Penetration Testers Offer Real-World Advice About Threats, Securing Your Healthcare Organization

Today’s modern threat landscape is constantly evolving. Determined, opportunistic, and well-resourced threat actors continue to develop tools, tactics and techniques aimed at gaining access to systems, stealing data, and/or installing ransomware.  And unfortunately for healthcare organizations, their industry has become one of the most targeted due to the value of the data they possess and the importance of the services they provide.

The doggedness and ingenuity of these threat actors can be difficult to defend against. For many security teams, countering the level of persistent threats they face is simply beyond their capacity. Many threat actors have significant resources and are highly motivated to achieve their goals, whether that is to obtain your organization’s proprietary data or to hold your data for ransom. The challenges faced by healthcare organizations are overwhelming and show no sign of slowing.

As your organization develops products and services to better serve your patients and communities, it is inevitable that vulnerabilities will be introduced.  For some organizations, the vulnerabilities are introduced inadvertently by their own development teams, and for others, they are introduced as the result of using third-party software.

The risk associated with the increased attack surface applies to interconnected healthcare organizations and their business associates, such as hospital systems, research institutes, physician management groups, private practices, and other emerging medical conglomerates. Smaller organizations are also at risk, as they often have even fewer IT staff to evaluate software and implement secure protocols.  Regardless of your organization’s size and scope, it’s critically important that best practices are followed and that regular vulnerability assessments are performed.

Attacks on healthcare entities have increased in frequency and severity.  Since 2019, there has been a 62% increase in ransomware attacks, with threat actors increasingly focused on healthcare entities.  The criminal groups conducting the ransomware operations understand that healthcare entities possess sensitive and valuable data, and that the data is critical to their operation and survival.   While it can be difficult to recover from breaches of any kind, ransomware is particularly insidious and organizations are left with few good options once their data has been encrypted.

Organizations may choose to pay heavy ransom fees in order to retrieve the decryption keys for their encrypted data.   The amount demanded by ransomware gangs may not be trivial.  Ransom demands have ranged from tens of thousands to tens of millions of dollars, depending on the size of the organization.  This is in addition to the other recovery costs, legal fees, and potential fines or penalties.

Other organizations may decide not to pay the ransom, opting instead to rebuild their infrastructure from the ground up.  For most organizations, this option could result in complete ruin as their data is likely critical to their value and the services they provide.

The reality is that most organizations don’t have the capacity to handle a ransomware attack and the effects it has on their business. This underscores the importance of engaging in proper vulnerability assessments, penetration testing, and incident response and recovery planning in an effort to reduce the likelihood of a breach.

The term Advanced Persistent Threats (APTs) refers to highly skilled and well-resourced threat actors who are typically working in the service of a nation-state.  These groups are capable of running stealthy and lengthy campaigns against targets who possess data or information their nation has deemed valuable.

In recent years, APT groups have targeted organizations that develop medical technologies, conduct medical research, or store sensitive ePHI. Whether the operations take place in order to gain a competitive technological advantage over American healthcare technology companies, or to gain access to the ePHI of specific targeted individuals, the result is a threatening environment in which healthcare organizations are susceptible to attack.

Since the outbreak of the coronavirus pandemic in 2020, the threat landscape has also expanded due to the sudden shift to organizations allowing remote work.  Unfortunately, when the shift to remote work occurred, many organizations had yet to develop the policies and protocols necessary in order to securely manage the infrastructure for large teams of remote workers.  The result has been that organizations’ shifting use of technology has outpaced their ability to protect it, leading to increased exposure and likelihood of attacks.

VPNs, for example, are increasingly used by organizations to allow remote workers to access internal resources.  Threat actors are aware of this and expend significant resources attempting to find previously unknown vulnerabilities, or “zero-days”, in commonly used VPN software.

Additionally, the increase in remote work has resulted in an expansion of the organization’s network perimeter. If an organization did not develop acceptable use policies prior to the shift to remote work, enforced by monitoring software on remote employees’ laptops, then an entirely new set of concerns arises, as it becomes more difficult to account for activity taking place on company devices. This can, and sometimes does, result in the compromise of endpoint devices, and through them the compromise of internal network resources.

One missed patch cycle, or a decision to delay an update, can leave vulnerable critical software exposed. Threat actors spend countless hours and resources looking for vulnerabilities in commonly used software.

One of the most critical areas for healthcare entities to focus on is their patch management.  Organizations must ensure that regular and out-of-cycle updates are implemented.  While threat actors look for new ways to infiltrate systems, they also use tried-and-true vectors such as exploiting missing patches or out-of-date software.

During a recent Clearwater webinar, “Getting Technical: Point of View from the Penetration Testers,” two of our penetration testing experts, Jason Yorty and Chris Dowhan, explained that unpatched software is one of the most common findings when performing pen testing.  It is not uncommon to find systems that haven’t been patched in several years.

Organizations must also consider how to design and implement strong password policies.  This should not be limited to directing users to choose a password of a minimum length.  Organizations should also help train their workforce to appropriately store and rotate passwords.  This should include the use of a password manager which stores users’ credentials in an encrypted database protected by a master password.

So how can you protect your healthcare entity against these increasing attacks? Here are a few tips.

If you haven’t already, implement multi-factor authentication (MFA) for all of your assets and systems. This makes it more challenging for attackers to access your systems, unless they have managed to steal an enrolled device, MFA isn’t enabled on the system in question, or they can trick an employee into approving the authentication request.

Inventory all of your web-facing assets and remove anything that is not needed and/or not approved. Once inventoried, ensure that all SSL/TLS certificates are current and valid, and that servers are configured to accept only TLS 1.2 and above.
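As an added example (not Clearwater’s own tooling and not code from the webinar), the following Python script audits an inventory of web-facing hosts the way the paragraph above describes: it connects with a validating TLS context that refuses anything below TLS 1.2, then checks the presented certificate for expiry, an upcoming expiry, and a hostname match. The hostnames and the sample certificate dict are constructed placeholders.

```python
"""Audit web-facing assets for certificate validity and a TLS 1.2+ floor (added example)."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # flag certificates that expire within this window

# Constructed sample in the shape SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Mar 10 00:00:00 2025 GMT",
}

def _utc(cert_time: str) -> datetime:
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def cert_findings(cert: dict, hostname: str, as_of: str = "") -> list:
    """Return a list of problems with a getpeercert()-style dict; empty means it passes.
    as_of is an ISO date (YYYY-MM-DD) for reproducible audits; empty means now."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc) if as_of else datetime.now(timezone.utc)
    findings = []
    if now < _utc(cert["notBefore"]):
        findings.append("certificate not yet valid")
    if now >= _utc(cert["notAfter"]):
        findings.append("certificate expired")
    elif now + timedelta(days=WARN_DAYS) >= _utc(cert["notAfter"]):
        findings.append(f"certificate expires within {WARN_DAYS} days")
    # The host must match a DNS subjectAltName exactly or via a single-label wildcard.
    host, labels = hostname.lower(), hostname.lower().split(".")
    parent = ".".join(labels[1:])
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(n == host or (n.startswith("*.") and len(labels) > 2 and n[2:] == parent) for n in sans):
        findings.append("hostname not in subjectAltName")
    return findings

def probe(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to a live asset with a validating context and a TLS 1.2 floor, then audit its cert."""
    ctx = ssl.create_default_context()  # validates the chain against the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # handshake fails if only TLS 1.0/1.1 is offered
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return {"host": hostname, "tls": tls.version(), "findings": cert_findings(tls.getpeercert(), hostname)}
    except (ssl.SSLError, OSError) as exc:  # expired cert, bad chain, old TLS or unreachable host land here
        return {"host": hostname, "tls": None, "findings": [f"handshake failed: {exc}"]}

if __name__ == "__main__":
    for asset in ("www.example.com",):  # replace with your inventory of web-facing hosts
        print(probe(asset))
```

Any host whose result carries a non-empty findings list, or a `None` TLS version, is a candidate for remediation or removal from the inventory.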

Organizations should be sure to implement a form of Endpoint Detection and Response (EDR) in order to detect, protect against, and respond to malicious activity on networked devices. This provides visibility into activity on devices within the network and can alert an organization’s security team to anomalous or malicious behavior.

We recommend hardening employee endpoints and web-facing assets with:

  • Patching and updates
  • Software installation restrictions
  • Minimized local administrator rights
  • Full disk encryption
  • No shared passwords and no default passwords
  • User awareness training about phishing, common scams, and other dangers of remote work such as using public Wi-Fi, cloud-based file sharing, and cloud storage

Earlier we mentioned potential attack vectors from VPN usage. You can help secure your VPN endpoints by implementing source IP allow lists. This ensures that only traffic from designated IP addresses can reach the VPN endpoint. However, it’s important to note that employees working remotely may have dynamic IP addresses that are periodically rotated, which makes this approach difficult to implement.

In 2020, 22% of all breaches involved phishing emails.  Unsurprisingly, 85% of organizations say their employees have received phishing emails.  As a result, many organizations choose to hire penetration testers to conduct simulated phishing campaigns as a part of workforce security assessments.  Building awareness can help reduce the risk of your organization being breached as a result of targeted or opportunistic phishing campaigns.

Strengthening your organization’s security posture will take time, planning, and resources. As you have just read, and are likely already aware, effective healthcare cybersecurity isn’t about one single defensive step or some magically powerful piece of software.

Enhancing your organization’s security posture involves undergoing thoughtful evaluation of your organization’s systems, policies, procedures, and contingency plans.  Once those components have been developed, they must be tested, re-evaluated, and then tested again.

Here at Clearwater, we are here to help you through the security lifecycle, whether through risk analysis or technical testing.
