Securing healthcare: An IT health check on the state of the sector

Even prior to Russia’s invasion of Ukraine, there was considerable fear that military escalation would bleed (further) into cyberspace and be followed by a rash of impactful digital assaults with international implications. Organizations worldwide have, therefore, been urged to batten down the cybersecurity hatches and prepare for and respond to highly disruptive cyberattacks, whether intentional or accidental.

One sector where the stakes couldn’t be higher is healthcare. Digital threats facing the sector and, indeed, the critical infrastructure as a whole have been escalating for years, and the Russian invasion of Ukraine has further increased the threat level. In response, the US Department of Health and Human Services, for example, has issued an alert for the sector, singling out HermeticWiper, a new data wiper discovered by ESET researchers, as an example of an acute risk.

Obviously, hospitals and other healthcare providers in Europe should also be aware of the risks, having been an increasingly popular target for bad actors in recent years. EU cybersecurity agency ENISA reported a few months ago that attacks on the sector rose by almost 50% year-on-year in 2020.

There’s far more than just money at stake: a 2019 study claimed that even data breaches can increase the 30-day mortality rate for heart attack victims. Indeed, while a now-infamous ransomware incident in Germany is not thought to have directly caused the death of a patient, it was one of the potent harbingers of the potential real-world impact of virtual attacks, when life-saving systems are taken offline.

As European healthcare organizations (HCOs) continue to digitalize in response to the pressures of COVID-19, an increasingly remote workforce and an ageing population, these risks will only grow. But by building cyber-resilience through improved IT hygiene and other best practices, and enhancing incident detection and response, there is a way forward for the sector.

Why healthcare is exposed to cyberattacks

The healthcare sector represents a major segment of critical national infrastructure (CNI) across Europe. According to the most recent estimates it employs nearly 15 million people, or 7% of the working population. Healthcare is also unique in the breadth of challenges it faces, making it arguably more exposed to cyber-threats than other sectors. These include:

• IT skills shortages, which are industry wide, but HCOs often can’t compete with the higher salaries offered in other sectors.
• COVID-19, which has put unprecedented pressure on staff, including IT security teams.
• Remote working, which can open HCOs up to risks presented by distracted workers, unsecured endpoints and vulnerable/misconfigured remote access infrastructure.
• Old IT infrastructure
• Vast amounts of personal data and a high burden to meet regulatory demands.
• Tool sprawl, which can overwhelm threat response teams with alerts.
• Cloud adoption, which may increase the attack surface. Many HCOs don’t have the in-house skills to securely manage and configure these environments and/or misunderstand their shared responsibility for security.
• Complexity of IT systems adopted over a long period of time.
• Connected devices, which include many legacy operational technology (OT) devices in hospitals, such as MRI scanners and X-ray machines. With connectivity comes the risk of remote attacks, and many such devices are too mission critical to take offline to patch, or else are past their support deadline.
• IoT devices, which are increasingly popular for things like dispensing medication and monitoring patients’ vital signs. Many are left unpatched and protected with only their factory default passwords, leaving them exposed to attacks.
• Professional cybercriminals who increasingly see HCOs as an easy target, as they struggle with high patient numbers from COVID-19. Patient data, which can include highly sensitive information and financial details, is a lucrative commodity on the cybercrime underground. And ransomware is more likely to force a payment as hospitals can’t afford to be offline for long. Research hospitals may also store highly sensitive IP on forthcoming treatments.

Real-world attacks and lessons learned

Over the years, we’ve seen multiple serious attacks on HCOs, which offer opportunities for the sector to learn and improve resilience going forward. These include:

The UK’s National Health Service (NHS) was hit badly by the WannaCry ransomware worm in 2017 after HCOs failed to patch a Windows vulnerability promptly. An estimated 19,000 appointments and operations were cancelled. This ended up costing the health service £92m in IT overtime (£72m) and lost output (£19m).

Ireland’s Health Service Executive (HSE) was struck in 2021 by the Conti ransomware group, after an employee opened a booby-trapped Excel document in a phishing email. The attackers were able to go undetected for over eight weeks until they deployed the ransomware. Among the lessons learned were:

• AV software set to “monitor” mode, meaning it didn’t block malicious files
• Failure to act swiftly after detection of malicious activity on a Microsoft Windows Domain Controller
• AV software failed to quarantine malicious files after detecting Cobalt Strike, a tool commonly used by ransomware groups
• HSE’s security operations (SecOps) team advised a server restart when contacted about widespread threat events at multiple hospitals

Ransomware attacks on French hospitals at Dax and Villefranche-sur-Saone forced patients to be diverted to other facilities at the height of the COVID-19 crisis. Phone and IT systems were forced offline, with clinicians using pen and paper for record keeping. Unusually, French security agency ANSSI linked the attacks to Russian intelligence, which may be a sign of increased cross-over of tooling and techniques between the cybercrime underground and state actors.

Building cyber-resilience into healthcare

In the face of mounting pressure, HCOs must find a way to mitigate cyber-risk more effectively in a way which doesn’t break the bank or impact the productivity of hard-working staff. The good news is that many of the best practice steps which can build resilience across other CNI sectors will work here. These include:

• Gain visibility of the attack surface, including all IT assets, their patch status and configuration. A regularly updated CMDB is useful here to catalogue inventory.
• Ensure these assets are correctly configured and patched via continuous risk-based patch management programs.
• Understand the impact of supply chain risk through regular audits and monitoring.
• Build a strong first line of defense against phishing with improved user awareness training.
• Address identity and access management with multi-factor authentication (MFA) everywhere and a least privilege approach to access.
• Consider building on the above with a Zero Trust approach.
• Collect and analyze telemetry from security tools across the environment for rapid incident detection and response.

European HCOs have compliance obligations not only to the EU Network and Information Security directive (NIS) for continuity of service, but also the GDPR (for data protection), as well as any local laws and regulations. ENISA wants to see dedicated healthcare Computer Security Incident Response Teams (CSIRTs) in each member state. But in the meantime, HCOs must strike out on their own. Without a secure IT foundation to build on, the region’s healthcare provision will always be at the mercy of malign forces.