Cybersecurity in Healthcare - A Matter of Life and Death?
Nearly 10 years ago, I worked for a deception cybersecurity vendor, advocating the deployment of honeypots to act as the so-called canary in the coal mine: to detect indicators of attack and to harvest malware strains. These could then be dynamically analyzed to provide rich intelligence on the tactics and techniques that threat actor groups were using to attack organizations, including those in healthcare.
We undertook a study with several hospitals, deploying honeypots with the characteristics of medical devices to understand the extent to which such devices were under attack. The results were both enlightening and worrying. Attackers infected the medical device honeypots with malware and then moved laterally through hospital networks, probably with the objective of stealing confidential patient data or personally identifiable information. We termed this MEDJACK and released a report to warn the healthcare industry of the threat.
Given that we had emulated devices like blood gas analyzers, we speculated it was only a matter of time before a ransomware or malware incident caused an outage of critical care equipment, potentially resulting in loss of life. In 2020, an incident at a German hospital was widely reported after a ransomware attack led to the death of a critically ill patient. The investigation into charging the threat actor group over the death was dropped because of the patient's frailty, but the incident remains a powerful reminder of how critical system resilience is in healthcare. Cybersecurity in healthcare is truly a matter of life and death.
So, 10 years on from our MEDJACK report and four years on from that German hospital attack, the healthcare sector continues to be targeted. Recent incidents include ransomware attacks on NHS hospitals in London, a ransomware attack on NRS that hit the healthcare supply chain, and a data leak at Dumfries and Galloway Royal Infirmary. The issue is not confined to the UK: a hospital in Zagreb, Croatia, was also recently attacked.
This leads me to ask: why is the healthcare sector still so vulnerable to cyberattacks? Is it worse off, the same, or better than other sectors when it comes to the frequency and severity of attacks? Is the healthcare sector vulnerable due to:
The Verizon Data Breach Investigations Report 2024 highlights that the top three patterns for breaches in healthcare are Miscellaneous Errors, Privilege Misuse, and System Intrusion, together representing 83% of breaches involving personal data compromise. The Red Canary 2024 Threat Detection Report highlights PowerShell, cloud account access, and Windows command-line abuse as the most prevalent techniques observed in confirmed threats.
If most breaches have internal causes, are perimeter controls alone still good enough? Or are breaches inevitable, given human error, insider threats and the pressures healthcare providers are under? Is the real issue that there is simply not enough time to manage cybersecurity effectively?
Time is a challenge for everyone in cybersecurity. We need time to convince management of the need for investment, to hire and upskill professionals, to find vulnerabilities, to investigate anomalies, and to respond to incidents. The clock looms large in everything we do. Technology is therefore essential to reduce the time to detect and respond to potential issues, ultimately reducing the risk of a damaging cyberattack on a healthcare institution. People and processes are vital, but technology forms the foundation of cybersecurity in healthcare.
Log monitoring and SIEM are critical. DORA, NIS2, HIPAA, and the NHS England Data Security and Protection Toolkit 2023/24 all emphasize log management and SIEM for compliance and security. For example, DSPT Standard 4 Assertion 3 requires that staff activity on IT systems is monitored and recorded for security purposes, with logs retained long enough to support threat hunting, and Standard 4 Assertion 4 mandates a documented log retention policy.
At LogRhythm, we helped a UK healthcare organization adopt a cost-efficient security solution, enabling threat hunting and automatic detection without adding operational complexity. By monitoring key log sources such as firewall logs, EDR, Active Directory, and Windows servers, we detected and mitigated brute force and credential stuffing attacks. The system was operational in under a day, delivering immediate value.
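To make the brute force and credential stuffing detections concrete, here is an added example of the two sliding-window checks a SIEM rule typically encodes, run over Windows Security event 4625 (failed logon) records. This is my own illustration, not LogRhythm's product logic or any rule from the engagement above; the log lines, account names, source addresses and thresholds are all constructed for the example. Brute force is many failures for one source and one account in a short window; credential stuffing is one source failing against many distinct accounts, because the attacker is replaying leaked username/password pairs.

```python
"""Sliding-window detection of brute force and credential stuffing over
Windows Security event 4625 (failed logon) records.

Added example: the records below are constructed, not taken from any
real environment, and the thresholds are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one record per line:
#   <ISO timestamp> <EventID> <target account> <source IP>
# 203.0.113.7 hammers one account; 198.51.100.9 tries ten different
# accounts once each; 192.0.2.44 is a user mistyping a password twice.
SAMPLE_LOG = """\
2024-06-01T08:00:00 4625 j.smith 203.0.113.7
2024-06-01T08:00:02 4625 j.smith 203.0.113.7
2024-06-01T08:00:04 4625 j.smith 203.0.113.7
2024-06-01T08:00:06 4625 j.smith 203.0.113.7
2024-06-01T08:00:08 4625 j.smith 203.0.113.7
2024-06-01T08:00:10 4625 j.smith 203.0.113.7
2024-06-01T08:01:00 4625 a.jones 198.51.100.9
2024-06-01T08:01:01 4625 b.khan 198.51.100.9
2024-06-01T08:01:02 4625 c.lee 198.51.100.9
2024-06-01T08:01:03 4625 d.patel 198.51.100.9
2024-06-01T08:01:04 4625 e.wong 198.51.100.9
2024-06-01T08:01:05 4625 f.obi 198.51.100.9
2024-06-01T08:01:06 4625 g.rossi 198.51.100.9
2024-06-01T08:01:07 4625 h.muller 198.51.100.9
2024-06-01T08:01:08 4625 i.novak 198.51.100.9
2024-06-01T08:01:09 4625 k.svensson 198.51.100.9
2024-06-01T08:30:00 4625 r.davies 192.0.2.44
2024-06-01T09:30:00 4625 r.davies 192.0.2.44
"""

# Assumed thresholds; tune per estate (lockout policy, VPN concentrators,
# shared kiosks on wards will all shift what "normal" looks like).
BRUTE_FORCE_THRESHOLD = 5                 # failures per (source, account)
BRUTE_FORCE_WINDOW = timedelta(seconds=60)
STUFFING_THRESHOLD = 10                   # distinct accounts per source
STUFFING_WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the constructed format into (timestamp, account, source) tuples,
    keeping only event 4625 and sorting by time so the windows are monotonic."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src = line.split()
        if event_id != "4625":
            continue
        events.append((datetime.fromisoformat(ts), account, src))
    events.sort(key=lambda e: e[0])
    return events


def detect(events):
    """Return one alert per offending key, in the order the thresholds trip.

    brute_force alert:         ("brute_force", src, account, failures_in_window)
    credential_stuffing alert: ("credential_stuffing", src, distinct_accounts, failures_in_window)
    """
    alerts = []
    pair_hits = defaultdict(deque)   # (src, account) -> timestamps in window
    src_hits = defaultdict(deque)    # src -> (timestamp, account) in window
    flagged = set()                  # suppress repeat alerts for the same key

    for ts, account, src in events:
        # Brute force: same source, same account, too many failures too fast.
        q = pair_hits[(src, account)]
        q.append(ts)
        while q and ts - q[0] > BRUTE_FORCE_WINDOW:
            q.popleft()
        if len(q) >= BRUTE_FORCE_THRESHOLD and ("bf", src, account) not in flagged:
            flagged.add(("bf", src, account))
            alerts.append(("brute_force", src, account, len(q)))

        # Credential stuffing: same source spraying across many accounts.
        s = src_hits[src]
        s.append((ts, account))
        while s and ts - s[0][0] > STUFFING_WINDOW:
            s.popleft()
        distinct = {a for _, a in s}
        if len(distinct) >= STUFFING_THRESHOLD and ("cs", src) not in flagged:
            flagged.add(("cs", src))
            alerts.append(("credential_stuffing", src, len(distinct), len(s)))

    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Two caveats a practitioner would apply before shipping this as a rule. First, real 4625 records carry a sub-status that separates a wrong password (0xC000006A) from a non-existent user (0xC0000064); stuffing runs often trip the latter, so it is worth counting the two separately rather than lumping all failures together. Second, correlate with the next event 4624 (successful logon) from the same source: a success that follows a burst of failures is the alert that matters, because it means a leaked credential worked.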
The fundamentals of log management remain as sound today as they were 10 years ago. Machine learning can add context to anomalies, and generative AI promises to make security teams more efficient; however, the risk to healthcare organizations remains high as threat actors continue to evolve more sophisticated methods of attack. Ensuring robust cybersecurity in healthcare is not just a technical necessity but a crucial part of safeguarding patient lives and maintaining trust in today's healthcare systems.
Here are five further thoughts: