Healthcare is a vitally important industry, especially today. Sadly, healthcare organizations are frequently the targets of cyberattacks. This is especially important today because many of these attacks impede the ability of the organizations to offer care to their patients. The most severe attacks can even cause life-threatening situations.
Common attacks on healthcare
While healthcare, like any other industry, is open to numerous types of attacks, there are some attacks that are more common. Let’s review them.
Ransomware attacks are very common in the healthcare industry and they can happen at large scales. For example, Universal Health Services, one of the largest healthcare providers in the U.S., was recently hit by an attack which locked computers and phone systems at several UHS facilities.
Ransomware attacks can be performed in various ways, but the objective of the attacker is always the same: to extort a ransom payment from the victim. First, the attacker penetrates the targeted network (usually through a malicious email attachment or link). Then malware is used to encrypt files or lock the legitimate users out of the system.
If you are the victim of a successful ransomware attack, then you have several choices, and all of them are bad:
- Try to clean out the malware from the system and roll back the damage that it did. (This might not succeed, and will in any case take a long time to attempt.)
- Try to restore the entire system from a recent backup. (This assumes that there is a good recent backup, which, all too often, is not available.)
- Pay the ransom and trust that the cybercriminal who attacked you will keep his word, and will release your files and system access after you pay.
Sadly, in most cases, paying the ransom is the simplest and quickest way to stop the attack.
Ransomware is already a grave threat to healthcare organizations, and the threat is growing worse. As this article was being written, a joint Alert, “Ransomware Activity Targeting the Healthcare and Public Health Sector”, was issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS).
The Alert warns of “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers,” from threat actors using specific malware tools that “often lead to ransomware attacks, data theft, and the disruption of healthcare services.”
Although a DDoS (distributed denial of service) attack might sound less harmful than ransomware, it is still a serious threat against the healthcare industry. A DDoS attack can easily hinder many services offered by hospitals. One notorious example was the week-long DDoS against Boston Children’s Hospital that affected many services such as patient appointment scheduling. (And the attacker’s goal wasn’t even to receive a ransom payment; he merely wanted to make a statement.)
Hospitals and healthcare service providers hold very sensitive information in their systems: patients’ names, addresses, medical records, Social Security numbers, and even credit card numbers. If stolen by a hacker, this information can easily be used for identity theft. Thus, it is one of the most coveted commodities on the dark web.
The Big Bad Bot
There are many ways to attack a healthcare facility, but almost all the attack vectors have one thing in common: they use malicious bots.
“Bot” is an abbreviation for Web Robot (also known as an Internet Bot or WWW Robot). A bot is a software application that automates activities that a human might otherwise do. Usually, bots will be faster and/or operate at a larger scale than would be practical otherwise.
Good bots are an important part of the Internet today: everything from chatbots on websites to Googlebot that crawls and indexes the web. But there are also bad bots—the ones used in cybercrime.
Successful attacks are rarely waged by the Hollywood image of a hacker (someone wearing a hoodie hunched over a keyboard). Today’s cyberattacks require a lot of computing power, time, and often, massive amounts of bandwidth. As a result, hackers use bots—lots and lots of them.
In healthcare attacks, hostile bots are used in a variety of ways. The two most serious are:
- DDoS Attacks. Malicious actors use large networks of bots to create coordinated attacks on a massive scale. The goal is to disrupt the targeted organization by overwhelming its web applications or APIs with incoming requests, making them unavailable for normal use. If the victim cannot filter out the attack traffic, the disruption will last for as long as the attacker wishes.
- Vulnerability Scans. Hackers use bots to automatically scan systems throughout the Internet for known vulnerabilities. When an exploitable system is found, hackers follow up with direct attacks: SQL injection, code/command injection, or whatever attack will be successful against the vulnerability that was found. Many ransomware infections and data breaches of healthcare providers began with vulnerability scans that the providers’ security measures failed to block.
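Both of the bot abuses above leave a recognizable footprint in ordinary web-server access logs: a scanner walks through many paths that do not exist (a burst of 404s from one client), and a flood sends far more requests per minute than any browser would. The following script is an added example, not code from the original article or from any product it mentions; it parses constructed, combined-format log lines and applies both detections with illustrative thresholds that you would tune against your own traffic baseline.

```python
"""Added example: flag likely scanner bots and request floods in web access logs.

Two detections that map to the bot abuses described above:
  * scanner - one client probing many distinct paths that do not exist (bursts of 404s)
  * flooder - one client sending far more requests per time window than a browser would
Thresholds are illustrative assumptions; tune them to your own traffic baseline.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed; adjust the pattern for other formats)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def detect_bots(lines, window_seconds=60, scan_404_paths=5, flood_requests=30):
    """Return {ip: set(labels)} for clients exceeding either threshold in any window."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_ip[rec["ip"]].append(rec)

    findings = defaultdict(set)
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward so it spans at most window_seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            win = recs[start:end + 1]
            if len(win) >= flood_requests:
                findings[ip].add("flooder")
            missing = {r["path"] for r in win if r["status"] == 404}
            if len(missing) >= scan_404_paths:
                findings[ip].add("scanner")
    return dict(findings)


def _line(ip, ts, path, status, ua="Mozilla/5.0"):
    """Build one constructed log line (documentation-range IPs, not real clients)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log: one normal user, one scanner, one flood
SAMPLE_LOG = [
    _line("203.0.113.7", "28/Oct/2020:10:00:01 +0000", "/patient/login", 200),
    _line("203.0.113.7", "28/Oct/2020:10:00:09 +0000", "/patient/appointments", 200),
    # scanner: six different non-existent admin-style paths within six seconds
    *[_line("198.51.100.9", f"28/Oct/2020:10:00:{i:02d} +0000", p, 404, "python-requests/2.24")
      for i, p in enumerate(["/wp-login.php", "/phpmyadmin/", "/.env",
                             "/admin/", "/console/", "/cgi-bin/"])],
    # flood: forty requests for the same endpoint inside ten seconds
    *[_line("192.0.2.44", f"28/Oct/2020:10:01:{i // 4:02d} +0000", "/api/schedule", 200)
      for i in range(40)],
]

if __name__ == "__main__":
    for ip, labels in sorted(detect_bots(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(labels))}")
```

Run as a script it lists `192.0.2.44` as a flooder and `198.51.100.9` as a scanner while the ordinary user is not flagged. In practice you would feed `detect_bots` the lines of a live log and forward the findings to the web application firewall or rate limiter that fronts the site, rather than blocking from the script itself.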
How to protect your organization
In this environment, effective security is essential. Here are some important requirements for protecting your organization from these attacks, and others as well.
- Internal email hygiene. Many successful attacks are enabled by an unwitting staff member who clicked on a link or an attachment in a malicious email. One click can be all that’s necessary for a hacker to initially penetrate your network. Then they gradually broaden their access until they have everything they need to launch their attack. Threat actors are growing more subtle in the format and content of the emails that they send; you should ensure that your staff is trained to recognize the various types of attacks that can arrive in an email, or even a text message.
- External web security. It goes without saying that every organization needs to filter malicious traffic and block it from reaching its sites, web applications, and APIs. When evaluating web security solutions, important features include autoscaling (so that the solution can scale up its resources automatically and absorb DDoS attacks), thorough input validation and sanitization (which will block a wide variety of other attacks), and robust bot detection (that can identify even the latest-generation malicious bots which masquerade as human visitors).
- Managed web security. The best web security solutions are managed by the vendors. The Internet threat environment constantly evolves, and your defenses must be kept up-to-date. If your organization does not have at least one security expert on staff—and few healthcare organizations do—consider a solution that is maintained and managed by the experts who created it. Basically, they will be your organization’s security experts, on call 24/7.
- Disaster preparedness. Even if you ensure that your organization is well-protected from cyberattacks, you should still plan for the worst. For example, if your network was crippled by ransomware tomorrow, what would you do? Could your frontline workers still coordinate and provide effective care while the IT team scrambled to bring everything back online? Could your doctors receive important lab results if the network were down? In what vital areas of care is the network a single point of failure? Uncomfortable questions like these need to be asked now, while they can be discussed and solved calmly. And during this process, be sure to discuss the IT backup schedule, how it will be monitored and enforced, and how well the staff has been trained on the proper procedures for verifying and restoring a backup. Yes, backups are tedious and time-consuming and everyone dislikes doing them. That’s why they are often neglected, and why organizations sometimes find themselves in the middle of a crisis, lacking one basic necessity: a recent, complete, and valid system backup. Proper planning now can prevent disasters from happening later.
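The last point, verifying and restoring a backup, is the one most organizations skip until the crisis. The script below is an added example written for this article, not code from the original or from any vendor; it shows the minimum a scheduled restore drill should prove: that the most recent backup exists, is recent enough, and really restores with every file's content intact. The directory layout, file names and the SHA-256 manifest format are assumptions for the demonstration.

```python
"""Added example: a backup verification (restore) drill, hypothetical helper code.

make_backup() archives a directory into a .tar.gz and writes a SHA-256 manifest
beside it. verify_backup() later proves the backup is (1) present, (2) recent
enough, and (3) actually restorable, by extracting it into a scratch directory
and re-hashing every file. A backup that has never been restored is untested.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src and write {relative_path: sha256} plus a creation time beside it."""
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                files[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    _manifest_path(archive).write_text(json.dumps({"created": time.time(), "files": files}))
    return files


def verify_backup(archive: Path, max_age_seconds: int = 86400) -> list:
    """Return the problems found; an empty list means the backup passed the drill."""
    problems = []
    manifest_path = _manifest_path(archive)
    if not archive.exists() or not manifest_path.exists():
        return ["archive or manifest missing"]
    meta = json.loads(manifest_path.read_text())
    age = time.time() - meta["created"]
    if age > max_age_seconds:
        problems.append(f"backup is {age / 3600:.1f} h old, older than allowed")
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
        # refuse entries that would write outside the scratch directory on restore
        unsafe = [m.name for m in tar.getmembers()
                  if m.name.startswith("/") or ".." in Path(m.name).parts]
        if unsafe:
            return problems + [f"unsafe path in archive: {n}" for n in unsafe]
        try:
            tar.extractall(scratch, filter="data")  # Python 3.12+ and backports
        except TypeError:  # older interpreters without the filter argument
            tar.extractall(scratch)
        for rel, digest in meta["files"].items():
            restored = Path(scratch) / rel
            if not restored.exists():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"content mismatch after restore: {rel}")
    return problems


def run_drill() -> dict:
    """Constructed demonstration: back up a scratch tree, verify it, then force a failure."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        src = Path(root) / "ehr-data"
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient-0001.json").write_text('{"id": 1, "note": "constructed sample"}')
        (src / "config.ini").write_text("[db]\nhost=localhost\n")
        archive = Path(root) / "nightly.tar.gz"
        make_backup(src, archive)
        results["healthy"] = verify_backup(archive)
        # simulate silent corruption: the manifest no longer matches the restored file
        manifest_path = _manifest_path(archive)
        meta = json.loads(manifest_path.read_text())
        meta["files"]["config.ini"] = "0" * 64
        manifest_path.write_text(json.dumps(meta))
        results["tampered"] = verify_backup(archive)
    return results


if __name__ == "__main__":
    for name, problems in run_drill().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Scheduled nightly, `verify_backup` turns "we have backups" into a checked claim: the drill fails loudly when the archive is missing, stale, or does not restore byte-for-byte, which is exactly the information you want before a ransomware incident rather than during one.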
A word about COVID-19
One would think that during these times, when doctors and healthcare professionals are on the front lines of the pandemic, hackers would leave hospitals alone. Sadly, this is not the case. We are seeing more and more attacks targeting healthcare providers in recent months. Hackers have no shame, and they are exploiting this horrible situation.
Make sure your organization is safe.