Expert Q&A: How Can Healthcare Prepare for Increasing Cyber Threats?
This Q&A was originally published in Healthcare Global. Interview conducted by Ella Thompson.
Ransomware attacks in healthcare increased by 328% in the first half of 2022, according to the HIPAA Journal. And the average cost of a breach in healthcare is $10.1m, compared with a cross-industry average of $4.35m, according to the IBM Cost of a Data Breach Report 2022.
The healthcare industry is a major target for cyberattacks – so how can organizations prepare?
We sat down with Trevor Dearing, Illumio's Industry Solutions Marketing Director, to discuss how healthcare organizations can be proactive against cyber threats.
Join Illumio at HIMSS 2023 in Chicago April 17-21 at booth 2678. Register today.
Why is the healthcare sector at the top of cyberattackers' target lists?
Healthcare is a prime target for cyberattacks because an attack can put the welfare – and even lives – of patients in jeopardy.
Cybercriminals will always target those that offer the greatest chance of reward. They know that healthcare providers cannot afford any downtime with patient safety on the line and are more likely to pay out and do so quickly. That’s why the sector has become a leading victim of ransomware attacks – particularly in the past few years.
But it’s not just ransomware attacks that organizations need to look out for. Healthcare providers hold large volumes of personal data about patients which is a commodity on dark web markets. This data fuels more targeted attacks, blackmail, and fraud.
The industry has also become a more attractive target thanks to the rise of connected medical devices which have expanded the attack surface. Economic instability and public spending pressures also mean that many healthcare providers lack the budget to match other sectors' more robust cyber strategies.
Exactly how do ransomware attacks unfold?
Most ransomware attacks follow a similar pattern. Ransomware actors gain initial access to an organization and hide inside networks (for up to months at a time) before striking. They will move stealthily across the organization’s network, gaining higher-level access privileges to access valuable files and mission-critical systems before deploying their ransomware, effectively locking down files and applications. Unless the organization can stop the spread, it will quickly find all activity grinding to a halt.
For healthcare providers, a worst-case scenario could be the disconnection of medical devices, such as sensors for monitoring patient vitals and automatically administering treatment. Or it could lock critical patient records and systems for managing appointments, effectively paralyzing the organization.
We are also seeing more attacks using a 'double extortion' tactic combining data encryption with exfiltration. The attacker will make copies of data and encrypt it, and then threaten to leak or sell confidential information even if the victim pays the ransom.
How can healthcare organizations stay safe from cyber threats?
Organizations need to stop investing so many resources into trying to prevent attacks from happening and invest instead in managing the impact. This means accepting that attacks will happen and mitigating the impact through breach containment.
One of the best security models for improving cyber resilience is Zero Trust. This strategy is based on the mantra of “never trust, always verify” which means no user is automatically trusted to access files and applications simply because they have the proper credentials.
Typically, Zero Trust consists of three pillars: Zero Trust Network Access (ZTNA), Zero Trust Data Security (ZTDS), and Zero Trust Segmentation (ZTS). The latter is critical for breach containment, dividing the network into multiple sealed sections, with Zero Trust principles governing movement between zones.
Research from Enterprise Strategy Group (ESG) found that organizations that have adopted Zero Trust strategies avert an average of five cyber disasters annually and save an average of $20 million in application downtime. And an attack emulation conducted by Bishop Fox found that Illumio ZTS can render attackers ineffective in less than 10 minutes, four times faster than endpoint detection and response (EDR) alone.
Why should the healthcare industry shift its mindset to working on isolating attacks, not preventing them?
We’ve seen a huge shift in attack motives in recent years, from a focus on stealing data to impacting availability. This means cybersecurity is no longer just a security issue; it is an operational issue with impacts including extended operational downtime, financial and reputational damages, and for healthcare, potential loss of life.
Attacks are now geared around causing maximum disruption with threat actors counting on being able to reach critical systems and data before defenses detect them. Attacks are also rising in numbers and cybercriminals are using increasingly sophisticated tactics to meet their aims. This means prevention alone is no longer a viable strategy.
No matter how well-secured the network may be, compromise is inevitable. This is what we call the "assume breach" mentality. This might seem like a very defeatist attitude for a security specialist to take; however, it is this mentality that will stop a breach from becoming a serious disaster. If organizations accept that an attacker will breach their defences, they can put in place measures to contain the threat and minimize the impact.
Tell us about the steps that any healthcare organizations, regardless of size and budget, can take to strengthen their security posture immediately.
The first step organizations should take is to map the communications of all systems. Once an attacker has infiltrated an organization, they will try to move to the highest value assets. This could be patient data or medical devices. Organizations need to identify which systems can communicate, and how, to inform which restrictions to put in place.
Next, organizations should use this knowledge to identify and quantify the risks faced by any asset or application. This can be based on the vulnerability of each system and the exposure it faces in connecting to other systems and devices.
The final step is to apply controls based on least privilege to govern and restrict access between resources. Stopping unauthorized communication enables an attack to be contained in a single location and prevents attackers from reaching critical assets and services. This approach is equally applicable for medical devices, data centers, the cloud, and endpoints.
Following these steps will make medical infrastructure breach tolerant and ensure organizations can maintain services even while under attack, without the need to shut down services or move patients.
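The three steps above (map communications, quantify exposure, apply least-privilege controls) carried through on a small constructed data set, as an added example that is not part of the original interview and not Illumio's own tooling. The asset names, ports, criticality weights, vulnerability flags and the approved-dependency list are all assumptions made for illustration; in practice the flow records would come from flow logs or agent telemetry and the approved list from application owners.

```python
"""Added example: map -> quantify -> restrict, then check what an attacker
holding one workstation can still reach once only approved flows are allowed.
All names, ports and weights below are constructed for illustration."""
from collections import defaultdict

# Constructed flow records (src, dst, dst_port) as observed on the network.
FLOWS = [
    ("ws-nurse-01", "ehr-web", 443),
    ("ws-nurse-02", "ehr-web", 443),
    ("ehr-web", "ehr-db", 5432),
    ("infusion-pump-7", "device-gw", 8883),
    ("device-gw", "ehr-db", 5432),
    ("ws-nurse-01", "infusion-pump-7", 22),  # unexpected: workstation -> pump
    ("ws-nurse-02", "ehr-db", 5432),         # unexpected: workstation -> DB direct
]

# Constructed inventory: criticality 1..5 and whether a known unpatched
# vulnerability is present on the asset.
ASSETS = {
    "ws-nurse-01": (1, False),
    "ws-nurse-02": (1, True),
    "ehr-web": (3, False),
    "ehr-db": (5, False),
    "device-gw": (4, False),
    "infusion-pump-7": (5, True),
}

# Constructed list of the dependencies application owners say they need.
# Any observed flow not listed here is denied (or investigated first).
APPROVED = {
    ("ws-nurse-01", "ehr-web", 443),
    ("ws-nurse-02", "ehr-web", 443),
    ("ehr-web", "ehr-db", 5432),
    ("infusion-pump-7", "device-gw", 8883),
    ("device-gw", "ehr-db", 5432),
}


def map_communications(flows):
    """Step 1: for each asset, the set of (peer, port) it accepts inbound."""
    inbound = defaultdict(set)
    for src, dst, port in flows:
        inbound[dst].add((src, port))
    return inbound


def exposure_scores(flows, assets):
    """Step 2: rank assets by criticality x (1 + distinct inbound peers),
    doubled when the asset carries a known vulnerability. Weights are assumed."""
    inbound = map_communications(flows)
    scores = {}
    for name, (criticality, vulnerable) in assets.items():
        peers = {src for src, _ in inbound.get(name, ())}
        scores[name] = criticality * (1 + len(peers)) * (2 if vulnerable else 1)
    return scores


def build_policy(flows, approved):
    """Step 3: least-privilege allowlist. Returns (allow_rules, denied_flows):
    observed flows that are also approved become allow rules; observed flows
    that are not approved are what enforcement will block."""
    observed = set(flows)
    return sorted(observed & approved), sorted(observed - approved)


def reachable_from(start, rules):
    """Which assets can an attacker holding `start` reach by hopping only
    over the given (src, dst, port) rules? Used to compare the observed
    network against the enforced allowlist."""
    graph = defaultdict(set)
    for src, dst, _ in rules:
        graph[src].add(dst)
    seen, stack = set(), [start]
    while stack:
        for nxt in graph[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


if __name__ == "__main__":
    for name, score in sorted(exposure_scores(FLOWS, ASSETS).items(),
                              key=lambda kv: -kv[1]):
        print(f"{name:18} exposure={score}")
    allow, denied = build_policy(FLOWS, APPROVED)
    print("deny:", denied)
    print("reachable from ws-nurse-01 today:", sorted(reachable_from("ws-nurse-01", FLOWS)))
    print("reachable under allowlist:        ", sorted(reachable_from("ws-nurse-01", allow)))
```

With the constructed data, the two highest-exposure assets are the database and the vulnerable infusion pump, the two observed-but-unapproved flows (workstation to pump on 22, workstation to database on 5432) are the ones the policy denies, and a compromised workstation that could previously reach the pump and the device gateway is left with the web tier only. The same loop, run against real flow data and a real dependency list, is the practical content of the three steps.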
Read more about how Illumio ZTS can help secure your healthcare organization.
Contact us today for a free demo and consultation.