Security

Q&A: The Anatomy of a Healthcare Breach with a Palo Alto Networks Expert

When a malicious actor breaches a healthcare security system, it sets off a chain of events that requires a coordinated response from IT security leaders to minimize the damage.

Nathan Eddy

Nathan Eddy works as an independent filmmaker and journalist based in Berlin, specializing in architecture, business technology and healthcare IT. He is a graduate of Northwestern University’s Medill School of Journalism.

Healthcare organizations are facing the growing and ever more complex challenge of defending against cyberthreats and malicious actors as they continue their digital transformations.

To better prepare for attacks and the likelihood of a compromise, healthcare IT security leaders must understand the anatomy of a breach, from the initial attack vector to detection and a rapid, coordinated response.

HealthTech spoke with Troy Ament, global industry leader for healthcare at Palo Alto Networks, to walk through what happens when systems are breached and how healthcare organizations must prepare and execute their response.

DISCOVER: Palo Alto Networks secures healthcare organizations against modern threats.

HEALTHTECH: What are some of the top threat vectors that healthcare organizations are facing today?

AMENT: Healthcare organizations are facing significant security threats due to their rapid digital transformation over the past 10 to 15 years. Adversaries, including nation-state actors, are increasingly targeting these systems to disrupt clinical and business operations.

The most prevalent threat is ransomware, which often exploits weaknesses in the underlying infrastructure. Many healthcare organizations lack basic security controls such as multifactor authentication and adequate patching and vulnerability management. Even when multifactor authentication is thought to be in place, there are often gaps due to poor inventory management of applications, systems and users. These gaps provide an attack surface for adversaries to exploit, leading to widespread ransomware or distributed denial-of-service (DDoS) attacks, effectively shutting down operations.

Click the banner below to learn why cyber resilience is essential to healthcare success.

x-cyberresillience4-static-2024-na-desktop

x-cyberresillience4-static-2024-na-mobile

HEALTHTECH: What is the first stage in the anatomy of a healthcare breach?

AMENT: The first stage of an attack on a healthcare system typically begins early in the week, on Monday or Tuesday, when adversaries establish their foothold. They then wait for a time when the organization is vulnerable; for example, when there are no on-call staff or active monitoring. They target the underlying infrastructure, such as domain controllers and dynamic host configuration protocol (DHCP) services, which leads to widespread disruptions.

Critical systems, such as phone and overhead paging systems, are among the first to go down, hindering essential communication. This disruption extends to various departments, such as the emergency department, ICU, laboratory, radiology and pharmacy, all of which rely on interconnected digital networks. This chaos not only disrupts operations but poses significant risks to patient care and safety.

HEALTHTECH: Now the breach is spreading — how do security teams detect it?

AMENT: After the initial entry and escalation phases of a healthcare breach, the next critical stage is its detection. The point at which a breach is detected can significantly influence the outcome. This phase often separates organizations that can effectively manage the situation from those that cannot. Well-prepared organizations with sophisticated cybersecurity measures, such as 24/7 incident response teams and retainers with a cybersecurity firm like Palo Alto Networks, can detect breaches early, limiting the damage to a brief disruption.

In contrast, organizations that lack robust incident response procedures and detection systems face prolonged disruptions. For instance, a breach that initially affects hospital operations on a weekend can spill over into the following week, causing widespread chaos. Before the COVID-19 pandemic, some large health systems handled about 100 virtual visits per month; now, many conduct over 45,000 virtual visits monthly. A ransomware attack can halt these virtual services, creating a massive backlog and significant patient care disruptions.

Another key aspect is preparation. Recognize that it’s not a matter of if, but when an attack will happen.”

Troy Ament Global Industry Leader for Healthcare, Palo Alto Networks

HEALTHTECH: Following detection of the breach, how must security leaders respond?

AMENT: After detecting a breach, it’s crucial to implement an effective incident response. The first step is to embrace a defense-in-depth strategy, which involves multiple layers of security controls across the IT environment. This includes everything from firewalls and endpoint detection to cloud security and identity management. Continuous monitoring for misconfigurations or vulnerabilities is essential because systems evolve constantly. It’s about maintaining good cyber hygiene and being vigilant to any changes that could expose your system to attackers.

Another key aspect is preparation. Recognize that it’s not a matter of if, but when an attack will happen. Having partnerships and incident response retainers in place is vital. Regularly conducting tabletop exercises helps to build and refine your action plan. These exercises simulate an attack, allowing your team to practice and improve their response.

When an incident occurs, having experts on standby through incident response retainers means they can immediately start remediation without the delays of contract negotiations. These experts should be familiar with your systems, ready to protect, respond and remove adversaries quickly. This preparedness ensures that your network is secured promptly, minimizing the impact of the breach and protecting the rest of your infrastructure.

Brought to you by: