Understanding Your AdversaryWhat Health System Leaders Need to Know About Cyberattackers and Risk Drivers
Though healthcare organizations once approached risks within clinical environments and cyber risks as if they were isolated, we've learned too much about the connection between cybersecurity and patient safety to continue this way.
Today, many organizations are managing cyber risk as a business issue, focusing on system availability, care delivery and patient safety. Resilience, not just compliance, is becoming healthcare’s primary goal in managing cyber risk.
Know Your Adversary
Moving to a more resilient state requires continuous cyber risk management, which also requires knowing your adversary. It's important to understand how an adversary thinks and how they attack to ensure that the appropriate safeguards are in place, starting with the following:
- The human being is still a primary target, and phishing attacks are still the primary vector. According to a report published by KnowBe4 analyzing how prone employees in organizations across 19 different industries are to clicking on malicious links in phishing emails, healthcare and pharmaceuticals ranked number two across medium-sized organizations, with a 36.6 Phish-prone Percentage. Across all industries, nearly 1 in 3 employees will click a link in a phishing email.
- Cyberattackers primarily steal credentials and APIs to compromise cloud services, according to Google Cloud's Threat Horizons Report. In a cloud service, what's key is who has access and how the applications and data interact, which is why credentials and APIs continue to be the top vectors in cloud environments.
- Adversaries operate sophisticated enterprises. Ransomware is a lucrative business; some cyberattackers offer their services to other threat actors in what is known as ransomware as a service. Attackers scale by sharing tactics, tools and techniques, and profit sharing between parties makes the arrangement lucrative for both.
- Threat actors are skilled at moving laterally through your network undetected. The longer an attacker can stay hidden, the more credentials they can steal, the more data they can encrypt and the more damage they can do.
Key Drivers of Healthcare Risk
How you prepare for a cyberattack today will determine how effectively you mitigate a future attack and minimize the impact on your organization. That preparation includes understanding the key drivers of healthcare risk. While each organization has its own risk factors, some commonalities exist across the industry.
Below are the top five risk drivers by asset, component and program levels. The data is sourced from Clearwater's Security Operations Center, IRM|Analysis software and aggregated Clearwater analyses.
Asset-Level Risk Drivers
- Inadequate safeguards to protect user identities, including multifactor authentication and single sign-on;
- Lack of formal and continuous user activity review;
- System logging that is not formally aggregated or integrated into continuous monitoring;
- Weak password controls;
- Lack of user protections such as preventing simultaneous user logins or addressing failed login attempts.
Component-Level Risk Drivers
- MFA fatigue: As organizations expand MFA, they are trying to make it easier on the end user and are inadvertently making it easier for end users to approve access that's not theirs.
- Native cloud logging: Organizations trust that default logging in cloud services is adequate, not realizing it may be limited in scope, duration and content to understand better what occurred.
- Unpatched, legacy or unsupported systems: Organizational side effects of ineffective vulnerability management programs and lack of system development lifecycle.
- Inconsistent controls implemented: Organizations apply different security controls for production, corporate and development environments, creating gaps in visibility and protection.
- Incomplete or outdated awareness training: Modern threat tactics are changing, and an organization's awareness program must reflect this.
Program-Level Risk Drivers
- Unpatched, legacy or unsupported systems;
- Lack of system hardening and configuration management;
- Lack of network segmentation;
- Poor user management practices for domain, local admin, and business applications;
- Missing business impact analysis or critical functions.
Decreasing Cyber Risk
Threat actors are educated about healthcare organizations' security weaknesses, and they're actively trying to exploit them. Here are six recommendations to decrease risk and shore up your defenses:
- Perform ongoing risk analysis of all information systems at the asset level .
- Consider following SP 800-37 when implementing new systems.
- Move from quarterly scans to ongoing scanning and remediation.
- Conduct more sophisticated penetration testing, such as red teaming.
- Conduct a security controls validation assessment to test your defenses.
- Tier your third-party vendors based on risk to patient safety.