Healthcare’s cyber resilience under siege as attacks multiply

In this Help Net Security interview, Eric Demers, CEO of Madaket Health, discusses prevalent cyber threats targeting healthcare organizations.

He highlights challenges in protecting patient data due to infrastructure limitations and the role of employee awareness in preventing insider threats. Demers also addresses cybersecurity concerns with IoT devices and recommends enhancing resilience through updates, redundancies, and partnerships.

What are the most common and dangerous cyber threats facing the healthcare sector in 2024?

Cyber threats haven’t necessarily changed, but they’ve become more frequent in healthcare. The most common threat to healthcare systems remains phishing attacks, sent in hopes that just one person, out of thousands, clicks a link or opens a file contained within the email. That file or link gets the hackers’ foot in the door to the network and from there, they can either lock the system down with ransomware or steal data. Stolen data can be leveraged in a multitude of ways by criminals, ranging from medical ID theft to extorting from patients directly. We saw a recent attack on Change Healthcare shut down the largest payer system in the U.S.

DDoS (distributed denial of service) attacks are also prevalent, but ransomware has certainly dominated headlines in recent years.

Many attacks against healthcare organizations come from outside the U.S., and the sophistication of these cyberattacks allows deeper access to systems or data within a system. We can likely expect these attacks to continue to grow in 2024.

Many of these instances are coming from bad actors offshore. While there’s not much one can do about being targeted, healthcare organizations can certainly take steps to strengthen their network’s cyber resilience as well as educate employees on how to be vigilant in detecting potential risks.

With healthcare experiencing a high rate of data breaches, what are the primary challenges in protecting health records and patient information?

One of the most significant challenges facing the healthcare industry is that the infrastructure is less advanced compared to other sectors that are highly reliant on tech. Therefore, being up-to-date is a challenge in itself. Secondly, with so many potential access points to data across the healthcare ecosystem – through a healthcare organization, employees, connected medical devices, or even patients – healthcare systems are particularly vulnerable to these attacks.

Everyone with access to these entry points and data has shared custody of that data, which creates significant challenges. And it only takes one or two entry points. For example, if someone is tricked into opening an unknown attachment or clicking something unknowingly dangerous, bad actors could access the system and take over. We’ve seen this play out time and time again in the healthcare industry.

Can you discuss the role of employee awareness in preventing insider threats in healthcare settings?

Every healthcare organization must ensure employees are well aware of and trained about potential threats. It’s critical to ensure they understand how to navigate and evaluate everything that comes in. One requirement could be to only open emails from known senders or to only open attachments if they are secure. Many organizations’ security teams will conduct resilience tests and distribute suspicious-looking emails to see which employees will click them. Modern spam filters are relatively adept at weeding out risky emails, but anyone with an inbox knows that many get through to end users.

Most employers issue computers and devices, allowing for secured settings maintained by IT departments. It’s important to keep access and logins only to those devices and not on any personal devices, which are typically much easier attack points to enter a system. Maintaining robust security settings on issued machines is especially important if the employee will be working from remote locations, including at home, where network security tends to not be as robust as within enterprises.

While not every organization has the ability to implement every security measure outlined above, all healthcare organizations should ensure their employees understand potential threats and potential outcomes. Educational sessions can be a beneficial tool in threat mitigation. Many compliance training sessions mimic these types of events to ensure employees don’t fall prey to these tactics.

With the increasing use of IoT devices in healthcare, what are the primary cybersecurity concerns, and how can they be addressed?

Again, it comes back to security updates. Most IoT devices become static at some point or another. Patches or security settings are automatically updated or have to be pushed through by an end user. Ultimately, if a device isn’t current, there is a higher likelihood of potential to gain access to that device.

The most concerning part of this scenario is that smart medical devices are connected with high-care settings. If an attacker were to take control of those devices, it could lead to devastating consequences – from life-threatening outcomes for patients to DDoS attacks on the system.

What are your recommendations for enhancing cyber resilience in the healthcare sector?

Cyberattacks will not stop and healthcare systems are in for a continuous battle. As such, healthcare organizations must do everything possible to ensure their systems are protected and access is appropriately restricted. As these attacks happen, depending on what part of the data you’re working with or storing, working with partners, vendors or applications that allow you to manage high volumes of data while being up-to-date across that data can be helpful.

With the recent Change Healthcare breach, redundancy and alternate systems helped to alleviate some of the effects of the attack. For those sending information or processing through Change, a “re-routing” of that information through another vendor or another endpoint helped mitigate some of the major interruptions regarding revenue, flow and access to the patient claims to be processed. This is just one example of how applications, partners and vendors that can manage that piece of the data at scale are another way to help mitigate the potential downsides of an attack.

Redundancy also comes into play here along with data pathways. It is vital for an organization to think about the infrastructure, pathways and partnerships required to move data that is critical to business operations. The Change Healthcare attack vividly demonstrates that while putting all your eggs in one basket might be cost-advantageous, it can become a chokepoint and potentially devastate your business in the event of an attack.

What emerging trends in cybersecurity should healthcare professionals be aware of in the coming years?

The threat landscape largely remains the same in terms of the way that cyber attackers are getting access to data. As I mentioned, there are two areas where attackers will likely continue to gain access increasingly. The first is individuals who think they are doing something appropriate but are being deceived. The second is exploiting connected medical devices that are not up-to-date on their security patches or settings.

Consider the devastating consequences of bad actors attacking remote patient monitoring devices, ventilators or a smart medical device connected to a patient. As the healthcare industry continues to become more technologically advanced, more access points exist for potential harm. This is why steadfast vigilance, training and ongoing security updates are so critical to the industry.
