Navigating the Constantly Evolving Cybersecurity Threat Landscape

With cyberattacks on health systems and medical practices omnipresent in the headlines, it can be tempting for overextended administrators and executives to reach a point in which the gravity of the situation feels overwhelming. The never-ending onslaught of breaches, malware attacks, ransomware, and data theft has left many administrators numb.

That is why it has never been more important for leaders to remain fully engaged in their practice’s cybersecurity efforts. Like a harbor pilot who knows the channel before them, repetition, practice, and commitment are required to safely navigate the troubled waters all organizations face—even if there is no guarantee of safe passage.

The Course Ahead is Hazardous

In its Healthcare Breach Report for July-December 2021, Critical Insight found that more than 45 million people were affected by healthcare breaches in 2021. The number of breaches from 2018 to 2021 skyrocketed 84%.¹

Attack patterns are also changing. In its annual Data Breach Investigation Report for 2022, researchers at Verizon counted 849 breaches at healthcare organizations last year, 571 of which included confirmed data disclosure.²

Verizon’s researchers went on to note that while internal threat actors historically featured prominently in most healthcare breaches, that too is changing. Basic web application attacks, miscellaneous errors, and system intrusion now represent 76% of breaches.² In the researchers’ words, “With the rise of the Basic Web Application Attacks pattern in this vertical, those insider actors no longer hold sway. Move over insiders, the big dogs are here.”²

Indeed, they are. On April 18, 2022, the US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center issued an analyst note warning of a financially motivated ransomware group “known to maintain sophisticated capabilities who have historically targeted healthcare organizations frequently.”³ The group, called Hive, even developed a new way of Internet protocol version 4 obfuscation that makes them “more stealthy” in the words of the department.

But the increasing number of attacks and the sophistication of attackers is not the only problem. Many of the pivotal trends associated with the digital-first transformation shaping healthcare expose more attack surfaces and opportunities for bad actors to inflict damage and make money.

The Hazards Are Not Isolated

Few industries reveal the transformative impact of technology like healthcare. From electronic health records to new imaging innovations and increasingly intelligent medical devices, today’s integrated systems have made healthcare organizations more efficient while dramatically impacting patient outcomes for the better. The applications and tools available to doctors and administrators today are game changers.

By default, greater usage of information technology (IT) also means that breaches and cyberattacks have the potential to create more damage. If proper cybersecurity protocols are not followed, more opportunities to compromise data and systems will arise. For this reason, several significant IT trends are worth exploring to determine the risk they pose to your organization:

• Remote access. In its Q1 2022 ransomware trends report, the HHS Cybersecurity Program Office of Information Security noted that the “COVID-19 pandemic drove organizations to accelerate adoption of remote access and cloud applications, often without implementing basic security features.”⁴ Given the unrelenting demands placed on providers, it absolutely warrants looking into whether your practice is using systems that were rushed into use. Business and care models that use remote, virtual, or hybrid technologies—particularly those that encompass the Internet of Things—require a comprehensive security framework.
• The cloud and software-as-a-service (SaaS). There is no denying the transformative power of the cloud and the SaaS it enables. Many healthcare use cases would not be possible without the computer power and storage capacity the cloud makes possible, accessible, and affordable. However, there are risks. The sometimes contradictory regulations covering personal data at the state and federal level include strict rules about where data resides and how it must be protected. All clouds and SaaS applications should be thoroughly vetted for their applicability to healthcare and include the most stringent security safeguards.
• Increased use of open-source software. The benefits of open source, including fast implementations and low cost, are extensive and why it can be found across the healthcare IT ecosystem today. Unfortunately, many open-source projects are led and maintained by small teams, often volunteers. Expecting them to guarantee the resilience of every line of code is unrealistic and unfair. In its 2021 “State of Software Security: Open Source Edition,” Veracode analyzed the open source libraries in 85,000 applications.⁵ The result? When first scanned, 71% of applications were found to have a security flaw in an open-source library.⁵
• Greater integration and APIs. The integration of healthcare systems is crucial as numerous systems must be connected through application programming interfaces (APIs). Unfortunately, APIs are often an open door for hackers. Over the past 6 months, API traffic increased 141%, and malicious traffic increased by 348%. It is crucial to know which APIs in your system are outdated and make sure features and security are updated.

Chart a Safe Course

There is no silver bullet to ensure cybersecurity. Only 2 things are certain: patient data is valuable and any organization that possesses it is a target. The more difficult you can make it for bad actors to compromise your systems, the more tempted they will be to look somewhere else. All practice leaders should keep several general recommendations in mind to ensure that their organization is as strong as possible.

Recommendations

• Implement a zero-trust architecture. Assume that no person, device, or application can be trusted. Consult your IT department.
• Make sure that IT is at the executive table. We all know that the ramifications of a cyberattack or breach can be devastating. Ransomware costs are exorbitant, entire systems can be forced to cease their operations—sometimes for weeks—and most importantly, patient care can be greatly diminished. It is imperative for IT leaders to be in constant dialogue with administrative and clinical leaders.
• Make sure that employees are trained and retrained on a regular basis. Ransomware remains the greatest threat to healthcare organizations and phishing attacks are the most common attack vector, due to their simplicity and effectiveness. It is important that all staff members be trained and continually reminded of the risks involved and best practices to reduce them. Human error remains a significant cause of failure.
• Move beyond HIPAA compliance. Consider HITRUST and other certifications to strengthen your defenses.
• Stay informed. While it can be tempting to shut down in the face of the barrage of IT security-related news and guidance, resist the temptation. Keeping abreast of new threats and attack techniques is crucial.
• Accept the need for constant improvement. Cybersecurity requires constant improvement in solutions and approaches. For example, artificial intelligence and machine learning systems are evolving and can be tricked into falsely categorizing malicious software as safe. Remember that with every innovation comes risks that must be mitigated.

Cybersecurity will continue to be a pivotal issue for medical groups and practices for the foreseeable future. The best defense begins with the acknowledgment that we all have a role to play in safeguarding our practices.

References

1. Critical Insight. Healthcare breach report July-Dec 2021. January 31, 2022. https://cybersecurity.criticalinsight.com/2021_H2_HealthcareDataBreachReport. Accessed July 31, 2022.
2. Verizon. 2022 data breach investigation report. www.verizon.com/business/resources/reports/2022/dbir/2022-data-breach-investigations-report-dbir.pdf. Accessed July 31, 2022.
3. US Department of Health and Human Services Health Sector Cybersecurity Coordination Center. HC3: analyst note. April 18, 2022. www.hhs.gov/sites/default/files/hive-ransomware-analyst-note-tlpwhite.pdf. Accessed July 31, 2022.
4. US Department of Health and Human Services Health Sector Cybersecurity Program. Ransomware trends in the HPH section (Q1 2022). May 5, 2022. www.hhs.gov/sites/default/files/ransomware-trends-q1-2022.pdf. Accessed July 31, 2022.
5. Veracode. State of software security: open source edition. www.veracode.com/sites/default/files/pdf/resources/reports/state-of-software-security-open-source-edition-veracode-report.pdf. Accessed July 31, 2022.