The healthcare industry has a cybersecurity problem. In the first eight months of 2023 alone, 327 data breaches were reported and 40 million healthcare records were exposed. Those figures represented increases of 104% and 60% from the same period in 2022.
Cyberattacks don’t just harm an organization’s reputation and its patients; they also have a huge financial impact. The average cost of a healthcare data breach has risen to $11 million, money that most simply can’t afford.
Healthcare organizations must take their cybersecurity seriously, but it can be difficult to know where to start. That’s why we sat down with Jake Reynolds, Director of Offensive Security Services at All Covered — Konica Minolta's award-winning I.T. services division and a Premier cybersecurity partner — for expert insight into cyber threats, vulnerabilities, and what healthcare organizations should and shouldn’t do.
CNECT: What are the most prevalent cybersecurity threats today?
Jake Reynolds (JR): The most serious cybersecurity threats are, first and foremost, monetizable by attackers. The last 10 years of cryptocurrency innovations have enabled the relatively easy and safe monetization of ransomware infections. Ransoms up to the seven- and eight-figure range have been demanded and paid by victims.
Other serious goals with direct monetary consequences are whaling, or business email compromise, whereby an attacker convinces someone with significant purchasing authority at a target to wire or transfer monies. This can occur by performing enough open-source intelligence (OSINT) on an organization such that an attacker can spoof an email believable enough to be acted on by the victim. It’s even easier if an attacker can compromise credentials, or purchase them from another actor. This way an attacker can craft a more believable attack by sending completely valid emails, responding convincingly to any replies, and staying aware of victims’ calendars (vacations, time off, etc.).
Classic threats that simply aim at embarrassing or discrediting an organization by compromising their most sensitive data and publishing it are always a threat, too. The risk of this is enhanced by the sensitive nature of the personally identifiable information (PII) and the sheer volume of PII contained within targeted healthcare systems.
Avenues by which these goals are achieved are diverse. However, the most common attacks that help attackers manifest the goals above include social engineering, password spraying, misconfigurations, and vulnerabilities in cloud services, as well as classic server-side exploits — taking advantage of known or new vulnerabilities in exposed perimeter software such as web applications.
CNECT: Are there potential vulnerabilities and threats specific to healthcare organizations?
JR: Threats somewhat unique to healthcare organizations are, first and foremost, denials of service to life-critical software and systems, though this also applies to any system that could potentially affect human wellbeing, such as hydroelectric dams, nuclear weapons, emergency services, etc.
The fact that healthcare systems often have the requirement of mixing network access for sensitive systems with public physical premises is a unique challenge. What’s keeping a patient from unplugging an old infusion pump and connecting their laptop? Is every publicly accessible port on the premises secure? What’s stopping a nurse from configuring a device to join the insecure, patient wireless network? It might even be an easier task than configuring the secured wireless network.
Health systems often struggle to implement meaningful segmentation between internal services and patients, whether they know it or not. Very few organizations test this scenario meaningfully. Our experience simulating network threats from hospital patient rooms and finding direct access to domain controllers and internal systems has been illuminating to say the least.
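The patient-room scenario described above boils down to one question: from a jack or the guest wireless in a patient area, can a laptop complete a TCP handshake to the ports a domain controller listens on? The following is an added example (not code from the interview or from All Covered) of that check. The domain controller address 10.0.0.10 and the port list are assumptions for illustration; run it from the patient network and substitute your own addresses.

```python
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Ports a host on the patient network should never be able to reach on a domain
# controller. Assumed list for this example; tailor it to your environment.
DC_PORTS = {88: "kerberos", 135: "msrpc", 389: "ldap", 445: "smb", 636: "ldaps", 3389: "rdp"}


def tcp_connect(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a full TCP handshake to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def probe_segmentation(
    targets: Iterable[str],
    ports: Dict[int, str] = DC_PORTS,
    connect: Callable[[str, int], bool] = tcp_connect,
) -> Dict[str, List[int]]:
    """Map each target to the DC ports that accepted a connection.

    An empty list means segmentation held for that host. `connect` is injectable
    so the logic can be exercised without a live network.
    """
    return {host: [p for p in ports if connect(host, p)] for host in targets}


def summarize(reachable: Dict[str, List[int]], ports: Dict[int, str] = DC_PORTS) -> List[str]:
    """Turn probe results into one FAIL/OK line per host for the report."""
    lines = []
    for host, open_ports in reachable.items():
        if open_ports:
            names = ", ".join(f"{p}/{ports[p]}" for p in open_ports)
            lines.append(f"FAIL {host}: reachable from patient network on {names}")
        else:
            lines.append(f"OK   {host}: no DC ports reachable")
    return lines


if __name__ == "__main__":
    # Assumed DC address for illustration; pass real targets on the command line.
    hosts = sys.argv[1:] or ["10.0.0.10"]
    for line in summarize(probe_segmentation(hosts)):
        print(line)
```

A connect scan from the patient VLAN is deliberately noisy and simple: the point is not stealth but evidence. If any line reads FAIL, the ACL or VLAN boundary between patient space and the server network does not exist in practice, whatever the diagram says.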
CNECT: How can healthcare organizations secure their network infrastructure and prevent unauthorized access to sensitive patient information?
JR: Healthcare organizations are still not achieving cybersecurity basics. I’m talking about simple things we talked about in the ‘90s, before we quickly abandoned them for technologies with much more alluring vernacular, such as zero-trust security and DevSecOps. Simply put, we’re still bad at the basics:
- Principle of least privilege.
- Regular and meaningful penetration tests.
- Fully baked inventories of externally exposed systems/services.
- Vulnerability management programs fully backed by leadership.
- Network segmentation of users and services.
- MFA deployed everywhere with no holes.
- Reduction of attack surface by decommissioning old systems and software.
If you think your organization has done all of this, I can probably poke some holes in your mindset. If I’m wrong, then your organization is certainly poised to defend itself from attack to a much greater degree than most I’ve encountered.
CNECT: How frequently should organizations conduct cybersecurity audits?
JR: Any audit is a process, not a one-time event. Frequency depends on your goals for testing. If you just want to check a box, you’re essentially unconcerned with risk and a bare minimum testing frequency is fine. If you want proper due diligence, to verify that the systems and services you host are secure, then it’s more complicated.
For penetration testing, it’s common to test networks and applications once a year, or when significant changes are made to infrastructure or code. The results of your audits should also dictate their frequency. For instance, if you conduct an external penetration test and the tester is able to breach your perimeter and demonstrate significant compromise, your next test should probably be relatively soon. If the results of your test are not significant, then maybe your perimeter security posture is not as much of a concern. This also assumes you trust your penetration testing provider to be efficacious in their testing, which is a different can of worms.
CNECT: How can organizations educate their staff about cybersecurity best practices and create a culture of security awareness?
JR: You’re likely already educating your staff about cybersecurity best practices. Education has limits and some individuals are not swayed by appealing to security or simply don’t understand the risk. We’ve found making security slightly personal brings better results.
For instance, if you tell your employees, “always set secure passwords; avoid predictable passwords like Hospital123! and Summer2023$,” some will abide by this, but you will inevitably get users setting exactly the passwords you warned them about. They will do this forever until they are confronted about it.
However, let’s say an organization follows up on this education by performing an Active Directory password security audit. They dump domain password hashes, crack them, and analyze them, or pay a consultant to do so. The organization then communicates to everyone with the worst, predictable, known-weak passwords. The organization explains to these problematic users that their passwords are unacceptably weak and asks them to change them. We have found that this type of activity makes individuals much more accountable to an organization’s security goals.
This works across the board. For example, you send your developers to secure software development lifecycle (SDLC) and secure coding classes. Rather than leave it at that, you also mandatorily penetration test any custom-developed, externally exposed applications. When the penetration test identifies SQL injection and dumps all PII records from an application’s database, it’s apparent to the development team, who wrote the insecure code, that they need to do better about applying the lessons learned from SDLC.
It’s not at all a witch hunt, and it’s not about being punitive; it’s about cementing the education you provide your employees by making its importance known in a practical sense.
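The password audit described in that answer (dump the domain hashes, crack them, analyze them) can be demonstrated end to end without any third-party tooling. What follows is an added example, not code from the interview or from All Covered: it implements MD4 in pure Python (so it does not depend on OpenSSL's legacy provider), derives NT hashes from the predictable patterns users are warned about, matches them against a dump, and also flags blank passwords and password reuse across accounts. The dump lines are constructed sample data in the common `domain\user:rid:lmhash:nthash:::` layout; the account names, the word list and the "strong" placeholder hash are assumptions for illustration.

```python
import struct
from itertools import product
from typing import Dict, Iterable, List

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): pad, then three 16-step rounds per 64-byte block."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    f = lambda x, y, z: (x & y) | (~x & z)            # round 1 function
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)   # round 2 function
    h = lambda x, y, z: x ^ y ^ z                     # round 3 function
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):
            a = _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            k = (i % 4) * 4 + i // 4  # word order 0,4,8,12,1,5,9,13,...
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + h(b, c, d) + x[r3_order[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash as stored in NTDS.DIT: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_NT = nt_hash("")  # an account whose NT hash equals this has a blank password


def parse_dump(text: str) -> Dict[str, str]:
    """Parse 'domain\\user:rid:lmhash:nthash:::' lines into {user: nthash}."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[3]:
            accounts[parts[0]] = parts[3].lower()
    return accounts


def predictable_candidates(words: Iterable[str], years: Iterable[int]) -> List[str]:
    """Generate the 'Word + optional year + suffix' patterns users are warned about."""
    suffixes = ("", "!", "$", "123", "123!", "1!")
    out = []
    for word, year, suffix in product(words, [""] + [str(y) for y in years], suffixes):
        out.append(f"{word}{year}{suffix}")
        out.append(f"{word.capitalize()}{year}{suffix}")
    return out


def audit(accounts: Dict[str, str], candidates: Iterable[str]) -> Dict[str, object]:
    """Hash each candidate once, match against every account, flag blanks and reuse."""
    lookup = {nt_hash(p): p for p in candidates}
    cracked = {u: lookup[h] for u, h in accounts.items() if h in lookup}
    empty = [u for u, h in accounts.items() if h == EMPTY_NT]
    by_hash: Dict[str, List[str]] = {}
    for u, h in accounts.items():
        by_hash.setdefault(h, []).append(u)
    reused = [users for users in by_hash.values() if len(users) > 1]
    uncracked = [u for u in accounts if u not in cracked and u not in empty]
    return {"cracked": cracked, "empty": empty, "reused": reused, "uncracked": uncracked}


def sample_dump() -> str:
    """Constructed sample dump (not real data); weak hashes are generated from sample passwords."""
    strong = "9f3c1a8e7b2d4c6a5e8f0b1d2c3a4e5f"  # placeholder for an uncrackable password (assumed)
    rows = [("CLINIC\\alice", nt_hash("Hospital123!")), ("CLINIC\\bob", nt_hash("Summer2023$")),
            ("CLINIC\\carol", nt_hash("Summer2023$")), ("CLINIC\\dave", strong),
            ("CLINIC\\svc_legacy", EMPTY_NT)]
    blank_lm = "aad3b435b51404eeaad3b435b51404ee"
    return "\n".join(f"{u}:{1000 + i}:{blank_lm}:{h}:::" for i, (u, h) in enumerate(rows))


if __name__ == "__main__":
    words = ["hospital", "summer", "winter", "welcome", "password"]  # assumed site-specific list
    report = audit(parse_dump(sample_dump()), predictable_candidates(words, range(2022, 2025)))
    for user, pw in report["cracked"].items():
        print(f"WEAK    {user}: '{pw}'")
    for user in report["empty"]:
        print(f"EMPTY   {user}: blank password")
    for group in report["reused"]:
        print(f"REUSED  {', '.join(group)} share one password")
```

The word list is the part worth effort: seed it with the organization's name, local sports teams, the names of wards and buildings, and the seasons, because those are exactly the passwords the training warned against. The reuse check matters independently of cracking; two accounts sharing a hash is a finding even when neither password is recovered, since compromising one yields the other.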
CNECT: What common mistakes do organizations make when setting up their own cybersecurity measures or training, rather than working with experts?
JR: The number-one mistake healthcare organizations make is excluding sensitive areas from penetration testing. It’s very common to have “no-go” address space during such penetration tests. The idea is that any disruption to certain areas of the network may affect patient health.
However, this is never an excuse to completely avoid testing an environment. In fact, it’s logical that the opposite is true. A real attacker will not avoid certain areas of your network unless it suits them. They will think nothing of holding life-critical services for ransom. Just because an organization ignores it does not make the risk go away.
It may be that the organization needs to dedicate much more time and budget to doing the test correctly. It may require building out test or staging environments that contain the same systems, services, and configurations, and then testing this environment.
CNECT: What are the potential future cybersecurity challenges and risks organizations must be prepared for?
JR: I could try and predict the specific future threat trends and encourage healthcare organizations to continue to play information security (InfoSec) whack-a-mole; I could envision some buzzword-laden threat and do everything I can to scare everyone; but I’d like to stick with what we know.
With offensive security, what was difficult yesterday becomes easy today. What took a large degree of skill previously can be accomplished by anyone with a heartbeat now. What used to take a team is now individually achievable. This is the way we need to think about threats. AI, social media, modern cloud technologies, and better software repositories than we’ve ever had access to are simply going to exaggerate this property.
CNECT: What is the best way to stay updated on the latest cybersecurity threats and trends, especially those relevant to the healthcare sector?
JR: X, formerly known as Twitter, continues to be one of the best ways to aggregate any news, and cybersecurity trends are no different. There are many X accounts that focus on healthcare-specific cybersecurity topics.
All Covered is a leading nationwide I.T. services company and trusted Premier partner (contract number PP-IT-296). As a managed service provider, they deliver many end-to-end I.T. services to CNECT members, including expert cybersecurity consultancy and support.
If your organization’s cyber defense is weak, you’re vulnerable to an attack. Contact your CNECT representative now to connect with All Covered and protect your organization against costly breaches.