By Jack Chapman, VP of Threat Intelligence, Egress Software
Regardless of where you are, local hospitals are a vital part of every community. More so than at any point in our lifetime, the past three years have tested these institutions. Thankfully, the widespread resilience of doctors, nurses, and staff has provided the rest of us with a benchmark for human capabilities and important glimmers of hope for the future.
But just as we have learned to live with one crisis, a new threat has presented itself.
Most hospitals operate from a complex technical ecosystem that supports important machinery alongside a range of legacy solutions. In order to operate, connect, and communicate, these ecosystems are increasingly reliant on WiFi.
Indeed, hospitals are a treasure trove of the Internet of Things (IoT), which is both a blessing and a curse. While there are significant technical benefits to the IoT approach, it must also be understood that these systems may be attracting unwanted attention.
The truth is that wireless networks are one of the biggest vulnerabilities in healthcare, and one that is regularly taken advantage of by cybercriminals. In most cases, hospitals are public places that readily allow anyone – including cybercriminals – to walk in, connect, and gain access to and compromise unsecured devices.
There’s an obvious irony that the same devices that save patient lives can also be the weak link for an entire hospital’s network. In the face of cyber threats, devices connected to wireless networks – like MRI machines – are necessary to a hospital’s capabilities. The idea of having them rendered unusable is not negotiable – or is it?
Knowing this, threat actors seek to gain access to hospital networks with the purpose of hijacking vital machines in order to hold them to ransom. Because healthcare technology is incredibly expensive, cybercriminals are counting on the added pressure to pay, since paying is often felt to be a cheaper and faster solution than replacing a machine. Despite this, decryption keys supplied by attackers only work around 20% of the time.
For cybercriminals, gaining control of these machines is just the beginning. It’s not just ransom payments that hackers are interested in – it’s also data. Once they’ve accessed a machine, they can access patient data stored on the device or move laterally through the network to access protected health information (PHI) on other systems.
So, in addition to holding devices ransom, gangs are increasingly using so-called double extortion schemes to turn up the pressure on victims by threatening to expose or sell this data. Some criminals go even further through a method of triple extortion that uses hacked patient data to turn the screws on hospitals and further increases the chance of being paid a ransom.
Three Steps Hospitals Can Take to Protect from Cyber Attacks
Teams responsible for the technical ecosystems operating within hospitals should be following these three steps.
- Understand Your Ecosystem
Healthcare organizations rely on a vast network of legacy and IoT devices to carry out day-to-day operations, which makes it incredibly difficult to protect without full visibility of its scope and assets.
As more connected devices are added to the network, it can be hard for healthcare Chief Information Security Officers (CISOs) – if the hospital employs one – to have full visibility of the devices in use, despite their best efforts.
Regardless of the makeup of the personnel, a hospital’s security teams must regularly carry out a full audit of all IoT devices to assess their level of risk to the organization. In addition, risk assessments must be performed, and any resulting actions taken, before new devices are connected to the network.
With a more comprehensive understanding of the landscape, healthcare CISOs and/or security teams can take important steps toward mitigating risks and identifying vulnerabilities.
- Segment Your Networks
Healthcare CISOs must adopt a strategy of segmentation and isolation of vulnerable devices – particularly those that don’t have endpoint security. If a device doesn’t require access to the internet in order to carry out its main function, then turn off its access. Build an allowlist to ensure devices can only connect to the networks and other devices that they need to, and isolate public networks from the rest of the network.
Doing this will enable security teams to prevent threat actors from gaining access via devices before they move laterally through the organization’s networks. However, it’s important to find a balance between effective segmentation and the smooth running of operations. To do this, ensure that devices and information are still accessible to those who need them.
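As an added illustration of steps one and two (this is example code, not code from the article or from Egress), the following Python checks a constructed device inventory and allowlist against a few constructed flow records, flagging uninventoried devices, clinical devices with internet egress, non-allowlisted device-to-device traffic, and public WiFi clients reaching a clinical segment. All addresses, device names, segment names and the flow records are assumptions made for the example.

```python
import ipaddress

# Constructed inventory (assumption: addresses and names are illustrative): each
# device's segment, whether it may reach the internet, and its internal allowlist.
INVENTORY = {
    "10.20.0.11": {"name": "mri-1", "segment": "imaging",
                   "internet": False, "allowed": {"10.30.0.5"}},   # PACS only
    "10.20.0.12": {"name": "infusion-pump-3", "segment": "clinical",
                   "internet": False, "allowed": {"10.30.0.9"}},   # pump server
    "10.40.0.1":  {"name": "guest-ap", "segment": "public",
                   "internet": True, "allowed": set()},
}
CLINICAL_SEGMENTS = {"imaging", "clinical"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # hospital address space
GUEST_NET = ipaddress.ip_network("10.40.0.0/24")       # public/guest WiFi range

# Constructed (src, dst) flow records, as a firewall or NetFlow export would give.
FLOWS = [
    ("10.20.0.11", "10.30.0.5"),    # MRI -> PACS: expected, allowlisted
    ("10.20.0.11", "203.0.113.7"),  # MRI -> internet: access should be off
    ("10.20.0.12", "10.20.0.11"),   # pump -> MRI: a lateral-movement path
    ("10.40.0.50", "10.20.0.12"),   # guest client -> pump: public not isolated
    ("10.20.0.99", "10.30.0.5"),    # address not in inventory: visibility gap
]

def segment_of(ip, inventory):
    """Segment of a known device; uninventoried guest-range hosts are public."""
    if ip in inventory:
        return inventory[ip]["segment"]
    return "public" if ipaddress.ip_address(ip) in GUEST_NET else None

def check_flows(flows, inventory=INVENTORY):
    """Return (finding, src, dst) tuples for flows that break the policy."""
    findings = []
    for src, dst in flows:
        src_seg = segment_of(src, inventory)
        if src not in inventory:
            if src_seg is None:
                findings.append(("unknown-device", src, dst))
            elif segment_of(dst, inventory) in CLINICAL_SEGMENTS:
                findings.append(("public-to-clinical", src, dst))
            continue
        dev = inventory[src]
        if ipaddress.ip_address(dst) not in INTERNAL_NET:
            if not dev["internet"]:
                findings.append(("internet-egress", src, dst))
        elif dst not in dev["allowed"]:
            findings.append(("not-allowlisted", src, dst))
    return findings
```

Run `check_flows(FLOWS)` against the constructed records and it reports four findings; an "unknown-device" finding is the audit gap from step one, the other three are segmentation failures from step two.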
- Patch, Validate, and Test!
Healthcare organizations are increasingly appealing targets for cybercriminals. Because of this, it’s a necessity that good security fundamentals are applied across not only technology but also people and processes throughout the organization.
These measures include patching, training, risk assessments, back-ups, disaster recovery, and prevention and protection software. However, often this is not enough.
Organizations have too often believed that they were properly protected when they were not. Because these organizations are often complex and evolving, it is also important to validate and test that the security that is in place achieves its objective.
About the Author
Jack Chapman is VP of Threat Intelligence at Egress Software. He is an experienced cybersecurity expert and serves as VP of Threat Intelligence at Egress, where he is tasked with deeply understanding the evolving cyber-threat landscape to remain one step ahead of cybercriminals. Leveraging these insights and his extensive R&D skillset, Jack oversees product development for Egress Defend, an inbound threat detection and prevention solution that mitigates all zero-day phishing attacks. Jack can be reached online at LinkedIn and at our company website https://www.egress.com/