Where Should Hospitals Direct Their Cybersecurity Focus?

An expert shares advice on what healthcare providers can do now as they continue to navigate security challenges.

Your browser doesn’t support HTML5 audio

Healthcare organizations across the U.S. face an increasingly challenging threat landscape. In fact, many have already dealt with data breaches and ransomware attacks.

At least 560 facilities in the U.S. were impacted by ransomware attacks in 2020, with about 24 percent of all ransomware attacks linked to healthcare, according to a report from managed security service provider Digital Hands. But only 7 percent or less of a healthcare provider’s IT budget is allocated for cybersecurity, compared to the 15 percent or more in other sectors, the report notes.

Security experts advise healthcare organizations to focus their limited resources on security technologies and processes that address backup and recovery as well as prevention. They also recommend that backup strategies follow the 3-2-1 rule, which refers to keeping three copies of critical data retained on two different types of media, with one stored offline.

Today’s sophisticated ransomware threat actors will first encrypt backups before encrypting live systems, says Kayne McGladrey, senior member of technical association IEEE.

“This is intended in response to their targeted victims not paying the ransom but rather restoring from backup,” he says. “Organizations should ensure that at least one backup copy is stored offline, so that if the primary backup systems are encrypted, there is still a clear path to data restoration.”

Implementing risk-based multifactor authentication for privileged users also mitigates the risks of credential stuffing attacks and lateral movement, he adds.

Credential stuffing attacks are often conducted by initial access brokers (IABs) who seek to validate stolen credentials before reselling them as part of the cybercriminal supply chain.

“It is easy for an IAB to quickly validate credentials when there are no additional authentications performed beyond a single password. Introducing multifactor authentication based on risk is a good compensating control,” McGladrey says.

One of the simplest ways to avoid cybersecurity threats is by keeping as many devices up to date as feasible.”

Kayne McGladrey

Senior Member, IEEE

For example, when a user who works in Seattle logs in from Seattle, and then attempts to log in five minutes later from Sao Paulo, a risk-based assessment will identify this impossible travel situation and either block the authentication attempts or require multifactor authentication.

Hospitals also use IT patching systems to patch server endpoints based on criticality and known exploits. They need to ensure that they’re up to date with known vulnerabilities.

“One of the simplest ways to avoid cybersecurity threats is by keeping as many devices up to date as feasible,” McGladrey says. “If an organization learns that there is a vulnerability being actively exploited — or that a proof of concept for a vulnerability has been developed and is in the wild — they can accelerate patching the affected, vulnerable assets to reduce the likelihood of a successful attack.”

Alternatively, devices that cannot be patched can be isolated from the network so that the effect of a successful compromise is reduced.

Be Prepared Instead of Shocked

He adds that healthcare organizations should have up-to-date golden images for servers and workstations, and offline copies of these should be stored on at least two types of media.

“Ransomware threat actors may unintentionally encrypt the golden images as part of the last stages of an attack,” McGladrey says. “It is substantially more difficult to recover from backup if an organization’s golden images are encrypted. Having an offline copy helps to mitigate this risk.”

Another critical piece of the puzzle? Organizations need to develop incident response and recovery plans for potential cyberattacks and get them to key staff as paper copies.

“The best teams play how they train, and the time to identify gaps in knowledge or in processes is not during an active breach,” McGladrey says, adding that plans should be tested on a regular basis.

Though having paper copies of the plans is less than ideal, McGladrey says the alternative is for those plans to be destroyed or encrypted in an attack, which would leave an organization to struggle through on memory alone.

More On Backup and Recovery, Management, Team Collaboration, Risk Assessment,