The healthcare industry is under siege. Cyber attacks are exposing personal health data, ransomware is disrupting essential health services and shutting down emergency rooms, and fraudulent emails are defrauding partners, patients and staff.
Clinical staff, health consumers and business associates are all increasingly targeted due to the intrinsic value of healthcare records, as well as the susceptibility of the industry to malicious attacks. The industry’s complex, expansive supply chain provides gaping holes for criminals to use phishing emails to cause disruption and steal important data. Add to this the fact that techniques used by perpetrators today are more sophisticated than ever before, exploiting healthcare workers’ natural curiosity, acute time constraints and desire to serve, and you have a recipe for disaster.
Proofpoint’s 2018 Healthcare Threat Report revealed 40mn attacks against hospitals, clinics and health insurers in the third quarter of 2017 alone, illustrating the true extent of the threat facing the industry. Above all, an effective cybersecurity defence starts with a better understanding of the threats in today’s climate, and security teams as well as employees need to be as security savvy as possible. The age-old saying still holds true: an ounce of prevention is worth a pound of cure.
Rise of ransomware
Many healthcare organisations learned about ransomware the hard way during last year’s WannaCry attack, which hit 200,000 victims in over 99 countries. Given the devastation of the attack, it may come as little surprise that ransomware accelerated from 4mn attacks in the second quarter of 2017 to over 17kmn attacks one quarter later. This explosion in activity secured ransomware’s position as the biggest threat facing the industry by far in 2017.
Ransomware can infect entire systems with just one click on a malicious URL or a single download of a seemingly benign attachment, and it only takes one slip for an overstretched employee to turn a normal day into a crippling cybersecurity incident. Ransomware is particularly detrimental for healthcare organisations as it has an instantaneous effect, locking down vital systems required for patient care and operational continuity.
Unfortunately, the need to get back up and running quickly means that these organisations are far more susceptible to caving in to criminals’ demands for ransom, and making these payments can tax already tight budgets. Good preventative measures can help ensure that the situation never reaches this point.
Surge in spoofing
One of the most effective techniques in an attacker’s arsenal is the ability to disguise malicious emails, making them appear to come from a trusted source. Fraudulent emails use social engineering tactics to lure victims into wiring funds, sending sensitive data or divulging system credentials. These attacks are incredibly effective because they prey on people who are time poor and are trying to fulfil requests as quickly and efficiently as possible.
Proofpoint research highlights that a staggering one in five emails purporting to be from a healthcare organisation in 2017 was in fact fraudulent. Furthermore, of three billion emails observed to use the domain of a known healthcare brand, about 8.3% of these were in fact from sources that were either unauthorised or malicious. The ratio might seem small, but it amounts to 262mn malicious emails appearing to come from a trusted domain and requiring other indicators to raise a red flag. With healthcare staff rushed off their feet, their behaviour needs to be conditioned so they can identify phishing emails based on a range of factors (for example, by checking that URLs and attachments are legitimate, in addition to looking at the sender). Proper authentication, threat intelligence, and cybersecurity training tools can help prevent successful phishing attacks.
Prevention is better than cure
As we see time and time again, the human factor is the weakest security link within any organisation. Small or large, nearly every cyberattack starts the same way, by targeting a person, via an email. Turns out cybersecurity, like healthcare, is about people.
Healthcare organisations must prioritise improving their defences against modern threats and modifying their security controls to address how people work today. As such, when it comes to bolstering cybersecurity defences, organisations need to look at both technology and people to map out a multi-layer strategy and consider employees to be the last line of defence.
Incidentally, the healthcare industry has been relatively proactive in implementing security awareness training. In a recent survey of healthcare IT providers by HIMSS, 73.5% said they conduct security awareness training for end users. What’s troubling, however, is that half of these organisations rely on once-a-year training.
Considering the speed at which threats evolve, such infrequent training might be just enough to comply with regulatory requirements, but it fails to produce satisfactory knowledge retention. Continuous awareness training aimed at the most targeted people within an organisation needs to be prioritised.
In few other industries can cyber-attacks pose such a direct threat to life. Healthcare organisations have a duty of care, and we are in an age when a successful attack can take essential systems and services offline for hours, if not days or even weeks at a time. Part of the modern commitment to patient care is having a robust cybersecurity strategy in place in order to prevent these disruptions from taking place. Below are some key recommendations to consider:
Train your people to spot attacks that target them. Your security awareness training should include phishing simulations that use real-world tactics and allow you to identify the people and departments that are most at risk. In addition, staff members should be taught to recognise attacks across email, cloud apps, mobile apps and social media.
Get advanced threat analysis that learns and adapts to changing threats. Today’s fast-moving, people-centered attacks are immune to conventional signature- and reputation-based defences. Be sure you can adapt as quickly as attackers do.
Secure your email channel – cybercriminals’ attack vector of choice. Deploy email authentication protocols such as DMARC and lookalike domain defences. These technologies stop many attacks that use your trusted brand to trick employees, partners, vendors and customers.
Get visibility into the cloud apps, services and add-ons your employees use. Deploy tools to detect unsafe files and content, credential theft, data loss, third-party data access and abuse by cloud scripting apps.