Cybersecurity Risks to the Healthcare Sector Continue to Evolve

My thanks to Liz Mann, EY Americas Life Sciences and Health Cybersecurity Leader, Geoff Fisher, Senior Manager, and Kevin Kirst, Senior Manager, Ernst & Young LLP.

Cyber criminals are opportunistically attacking healthcare networks under real or perceived pressure with a variety of direct and indirect attacks, including distributed denial of service (DDoS),[1] ransomware and patient health information (PHI) theft. These attacks are impacting healthcare providers of varying sizes and locations, including hospitals, clinical labs, health agencies, and COVID-19 vaccine test centers.[2]

The current paradigm shift to a mostly remote workforce across all industries poses a disturbing long-term risk. In the healthcare industry, technology and business leaders need to begin actively addressing these risks to protect the industry from harm while taking a long-term perspective to ensure this critical industry is resilient to information security threats.

Now: current cyber threats to healthcare industry

Cyber criminals are adapting operations to exploit widespread fear and uncertainty related to the COVID-19 pandemic.[3]

A large number of health institutions report an increase in network traffic as they continue to respond to the COVID-19 pandemic. Recently, the U.S. Department of Health and Human Services (HHS) experienced an attempted DDoS attack; because of its large, resilient infrastructure, the attack had minimal impact on the agency’s operations.[4] A DDoS attack of the same scale could severely impact a mid-sized hospital with weaker defensive capabilities, halting or diminishing its operations. The ramifications of such an attack during the current pandemic could be catastrophic.

Even though some prominent cybercrime groups have “promised” not to target healthcare entities,[5] ransomware attacks on hospitals and labs working on COVID-19 vaccines have continued.[6] These actors conduct widespread scans of the internet for vulnerable enterprise assets, such as unpatched Virtual Private Network (VPN) servers or assets with Remote Desktop Protocol (RDP) exposed. If found, the actors may use publicly available exploits or credentials from third-party leaks to gain access to the network, ultimately locating sensitive information, stealing it and then encrypting it with ransomware. This could prevent providers from accessing their patients’ medical histories and other critical information until the ransom is paid – or until the actors decide to punish the providers by publicly leaking the information.

Given the publicity around COVID-19, EY teams have observed increased interest in healthcare-nexus credentials. Multiple underground forum members have begun offering “healthcare cred bundles” for sale; although many of these are likely repackaged from prior third-party breaches, actors will likely incorporate these credential bundles into password-spraying and brute-forcing operations. Interest in healthcare credentials is expected to remain high, and these types of operations are expected to continue at high volume for the foreseeable future as the crisis continues to unfold.

Cyber criminals continue to launch online attacks – phishing for enterprise credentials, data-theft malware, and ransomware – that attempt to leverage COVID-19 pandemic fears.

Much like in other ongoing campaigns, credentials harvested during this period of increased activity may not be used for weeks or months before an attack on the organization is launched. As a result, technology leaders need to be ever vigilant in their efforts to educate and protect users and their enterprise credentials, both now and even more so in the future.

Next and beyond: future cyber threats

As many health systems have halted elective/non-essential surgeries to conserve capacity and supplies to treat COVID-19 patients, a significant number of health systems have lost or project to lose a large percentage of their annual revenues.[7]

The projected losses have resulted in temporary furloughs of many health system employees, pay cuts and adjustments of working hours. The sweeping pay cuts and furloughs across the health sector could result in disgruntled employees becoming insider threats that may compromise the confidentiality and integrity of sensitive health information.

Another potential area of concern is the prescription drug supply and the medical supply chain serving healthcare organizations. Experts are questioning whether the current supply of certain prescription drugs is adequate for the potential expansion of demand due to the COVID-19 pandemic.[8] The Federal Bureau of Investigation (FBI) is warning consumers and potential purchasers to be vigilant and on the lookout for fraudulent sales of personal protective equipment (PPE) and other medical supplies.[9] To enhance network and IT security, healthcare sector organizations can proactively review and implement the best practices in Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.[10]

Healthcare sector enterprises must employ multi-faceted risk mitigations

Organizations should take a multi-pronged approach to managing risks over the short and long term.

Recommendations and considerations:

Now:

·       Evaluate your enterprise remote connectivity and authentication capabilities (e.g. Remote Desktop, VPN, WebEx).

·       With increased threat actor activity, apply all available security updates to your VPN and firewall devices and configurations.

·       Encourage remote workers to update and patch their personal devices that share the same network with their enterprise assets.

·       Advise employees to control access to home Wi-Fi networks by using strong passwords and avoiding default factory passwords.

·       Review current email security controls in light of the current remote workforce posture.

·       Set group policies so that remotely deployed enterprise assets can access PHI without being able to save it locally, or ensure that local encryption is enabled first.

·       Provide official resources for pandemic-related information to avoid the spread of disinformation.

·       Establish formal and transparent channels for corporate messaging to highlight what the enterprise is doing to address this pandemic.

·       Assume each VPN connection (or reconnection) is potentially “compromised”, as users’ home networks (or those of their neighbors) could contain compromised personal devices.

Next:

·       Test your ability to recover from backups, and ensure your organization is backing up all the data it needs in a format that is accessible yet secure against both deliberate and inadvertent tampering or corruption.

·       Assess and implement new security analytics models to account for privileged activity and use of new administrative tools and services that could reveal threat actor activity within the network.

·       Review your external Incident Response (IR) provider and consider an additional external provider if a more appropriate response time is needed.

·       Process HR changes as quickly as possible and promptly reduce access for employees with status changes.

·       Create customized activity alerts for furloughed, pay-reduced and terminated employees; activity on these accounts could indicate insider activity or threat actors using compromised credentials.

·       For protection against DDoS attacks, consider using behavioral detection-based tools that learn normal users’ behavior, and block network traffic that does not conform to the normal behavior.
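The two detection items above (alerts on furloughed or terminated accounts, and analytics for the password-spraying that leaked “healthcare cred bundles” feed) can be expressed as a small correlation over authentication events. The following is an added example, not code from the article or from EY; the HR roster, the log format (`time source_ip user result`) and the spray thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed HR roster (assumed field names): account -> employment status.
HR_STATUS = {
    "jdoe": "active",
    "asmith": "furloughed",
    "bjones": "terminated",
    "clee": "active",
}

# Constructed VPN/RDP authentication log: "<time> <source_ip> <user> <result>".
AUTH_LOG = """\
2020-04-01T08:01:00Z 203.0.113.10 jdoe SUCCESS
2020-04-01T08:02:00Z 198.51.100.7 asmith SUCCESS
2020-04-01T08:03:00Z 198.51.100.9 bjones FAILURE
2020-04-01T08:03:30Z 198.51.100.9 bjones SUCCESS
2020-04-01T08:05:00Z 192.0.2.55 jdoe FAILURE
2020-04-01T08:05:01Z 192.0.2.55 asmith FAILURE
2020-04-01T08:05:02Z 192.0.2.55 bjones FAILURE
2020-04-01T08:05:03Z 192.0.2.55 clee FAILURE
"""

def parse_events(log):
    """Split each log line into a dict; unknown layouts raise rather than pass."""
    events = []
    for line in log.splitlines():
        ts, src, user, result = line.split()
        events.append({"ts": ts, "src": src, "user": user, "result": result})
    return events

def inactive_account_logins(events, hr_status):
    """Any attempt (success or failure) by an account that HR does not list as
    active is alert-worthy: a furloughed insider, or an attacker holding
    credentials that the status change should already have revoked.
    Accounts missing from the roster are treated as non-active on purpose."""
    return [e for e in events if hr_status.get(e["user"], "unknown") != "active"]

def password_spray_sources(events, min_accounts=3, max_per_account=2):
    """One source failing against many distinct accounts, only a few times
    each, is the spraying pattern driven by repackaged credential bundles."""
    failures = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAILURE":
            failures[e["src"]][e["user"]] += 1
    return sorted(
        src for src, per_user in failures.items()
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account
    )

if __name__ == "__main__":
    evts = parse_events(AUTH_LOG)
    print("non-active account activity:", [(e["ts"], e["user"]) for e in inactive_account_logins(evts, HR_STATUS)])
    print("possible password-spray sources:", password_spray_sources(evts))
```

In production the roster would come from the HR system feed and the events from the VPN or domain controller logs, but the two checks stay the same.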

[1] https://usa.kaspersky.com/resource-center/threats/ddos-attacks

[2] https://www.forbes.com/sites/daveywinder/2020/03/23/covid-19-vaccine-test-center-hit-by-cyber-attack-stolen-data-posted-online/#582a474c18e5

[3] https://cybersecurity.att.com/blogs/labs-research/a-surge-in-threat-activity-related-to-covid-19

[4] https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response

[5] https://www.forbes.com/sites/daveywinder/2020/03/19/coronavirus-pandemic-self-preservation-not-altruism-behind-no-more-healthcare-cyber-attacks-during-covid-19-crisis-promise/#2d30ced5252b

[6] https://www.cyberscoop.com/covid-19-ransomware-10x-genomics-data-breach/

[7] https://www.beckershospitalreview.com/finance/49-hospitals-furloughing-workers-in-response-to-covid-19.html

[8] https://abcnews.go.com/Politics/us-faces-shortage-drugs-treatments-coronavirus-fda/story?id=69925874

[9] https://www.fbi.gov/news/pressrel/press-releases/fbi-warns-health-care-professionals-of-increased-potential-for-fraudulent-sales-of-covid-19-related-medical-equipment

[10] https://healthsectorcouncil.org/hhs-and-hscc-release-voluntary-cybersecurity-practices-for-the-health-industry/
