fruit, as they have large attack surfaces, rely on outdated operating systems and software, and often lack the necessary investment in cybersecurity. More needs to be done to improve cybersecurity and make it harder for cyber actors to breach networks and gain access to critical IT systems and sensitive data.
This month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has offered guidance for organizations in the healthcare and public health sector (HPH) and has offered mitigation strategies for dealing with common threats to the sector. The guidance includes cybersecurity best practices that can be implemented to improve cybersecurity and ensure that common vulnerabilities and misconfigurations are addressed before they can be exploited by cyber actors.
CISA explains in its guidance – The Mitigation Guide: Healthcare and Public Health (HPH) Sector – that it has identified several vulnerabilities and weaknesses across the HPH sector that are commonly exploited to gain initial access to healthcare networks. By addressing these vulnerabilities, many cyberattacks can be thwarted.
- Web application vulnerabilities
- Encryption weaknesses
- Unsupported software
- Unsupported Windows operating systems (OS)
- Known exploited vulnerabilities (KEVs)
- Vulnerable services
The guidance includes three mitigation strategies for addressing these vulnerabilities. The first strategy concerns asset management and security. In order to address vulnerabilities, HPH sector organizations must have a complete inventory of all their assets. One of the most fundamental concepts in cybersecurity is that it is only possible to secure what you can see. The guidance provides recommendations on creating and maintaining a complete asset inventory and securing all identified assets.
The second mitigation strategy – identity management and device security – is concerned with improving security against the most common initial access vectors and covers email security and phishing prevention, access management and monitoring, password policies, and data protection practices. The third mitigation strategy covers vulnerability, patch, and configuration management, and describes the processes required for identifying vulnerabilities quickly, prioritizing them, and addressing them in a timely manner before they can be exploited by malicious actors. CISA also highlights the importance of implementing processes for configuration and change management, to ensure that common misconfigurations and default settings with weak security are identified and corrected.
Healthcare organizations now use many third-party technology products and cloud services, and vulnerabilities in these products are often exploited. Technology companies also have a role to play in cybersecurity and must ensure that their products are developed using secure-by-design principles, are secure in their default settings, and that cybersecurity protections are applied for the full lifespan of the products.