Rising threat of cyberattacks on health care organizations puts physicians, patients at risk

© Michael Traitov - stock.adobe.com

Physicians’ offices, hospitals and health care organizations have become increasingly attractive targets for cybercriminals. Combine a relatively vulnerable attack surface with a high likelihood of payoff, and it becomes easy to see why these attacks keep occurring. The ongoing fallout from the recent Change Healthcare hack shows the vital role of cybersecurity in health care. Providers relying on ACH checks face prolonged disruptions, with Optum's assistance insufficient to sustain vulnerable family offices, highlighting the urgent need for enhanced cybersecurity measures. This news has garnered national attention given that federal regulators are launching an investigation into the cyberattack. Physicians, pharmacists, hospitals and health insurers nationwide must collaborate to recover from this significant cyberattack.

Chris Henderson
_{© Huntress}

To reduce the attractiveness of the health care industry to these cyber criminals, there needs to be more advanced defenses or an agreement that these businesses should never pay the ransom. Unfortunately, non-payment can often turn into negative health outcomes, leaving businesses to manage and reduce the health care attack surface.

Attack surface is a term mentioned frequently in cybersecurity. In layman's terms it is the equivalent of assessing the number of entry points, like doors and windows in a house, along with defenses guarding them. A locked door is stronger than a closed door, a closed door is stronger than an open door, and so on. In cybersecurity, the attack surface includes many things: the computers in a practice or hospital, the online services they use to provide patient care portals, and the identities used to log into internal IT systems, to name a few.

Reducing this attack surface is no small task and it is certainly not cheap, especially for primary care physicians who already are dealing with staffing shortages, inflation and cuts to Medicare reimbursement, without the benefit of a large IT department.Managing cybersecurity protocols for a hospital or health system is already a considerable challenge, but for an independent doctor in a small town without a robust IT team, it becomes a Herculean endeavor. One of the most common weaknesses exploited by adversaries for both initial access and propagation of attacks are vulnerabilities in software and operating systems. Mitigating this weakness sounds straightforward, such as keeping systems and software up to date. However, that is far easier said than done in the medical industry where imaging devices costing millions of dollars are still using out-of-date operating systems because the vendor has not provided updated software to run on modern operating systems.

This leaves a practice or hospital primarily with two options: invest in new hardware to address the software vulnerabilities or isolate those imaging devices to prevent any communication with other technologies within the building. Unfortunately, until hospitals start mandating that medical technology vendors provide updates beyond the typical four- or five-year period, this means the best defense is a strongly segmented network.

The increased interconnectivity of health care organizations has also increased the third-party risks already present in the space. Third-party risk is the concept that a negative outcome at one of the technology providers used by an organization will directly (or indirectly) cause a negative outcome for the customer organization. As consumers, we evaluate third-party risk regularly by checking expiration dates on food before consuming, accepting or denying permissions on the apps we install, and checking reviews prior to buying items online.

In cybersecurity, we don’t often get full insight into the cybersecurity practices of the organizations that corporations purchase services from. Instead, they have to evaluate third-party audits of their security posture which no consumer will ever do. Health care organizations need to start demanding stringent security audits of the businesses they choose to partner with. These audits should include penetration tests in addition to the audits of their application security practices and organizational cybersecurity programs.

Without these audits, businesses will continue to see more attacks leading to the entire health care supply chain being disrupted. Consequences range from consumers not being able to get their medications, to physicians’ offices not receiving claims reimbursements after major health care organizations have paid millions in ransom. Health care organizations must demand exceptional results from their partner’s audits.

Even with a strong perimeter, its effectiveness diminishes when circumvented. Maintaining patched and segmented assets, and ensuring supply chain security, are essential steps to build a strong defense for a health care organization. These organizations should also prepare for the possibility of these measures failing, along with the reality that attackers may still infiltrate their systems through various other mechanisms and tactics. Security monitoring entails a substantial task, often demanding a sizable workforce due to the specialized talent necessary for a fully operational security operation center. However, acquiring such talent proves to be both expensive and challenging. To optimize their security and do it within a healthy and reasonable budget, health care organizations have turned to outsourced monitoring through managed service providers to extend their resources or augment or replace their own staffing needs.

Whichever path health care organizations take, these are all steps to help prevent the industry from being riddled with these costly and reputation-damaging attacks that have significant impact on the entire health care supply chain.

Chris Henderson runs threat operations and internal security at Huntress. He has been securing managed service providers and their clients for more than 10 years through various roles in software quality assurance, business intelligence, and information security.