Attacking health care cybersecurity with breaches and ransomware attempts is the big-game-hunting strategy of choice for cybercriminals in 2021. Bad actors, including ransomware gangs, admit health care providers are a soft target and the most willing to pay ransoms. Oh, and there’s another dark-business motivation: Personal health information (PHI) data is the most lucrative to sell on the dark web.
Ransomware overall is the most worrisome form of online crime at the moment. Where the average payout was about $15,000 two years ago, it’s now about $250,000 (although that figure is skewed by some large multiple-million-dollar payouts from companies such as Colonial and JBS), according to researcher IDC.
Cybercriminals also promote the easy financial gain of hacking into health care businesses when recruiting ransomware gangs into affiliate programs. Recruited ransomware affiliates receive 80% of the ransom they set and send 20% to the sponsoring cybercriminal gang. As a result, health care’s cybersecurity weaknesses have become a selling point for ransomware affiliate recruiting programs.
Health care under siege in 2021
Sixty-seven percent of health care-delivery organizations have been victims of ransomware attacks, while 33% have been hit twice or more, according to the recently published Ponemon Research Report: “The Impact of Ransomware on Healthcare During COVID-19 and Beyond.” Cybercriminals are familiar with how to hack endpoints or use phishing to steal privileged access credentials to gain access and move across networks.
According to a briefing earlier this year by the U.S. Health and Human Services (HHS) Cybersecurity Program, health care is the most targeted sector for data breaches. The HHS Breach Portal, a useful online reference to all health care-related breaches and ransomware attempts, shows that there have been 472 health care-related breaches affecting 35.3 million patients between January and October of this year.
The top nine breaches alone affected 17 million patients, indicating cybercriminals’ preference for big-game hunting attacks that deliver millions of PHI records at once. One in three of these health care cyberattacks started with an email, and 52% started with an exploit of a network-edge vulnerability. According to a recent IDC survey, the average ransomware payment is $250,000 over the past 12 months.
Health care chief information security officers (CISOs) interviewed say that their boards of directors are increasing cybersecurity spending by at least 15% in 2022; one said their spending could increase by as much as 35%. CISOs and their CIO counterparts are prioritizing zero-trust network access (ZTNA), unified endpoint management (UEM), and training to slow down phishing and social engineering attempts. According to Ericom’s first annual Zero Trust Market Dynamics Survey, 80% of organizations plan to implement zero-trust security within less than 12 months, and 83% agree that zero trust is strategically necessary for their business.
Zero trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture. Zero trust is not about making a system trusted, but instead about eliminating trust.
How to improve health care cybersecurity
Ericom’s survey results are consistent with conversations and interviews VentureBeat has had with leading health care provider CIOs and CISOs, who say one of their greatest challenges is securing the many new remote endpoints that now regularly connect to on-premises network infrastructures.
The pandemic has been a windfall for cybercriminals as organizations launch new endpoints across legacy on-premises network infrastructures, often with little or any endpoint security in place. Interestingly, one CISO said that it’s not the unprotected endpoints that are the most dangerous or that she worries about most: It’s the ones that are overconfigured with too much conflicting software or those that aren’t self-healing.
Absolute Software’s 2021 Endpoint-Risk Report found out that the typical endpoint device has on average 11.7 clients installed. See the VB article “Endpoint security is a double-edged sword; Protected systems can still be breached” for additional insights into endpoint vulnerabilities. Health care CISOs told VentureBeat last week that their plans for 2022 also include pilots of self-healing endpoints, given their successful use in enterprises.
Recommendations from CISOs
CISOs shared the following five recommendations with VentureBeat on how health care organizations can get started with their ZTNA frameworks, improve endpoint security, and achieve broader cybersecurity readiness:
- Start by defining the specifics of a ZTNA framework that scales with your business model while ensuring regulatory compliance with HIPAA. CISOs caution that adding HIPAA compliance as a bolt-on rarely works, even if a larger ZTNA vendor offers it as a bundled solution. The issue is data transparency regarding audits and how flexible the bolt-on module is for automating an entire audit workflow. One CISO said that the cost benefits of accepting a bundle deal aren’t worth the hassle of trying to get auditing to work at scale. Any ZTNA framework also needs to support device and compliance audits of the endpoint. A good endpoint security platform can validate patient data integrity with self-healing endpoint security technologies.
- Identity and access management (IAM) needs to scale beyond just a single facility to cover entire supply chains and treatment centers. The cornerstone of a successful ZTNA framework is getting IAM right from the first planning sessions. For a ZTNA framework to succeed, it needs to be based on an approach to IAM that can quickly accommodate new human and machine identities being added to corporate networks. Standalone IAM solutions tend to be expensive, however. For organizations just starting out on zero trust, it’s a good idea to find a solution that has IAM integrated as a core part of its platform. Leading cybersecurity providers include Akamai, Fortinet, Ericom, Ivanti, and Palo Alto Networks. Ericom’s ZTEdge platform is noteworthy for its combining ML-enabled identity and access management, ZTNA, micro-segmentation, and secure web gateway (SWG) with remote browser isolation (RBI).
- Implement multi-factor authentication (MFA) across all patient, physician, supplier, and provider network accounts. Endpoints, patients, and especially privileged-access, credential-based accounts are often the primary targets of phishing and social engineering-based breaches in the health care industry. So requiring MFA across all patient, physician, staff, supplier, and provider accounts is a given.
- Create incentives and give employees time off to take cybersecurity training programs to teach them how to identify phishing and social engineered-email breach attempts. One of the best platforms for training is LinkedIn Learning, which has more than 700 cybersecurity courses, including about 100 on cybersecurity’s practical, hands-on aspects. It’s important to keep training in a pragmatic context and realize that any training program alone is not sufficient to protect a company, however. Cybercriminals are experts at manipulating users via convincing phishing emails. RBI thwarts ransomware attacks delivered via malicious links in phishing emails or sites, as well as against credential theft attempts that users can miss, by opening suspicious sites as read-only, so data cannot be entered.
- Health care mergers and acquisitions are accelerating, and cybersecurity planning must be part of any transition plan from the start. Too often, in a rush to combine acquired or merged companies, senior management overlooks creating a solid, integrated cybersecurity strategy to unify the two companies. Ignoring this factor in health care can quickly lead to insider threats as employees opposed to the acquisition or merger seek to profit from cybersecurity gaps. Shut these gaps quickly by making cybersecurity planning a core part of any merger and acquisition process, funded as part of the transaction itself to ensure that there’s an adequate budget for training and maintenance.
Takeaways from this article
Zero-trust network access needs to be at the foundation of any health care cybersecurity initiative to scale and secure every endpoint across every patient, physician, supplier, and treatment center. The five recommendations from health care CISOs and CIOs in this article are only the start. In addition, health care organizations need to define their cybersecurity roadmaps, prioritizing the shutting down of ransomware with remote browser isolation.
All health care organizations need to improve employee training by realistically assessing how trained their employees are today and what they need to learn in the future. They also need to adopt advanced security technologies that include RBI, IAM, and a ZTNA framework as the first line of defense against cyberattacks.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact.
Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
- networking features, and more
Become a member