Industry Insights with Dave Bailey, Vice President of Consulting Services, Clearwater

Governance & Risk Management , Healthcare , Healthcare Information Exchange (HIE)

Understanding Your Adversary

What Health System Leaders Need to Know About Cyberattackers and Risk Drivers
Understanding Your Adversary

Though healthcare organizations once approached risks within clinical environments and cyber risks as if they were isolated, we've learned too much about the connection between cybersecurity and patient safety to continue this way.

See Also: eBook: Secure Remote Access Simplified

Today, many organizations are managing cyber risk as a business issue, focusing on system availability, care delivery and patient safety. Resilience, not just compliance, is becoming healthcare’s primary goal in managing cyber risk.

Know Your Adversary

Moving to a more resilient state requires continuous cyber risk management, which also requires knowing your adversary. It's important to understand how an adversary thinks and how they attack to ensure that the appropriate safeguards are in place, starting with the following:

  • The human being is still a primary target, and phishing attacks are still the primary vector. According to a report published by KnowBe4 analyzing how prone employees in organizations across 19 different industries are to clicking on malicious links in phishing emails, healthcare and pharmaceuticals ranked number two across medium-sized organizations, with a 36.6 Phish-prone Percentage. Across all industries, nearly 1 in 3 employees will click a link in a phishing email.
  • Cyberattackers primarily steal credentials and APIs to compromise cloud services, according to Google Cloud's Threat Horizons Report. In a cloud service, what's key is who has access and how the applications and data interact, which is why credentials and APIs continue to be the top vectors in cloud environments.
  • Adversaries operate sophisticated enterprises. Ransomware is a lucrative business; some cyberattackers offer their services to other threat actors in what is known as ransomware as a service. Attackers scale by sharing tactics, tools and techniques, and profit sharing between parties makes the arrangement lucrative for both.
  • Threat actors are skilled at moving laterally through your network undetected. The longer an attacker can stay hidden, the more credentials they can steal, the more data they can encrypt and the more damage they can do.

Key Drivers of Healthcare Risk

How you prepare for a cyberattack today will determine how effectively you mitigate a future attack and minimize the impact on your organization. That preparation includes understanding the key drivers of healthcare risk. While each organization has its own risk factors, some commonalities exist across the industry.

Below are the top five risk drivers by asset, component and program levels. The data is sourced from Clearwater's Security Operations Center, IRM|Analysis software and aggregated Clearwater analyses.

Asset-Level Risk Drivers

  • Inadequate safeguards to protect user identities, including multifactor authentication and single sign-on;
  • Lack of formal and continuous user activity review;
  • System logging that is not formally aggregated or integrated into continuous monitoring;
  • Weak password controls;
  • Lack of user protections such as preventing simultaneous user logins or addressing failed login attempts.

Component-Level Risk Drivers

  • MFA fatigue: As organizations expand MFA, they are trying to make it easier on the end user and are inadvertently making it easier for end users to approve access that's not theirs.
  • Native cloud logging: Organizations trust that default logging in cloud services is adequate, not realizing it may be limited in scope, duration and content to understand better what occurred.
  • Unpatched, legacy or unsupported systems: Organizational side effects of ineffective vulnerability management programs and lack of system development lifecycle.
  • Inconsistent controls implemented: Organizations apply different security controls for production, corporate and development environments, creating gaps in visibility and protection.
  • Incomplete or outdated awareness training: Modern threat tactics are changing, and an organization's awareness program must reflect this.

Program-Level Risk Drivers

  • Unpatched, legacy or unsupported systems;
  • Lack of system hardening and configuration management;
  • Lack of network segmentation;
  • Poor user management practices for domain, local admin, and business applications;
  • Missing business impact analysis or critical functions.

Decreasing Cyber Risk

Threat actors are educated about healthcare organizations' security weaknesses, and they're actively trying to exploit them. Here are six recommendations to decrease risk and shore up your defenses:

  1. Perform ongoing risk analysis of all information systems at the asset level .
  2. Consider following SP 800-37 when implementing new systems.
  3. Move from quarterly scans to ongoing scanning and remediation.
  4. Conduct more sophisticated penetration testing, such as red teaming.
  5. Conduct a security controls validation assessment to test your defenses.
  6. Tier your third-party vendors based on risk to patient safety.

About the Author

Dave Bailey, Vice President of Consulting Services, Clearwater

Dave Bailey, Vice President of Consulting Services, Clearwater

Vice President of Consulting Services, Clearwater

Dave Bailey is Vice President of Consulting Services at Clearwater and leads the managed and consulting services for Health Systems, Digital Health, Physician Practice Management, and the Defense Industrial Base segments. Before his role at Clearwater, Dave served as the Director of Technology and Security at Mary Washington Healthcare, responsible for technology leadership and served as the HIPAA Security Officer. Dave is a Certified Information Systems Security Professional (CISSP). Dave has spent the last 14 years in healthcare cybersecurity. Dave started his cybersecurity journey in the Air Force and has 12 years of cybersecurity experience supporting the federal government in small and large business as a cybersecurity leader.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.