The proliferation of healthcare internet-of-things (IoT) devices, along with unpartitioned networks, insufficient access controls and the reliance on legacy systems, has exposed a vulnerable attack surface that can be exploited by cybercriminals determined to steal personally identifiable information (PII) and protected health information (PHI), in addition to disrupting healthcare delivery processes, according to the Vectra 2019 Spotlight Report on Healthcare

"Healthcare IT security teams are often kept in the dark and behind the curve when it comes to changes in infrastructure. For example, new medical devices are often connected to the network without informing IT security teams. Gaps in IT security policies and procedures make it easier for healthcare staffs to make unintentional errors that result in exposure and increased security risk. This can take the form of improper handling and storage of patient files, which is a soft spot for cybercriminals in search of weaknesses to exploit," says Chris Morales, Head of Security Analytics, Vectra. 

Key findings include: 

  • The most prevalent method attackers use to hide command-and-control communications in healthcare networks was hidden HTTPS tunnels. This traffic represents external communication involving multiple sessions over long periods of time that appear to be normal encrypted web traffic.
  • The most common method attackers use to hide data exfiltration behaviors in healthcare networks was hidden domain name system (DNS) tunnels. Behaviors consistent with exfiltration can also be caused by IT and security tools that use DNS communication.
  • There was a spike in behaviors consistent with attackers performing internal reconnaissance in the form of internal darknet scans and Microsoft Server Message Block (SMB) account scans. Internal darknet scans occur when internal host devices search for internal IP addresses that do not exist on the network. SMB account scans occur when a host device rapidly makes use of multiple accounts via the SMB protocol that is typically used for file sharing. 
  • While many healthcare organizations experienced ransomware attacks in recent years, the report found that ransomware threats were not as prevalent in the second half of 2018. It is still important to catch ransomware attacks early, before files are encrypted and clinical operations are disrupted.
  • Botnet attacks are opportunistic and are not targeted at specific organizations. While botnet attacks persist everywhere, their rate of occurrence in healthcare is lower than other industries.