Federal Report Offers Healthcare Cyberattack Trend Insights

Suggests Actions to Better Defend Against Current, Future Threats

A new federal report spotlighting the spate of cyberattacks on the healthcare and other sectors over the last few years provides insights to help organizations better navigate continuing and evolving cybersecurity trends and challenges in 2022 and beyond.

The report, Health Sector Cybersecurity: 2021 Retrospective and 2022 Look Ahead, issued Friday by the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, or HC3, provides a roundup of some of the major attacks affecting entities in the healthcare sector and other industries, as well as vendors, in recent years, and especially in 2021.

Large Healthcare Sector Attacks

Among those spotlighted is the 2021 ransomware attack on San Diego, California-based Scripps Health, which disrupted the entity's five hospitals and 19 outpatient facilities for weeks. That incident cost Scripps at least $106.8 million, including $91 million in lost revenue and $21 million in incident response and recovery costs, with insurance covering about $6 million of the expenses, HC3 writes.

[Image caption: A 2021 cyberattack affected multiple Scripps Health hospitals and other facilities.]

But it was not just U.S.-based healthcare organizations that suffered crippling cyberattacks in 2021: A Conti ransomware attack on Ireland's national public healthcare system, Health Service Executive, forced HSE to shut down all IT systems and revert to pen and paper for weeks, with full recovery taking four months, HC3 says.

Meanwhile, cyberattacks also hit a number of key third-party firms in 2021, including vendors servicing the healthcare sector, the report says.

That included a ransomware and data theft incident involving San Antonio, Texas-based NEC Networks, a pharmacy benefits management firm doing business as CaptureRX. That incident affected at least 22 CaptureRX hospital and healthcare provider clients, compromising information of at least 2.5 million individuals, the report says.

"Threat actors continue to evolve and become more sophisticated and effective," HC3 says. Distributed attack vectors are increasingly used, while threats targeting managed service providers, supply chain vendors and open-source software vulnerabilities, such as the Apache Log4j flaw, are on the rise, the report says.

"Governments are increasingly aggressive in fighting back. Despite this, healthcare organizations have as big a role as ever in defending themselves," the report says.

Taking Action

So what do the recent trends mean for healthcare cybersecurity for 2022 and beyond?

Healthcare sector organizations should continue to defend against phishing, including implementing employee training and awareness that considers how current events serve as themes for new phishing campaigns, HC3 writes.

Additionally, entities should consider phishing test programs; gateway/mail server filtering; blacklisting/whitelisting; and operationalization of indicators of compromise, HC3 writes.

Also, remote access technologies should be locked down, HC3 says. "Virtual private networks and technologies leveraging the remote desktop protocol should be operationally minimized," HC3 writes.

"Turn off services where they are not needed. Limit services to only when they are needed. Log and periodically review activity. Update all tools as soon as updates are released. Always apply the principle of least privilege."

Vulnerability management is also critical, HC3 says. "Situational awareness begins with knowing your own infrastructure. Develop and aggressively maintain enterprise asset inventory."

Vulnerability management must be systematic, comprehensive, and repeatable - plus, have mechanisms of enforcement, HC3 says. "Maintain situational awareness of applicable vendor updates and alerts. Develop repeatable testing, patching and update deployment procedures."

It is also critical for entities to understand the value of what their organization offers to adversaries, including protected health information, personally identifiable information and other patient records that can all be sold for high prices, HC3 says.

"If you operate in such a way that you can be disrupted, then you can also be extorted. Foreign countries may want or need your intellectual property."

Healthcare sector entities also should operate with "resilience in mind," HC3 says. That includes considering a high probability of compromise and preparing how the organization will respond to the incident, and its continuity of operations.

Defensive Thinking

HC3 says healthcare sector entities should take a "relatively new-ish" approach to thinking about defense.

That includes distributed attack vectors. "Adversaries are thinking in terms of maximizing their victims with a single attack."

Additional attack vectors affecting health sector entities include compromises involving managed service providers, supply chain vendors and software components. Examples of such include recent incidents involving SolarWinds, Kaseya, and the Apache Log4j vulnerabilities.

How best to prevent and mitigate such incidents involving third parties? "Request MSPs to enumerate their security capabilities. Request software bills of materials. Develop/implement/test contingency plans," HC3 writes.

"Most important: Think in terms of how you can be compromised by your suppliers, vendors, business partners, customers and service providers. … The cybercriminal ecosystem is resilient. As long as there are victims to compromise, there will be someone willing to try."

Moving forward in 2022 and beyond, situational awareness will continue to grow in importance, HC3 writes. That includes keeping up with new threats and their tactics, techniques, procedures and weapons, as well as new vulnerabilities and the means to correct them or mitigate their exploitation.

Maintaining trusted defense measures and defending against distributed attacks and other new avenues of compromise are important, HC3 adds.

Moving Forward

Some industry experts predict that cyberthreats against the healthcare and other sectors will continue to become more malicious and menacing.

"Ransomware cartels become more punitive in their actions against organizations, including data destruction and attacks on the integrity of systems themselves," says Rick McElroy, principal cybersecurity strategist at security vendor VMware.

"We have also seen nation-states leverage ransomware executables to perform destructive attacks against entities. These attacks will continue for the foreseeable future and may in fact increase as a result of geopolitical tensions and spillover from active warfare," he says.

"Organizations and healthcare providers, unfortunately, often find themselves on the front lines of cyber warfare and this won't change anytime soon."

Nation-states and cybercriminals also will continue to target the digital supply chain, McElroy says. "While there is positive strategic momentum to improve security with new legislation and executive orders, there are still a number of bad software design practices that we must rapidly address."

Other Actions

Application programming interface security "in a cloud-first world" is imperative for organizations, he says. Attackers will continue to go after the suppliers of digital technology, and organizations must adopt a trust-but-verify model for hardware and software, McElroy suggests.

Also, as potential cyberthreats grow related to the Russia-Ukraine war, it is critical for entities to gain "full visibility" into what attackers are doing, in order to prevent, detect and respond to cyberattacks, McElroy says.

"To stay prepared, organizations should frequently test their incident response and more importantly their disaster recovery and restoration process," he says.

"It is not enough to do backups anymore. Organizations must drive towards a fully automated restoration process that allows them to recover as fast as possible with minimal downtime while closing those visibility gaps."

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.