Know Your Adversary: Four Behaviors Healthcare Leaders Should Understand About Cyber Attackers

Healthcare organizations once approached risks within clinical environments and cyber risks as if they were isolated from each other. Cyber risk management was contained as part of the compliance program, data breaches were feared, audits and fines were likely, and the primary goals were data protection and compliance. Healthcare leaders have learned too much about the connection between cybersecurity and patient safety to continue this way.

Today, under the constant threat of potential cyberattacks, a growing number of organizations understand that approach no longer works. They have shifted to managing cyber risk as a business issue, focusing cyber risk management around system availability, care delivery, and patient safety. Ransomware has taken center stage as a primary concern that can interrupt patient care, potentially increasing length of stay and mortality. This is often followed by an OCR investigation, fines and penalties, and sometimes lawsuits. As a result, resilience, not just compliance, is becoming healthcare’s primary goal in managing cyber risk.

Know Your Adversary

Moving to a more resilient state requires continuous cyber risk management, which also requires knowing your adversary. It’s important to understand how an adversary thinks and how they attack to ensure that the appropriate safeguards are in place.

Here are four critical behaviors to understand about adversaries that are eyeing your healthcare organization:

  1. The human being is still a primary target, and phishing attacks are still the primary vector. According to a report published by KnowBe4 analyzing how prone organizations across 19 different industries are to click malicious links in phishing emails, healthcare and pharmaceuticals ranked number two across medium-sized organizations with a 36.6 Phish-prone™ Percentage. This means 36.6% of employees in that group clicked a link, opened a file, or were otherwise susceptible to phishing. Across all industries, nearly one out of every three employees will click a link in a phishing email.
  2. Cyber attackers primarily steal credentials and abuse APIs to compromise cloud services, according to Google Cloud’s Threat Horizons Report. In a cloud service, what matters most is who has access and how the applications and data interact, which is why credentials and APIs continue to be the top vectors in cloud environments.
  3. Your adversaries are sophisticated and highly capable, and they’re operating as enterprises. In other words, ransomware is such a lucrative business that cyber attackers now offer their services to other threat actors in what is known as Ransomware-as-a-Service. Business agreements between threat actors allow them to use tactics, tools, and techniques without investing in those strategies themselves, and profit sharing between the two parties makes the arrangement lucrative for both.
  4. Your adversary is skilled at moving laterally through your network undetected. The longer an attacker can stay hidden, the more credentials they can steal, the more data they can encrypt, and the more damage they can do. This added leverage makes it more likely that their attack will be successful and they’ll get the ransom they’re demanding.

Key Drivers of Healthcare Risk

If your healthcare organization has yet to experience a cyber incident or full-blown cyberattack, it’s important to understand that it’s no longer a matter of if it might happen but when. Your preparation today will pay off when you can mitigate an attack and minimize the impact to your organization. That preparation includes understanding the key drivers of healthcare risk. While each organization has its own set of risk factors, there are some commonalities across the industry.

Curious about these potential trends, Clearwater consultants recently reviewed risk data at the asset, component, and program levels from aggregated customer analyses and assessments. Here are some of the key findings:

Asset-Level Data

Clearwater conducts asset-level risk analysis because it’s the most rigorous methodology, yielding not only the best cyber risk management strategies but also ensuring the analysis meets OCR’s risk analysis requirements. These analyses are completed using the IRM|Analysis® software solution, which includes peer-to-peer benchmarking. When looking at data across all analyses, cybersecurity experts discovered the following top 5 drivers of risk for healthcare organizations:

  1. Inadequate safeguards to protect user identities
    1. Systems that process, store, or transmit ePHI are not protected by multifactor authentication (MFA) or securely integrated into a single sign-on capability.
  2. Lack of user activity review
    1. User activity and permissions are not formally reviewed or integrated into continuous monitoring.
  3. Inadequate log aggregation and monitoring
    1. System logging is not formally aggregated or integrated into continuous monitoring.
  4. Weak password controls
    1. Systems are not enforcing strong password requirements for users.
  5. Lack of user protections
    1. Systems are not preventing simultaneous user logins or haven’t adequately addressed failed login attempts.

Component-Level Data

Clearwater operates a 24x7x365 Security Operations Center (SOC) to monitor endpoints, detect threats, and mitigate them before they become a crisis. Based on data gathered while providing services such as firewall management, continual threat detection, attack monitoring, and incident response, the Clearwater SOC team identified the following top 5 component-level risk drivers:

  1. MFA fatigue
    1. As organizations expand MFA, they are trying to make it easier on the end-user and are inadvertently making it easier for end users to approve access that’s not theirs.
  2. Native cloud logging
    1. Organizations trust that default logging in cloud services is adequate, not realizing that those logs may be too limited in scope, retention period, and content to reconstruct what actually occurred.
  3. Unpatched, legacy, or unsupported systems
    1. Ineffective vulnerability management programs and the lack of a system development lifecycle.
  4. Inconsistent controls implemented
    1. Organizations are applying different security controls for production, corporate, and development environments that are creating gaps in visibility and protection.
  5. Incomplete or outdated awareness training
    1. Modern threat tactics are changing, and many organizations have a relatively static awareness program that does not reflect this.

Program-Level Data

Finally, the Clearwater team often conducts framework maturity assessments specific to the NIST Cybersecurity Framework (CSF). When assessing cybersecurity programs across healthcare organizations, Clearwater experts found the following top 5 drivers of cyber risk: 

  1. Unpatched, legacy, or unsupported systems
    1. Ineffective vulnerability management programs and the lack of a system development lifecycle.
  2. Lack of system hardening and configuration management
    1. Ineffective practices to protect network-connected devices, especially medical devices.
  3. Lack of network segmentation
    1. Incomplete strategies to minimize the attack surface and segment critical assets and functions.
  4. Inadequate safeguards to protect user identities
    1. Poor user management practices for domain, local admin, and business application accounts.
  5. Missing business impact analysis (BIA) or critical functions
    1. Missing or incomplete BIA that supports the response to and recovery from a cyber-attack.

That BIA may very well be the most important factor in achieving resiliency. You should not only understand who your adversary is and which security weaknesses they like to exploit but also the potential impact of those exploitations. If you don’t understand what your critical functions are and what they do, it’s nearly impossible to exercise appropriate response and recovery strategies.

Decreasing Cyber Risk

Threat actors are educated about healthcare organizations’ security weaknesses, and they’re actively trying to exploit them. Since it generally takes months for an organization to discover that an attacker has infiltrated its network, an adversary could be covertly moving through your systems right now.

So, what can you do to decrease your organization’s risk? Here are six recommendations:

  1. Perform ongoing risk analysis of all information systems at the asset level to identify where gaps exist and create a risk response plan based on risk level.
  2. Consider following NIST SP 800-37 when implementing new systems: categorize the system, select and implement controls, perform risk analysis, and determine authorization to operate/use.
  3. Move from quarterly scans to vulnerability management with ongoing scanning and remediation.
  4. Conduct more sophisticated penetration testing, such as red teaming.
  5. Conduct a security controls validation assessment to test your defenses against specific attack scenarios.
  6. Architect your third-party risk management program such that it creates a tiered approach to assessing vendors based on risk to patient safety.
