CSO
By Ladi Adefala | MARCH 06, 2018
Healthcare has become the second largest sector of the U.S. economy, accounting for 18% of gross domestic product (GDP) in 2017, and is rivaled only by the U.S. Federal Government’s 20% share of GDP in the same year. Not surprisingly, IT spending in healthcare is keeping pace, reaching $100 billion in 2017.
As healthcare sector technology spending grows, so does the sector’s cybersecurity attack surface. Healthcare networks not only include clinics and doctor’s offices, but things like Internet-based consulting with remote healthcare providers or patients, multi-cloud IaaS and SaaS environments, and connected medical devices both inside hospitals and deployed with patients. Increasingly, distributed healthcare organizations heavily rely on information sharing across disparate users and departments. Patients and guests demand instant access to medical information and scheduling. And it’s not showing any signs of slowing down. An increase in merger and acquisition (M&A) activity and a 26.2% compound annual growth rate for Internet of Medical Things (IoMT) devices exacerbate this problem.
Reasons Why Healthcare Is a Target of Cyber Attacks
All this adds up to an expanding attack surface that is increasingly difficult to address using traditional security devices and strategies. The challenge is that this is happening just as cybercriminals are redoubling their efforts to target the valuable data that healthcare networks contain. FortiGuard Labs recently assessed healthcare threats based on our threat telemetry data, and found healthcare organizations experience more than twice the number of attacks on average as compared to organizations in other vertical market categories. The cybersecurity maladies afflicting healthcare manifest themselves in several ways:
M&A Activity Creates Vulnerabilities. M&A activity in the healthcare sector is speeding up, and is expected to gain further momentum in 2018. IT integration challenges, including different medical technologies, combined with the need to share information between newly merged organizations, create new vulnerabilities. These have not gone unnoticed by cybercriminals seeking to access and exploit the data being shared.
Threat Volume. The proliferation of polymorphic attack vectors is afflicting healthcare at higher rates than other verticals. For example, FortiGuard Labs reports that in 2017 healthcare saw an average of almost 32,000 intrusion attacks per day per organization, compared to over 14,300 per organization in other industries. There are a number of factors behind this higher number:
- Cybersecurity maturity is still at an early state in healthcare
- Healthcare data tends to be richer in both volume and value than financial services or retail data
- Medical identity fraud usually takes longer to detect than other types of fraud
- Cybercriminals are becoming increasingly sophisticated in their attack approaches and use of malware
Threat Velocity and Variety. Rising attack volumes are partially driven by increasing threat velocity. In fact, according to Fortinet’s Q4 2017 Global Threat Landscape Report, organizations experienced a staggering 82% increase in attacks. And we are also seeing an increased focus on innovation, with the number of malware families increasing by an alarming 25% in Q4, and unique malware variants growing at 19%. This rapid development, combined with the increased propagation of new variants, is successfully catching organizations unprepared.
New Challenges Arising from IoMT. FortiGuard Labs also found that almost half of the top 10 threats were triggered by botnets, some of which leveraged compromised IoT devices. IoT exploits now comprise two of the top 10 application vulnerability exploits in healthcare. New attacks span malware families and swarm to target multiple attack vectors simultaneously, making them harder to combat. This trend towards multiple, simultaneous attacks is likely to spread to IoMT devices as well.
Encryption and the Need for Inspection. Healthcare is slightly ahead of the curve on encrypting communications. While this protects sensitive data moving across the network, it also increases the need to inspect encrypted data – both inbound and outbound – because cybercriminals are using encryption to hide malware and exploits as well as to mask stolen data being exfiltrated from the network. But inspecting encrypted traffic carries a high processing cost, and many firewalls suffer degraded performance as a result.
Steps Towards Treatment
To protect themselves from these cyber threats, healthcare organizations can take several courses of action. But a one-size-fits-all approach doesn’t apply to every healthcare organization. Rather, security requirements and implementations vary based on how the organization has deployed its technology resources, and what is considered critical to the business and patient care. Even so, there are some foundational activities that healthcare organizations can take to ensure they are protected:
- Practice Diligent Cyber Hygiene. Among other cyber hygiene best practices, healthcare organizations need to improve the speed and thoroughness of software patching and update processes. Where possible, organizations need to prioritize patching using threat intelligence and automation and institute cyber-awareness training programs to protect against social engineering and other attack vectors. This also needs to include keeping an inventory of all devices, especially IoMT, in order to track and cross-reference them against announced vulnerabilities and/or exploits.
- Reinforce Network Segmentation. With the proliferation of IoMT devices, which are often “headless” and cannot be updated to protect against new vulnerabilities and multi-vector attacks, organizations need to more strongly segment and even micro-segment their networks, applications, users, and data. This requires the kind of network segmentation where Next Generation Firewalls (NGFW) are not only placed to handle north-south segmentation, but to inspect traffic moving laterally across the network as well, between network zones, or across different domains such as cloud or remote offices. A segmented strategy enables organizations to institute checks and policies at various points of the network to control users, applications, and data flow. Network segmentation also gives organizations the ability to identify and isolate a threat before it spreads to additional segments of the network. These techniques help organizations stop or minimize intrusions, especially ransomware, before they have a broader impact.
- Achieve Transparent Visibility and Control. Due to the elasticity and complexity of today’s modern healthcare networks, the need for collaborative information sharing across internally and externally situated users and departments, and the number of regulatory requirements that need to be complied with, healthcare organizations must have transparent visibility across the entire attack surface, especially into the multi-cloud, to understand their threat posture and quickly respond to new vulnerabilities and attacks, while simultaneously demonstrating compliance. A fabric-based cybersecurity architecture breaks down network, data, application, and user silos, and enables security to adapt and respond as an integrated system to detected changes in the network or threat landscape.
- Use Advanced Threat Intelligence. The time available to organizations to patch vulnerabilities, identify threats, and remediate intrusions and breaches is shrinking. Traditional security approaches, such as signature-based detection, static, perimeter-based security, or isolated security devices, cannot keep pace with the speed and intensity of the current threats or even the rate of change occurring within the network itself. This is where advanced threat intelligence is a requisite. Threat intelligence can identify tactics and techniques being used to exploit vulnerabilities, and offer effective options for such things as prioritizing patching, accelerating remediation efforts, or broadening forensic analysis after a cyber event. Furthermore, rapidly advancing artificial intelligence and machine learning capabilities can self-detect anomalies and communicate information about them across all points of the network in real time, shrinking attack, intrusion, and breach windows.
Getting the Right Healthcare Cybersecurity Strategy in Place
Healthcare cybersecurity is a serious undertaking. Attacks can compromise not only networks and data, but also threaten those applications and services supporting critical patient care systems.