Understanding the Cyber Kill Chain and Impacts on Patient Care Delivery

Bridging the Gap Between Cybersecurity Teams and Clinicians to Deliver Quality Patient Outcomes

Clinicians, along with the IT and cybersecurity teams that support them, are all working toward a common goal: to deliver quality patient care while protecting patients and their data in the process. Still, there’s often a disconnect between what happens in care delivery units and the departments working behind the scenes.

It’s time to change this, as healthcare security breaches continue to make headlines and the ramifications of those breaches reach further into care delivery. Clinicians are learning how cybersecurity weaknesses and failure to follow best practices can lead to fines and downtime, and can even put patient lives at risk.

While that’s a positive step forward, more needs to be done to unify relationships between clinicians and cybersecurity teams to shore up service delivery and improve the quality of the continuum of care.

What can help facilitate that? At a conceptual level, helping clinicians and security teams better understand the cyber kill chain, how it can impact patient care, and how both teams can work together to decrease breach likelihood is a great step in the right direction.

What is the Cyber Kill Chain?

Lockheed Martin introduced the concept of the cyber kill chain by developing a framework to help security practitioners identify and prevent malicious cyber acts. It outlines seven steps threat actors will likely take to achieve their objectives.

To build a better understanding, let’s look at what happens within the cyber kill chain. While attackers may have unique processes or tools, in general, we can see the cyber kill chain evolve as:

  1. Recon: Harvesting data (for example, stealing credentials and port scanning) and identifying targets
  2. Weaponize: Coupling an exploit with a backdoor into a deliverable payload
  3. Deliver: Transmitting the weaponized payload to the victim
  4. Exploit: Triggering a vulnerability to execute code on the target
  5. Install: Installing malware with a backdoor or implant in the victim environment
  6. Command and control: Establishing two-way communications with C2 infrastructure
  7. Actions on objectives: With “hands-on” keyboard access, intruders accomplish their goals
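As an added illustration that is not part of the original article, the following Python snippet tags constructed log events with the phase they indicate and reports how far along the chain each host has progressed, which is where a defender would want to break it. The event names, the log-line format and the host names are all assumptions made for this example.

```python
import re
from collections import defaultdict

# The seven phases in order (1-based stage numbers), as listed above.
PHASES = ["recon", "weaponize", "deliver", "exploit", "install", "c2", "actions"]

# Hypothetical detection rules (assumed event names, not a real product's):
# regex over the event field -> phase. Weaponize happens on the attacker's
# side, so there is no defender-side rule for it.
RULES = [
    (re.compile(r"port_scan|credential_stuffing"), "recon"),
    (re.compile(r"email_attachment"), "deliver"),
    (re.compile(r"macro_execution|exploit_signature"), "exploit"),
    (re.compile(r"new_scheduled_task|new_service"), "install"),
    (re.compile(r"beacon|dns_tunnel"), "c2"),
    (re.compile(r"bulk_ehr_export|ransomware_encrypt"), "actions"),
]

# Constructed log-line format: "<timestamp> host=<name> event=<name> ..."
LINE_RE = re.compile(r"^\S+ host=(?P<host>\S+) event=(?P<event>\S+)")

def tag_event(event):
    """Return the kill-chain phase an event name indicates, or None."""
    for pattern, phase in RULES:
        if pattern.search(event):
            return phase
    return None

def chain_progress(lines):
    """Map each host to the furthest stage (1..7) seen in the log lines,
    so responders can break the chain on the host that is deepest into it."""
    furthest = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        phase = tag_event(m.group("event")) if m else None
        if phase is not None:
            host = m.group("host")
            furthest[host] = max(furthest[host], PHASES.index(phase) + 1)
    return dict(furthest)

# Constructed sample log (not from any real system).
SAMPLE_LOG = [
    "2024-05-01T08:02:11Z host=ct-scanner-01 event=port_scan src=10.1.2.3",
    "2024-05-01T08:03:00Z host=ehr-db-02 event=login_success user=svc_lab",
    "2024-05-01T08:05:40Z host=nurse-ws-07 event=email_attachment file=invoice.docm",
    "2024-05-01T08:06:02Z host=nurse-ws-07 event=macro_execution proc=winword.exe",
    "2024-05-01T08:06:30Z host=nurse-ws-07 event=new_scheduled_task name=updater",
    "2024-05-01T08:07:15Z host=nurse-ws-07 event=beacon dst=198.51.100.7",
]
```

Running `chain_progress(SAMPLE_LOG)` shows the workstation already at stage 6 (command and control) while the scanner has only been reconnoitred, which is the kind of prioritisation a response team needs when a clinical unit is affected.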

Making the Connection to Quality Outcomes

When many healthcare professionals think about quality outcomes, they think about it from the perspective of a patient’s health after a medical event. An example: a patient has a successful surgery that addresses a health issue. It also results in a full recovery and no readmissions.

But what if, at any point in that process, a cyber attacker successfully accessed the patient’s personal health information (PHI)? Is that still a quality outcome?

This likely depends on the extent of the damage done to the patient. If their protected data results in identity theft and damage to their credit score and bank accounts, they’ll likely feel a shadow cast over their entire healthcare experience.

Both sides must consider the impact of cyberattacks and what that means for quality patient care outcomes.

When patients engage with healthcare organizations, they trust them not only to provide care and treatment and deliver positive outcomes but to protect their sensitive data, too. As such, your entire healthcare organization should focus on preventing and mitigating all negative impacts on your patients, including data security.

Healthcare Threat Landscape

The threats to patient data, and thus to your healthcare organization’s ability to deliver quality services, are very real. In 2022, healthcare breaches impacted nearly 50 million patient records.

More than 90% of the Office for Civil Rights breach investigations are classified as hacking incidents.

Not only do healthcare organizations face more threats than before, but the threat landscape is constantly evolving, and attacks are becoming more complex. Given the soft-target nature of healthcare organizations, attackers are incentivized to go after healthcare data. And when a healthcare organization experiences a breach, it’s not just a problem for the security team. It affects everyone at all levels. The consequences are real: from significant fines and penalties to possible service disruption and, even worse, putting patients’ lives at risk.

Cyberattacks have already been tied to increased mortality rates, longer lengths of stay, and delays in care and procedures.

Why do attackers zero in on healthcare?

Because healthcare offers a target-rich environment. What makes it so vulnerable, especially post-pandemic?

  • Digital sprawl
  • Increased use of medical devices
  • Use of apps, social media, text, and email to engage patients
  • IoT
  • Remote work
  • In-person interactions
  • Cloud adoption

All of these changes can negatively impact your organization’s cybersecurity and patient care.

The Continuum of Care

So, knowing that healthcare is constantly under attack, what can you do to defend your organization?

It begins with understanding the bi-directional connection between cybersecurity and quality care delivery, but unfortunately, neither is intuitive to the other.

Many clinicians don’t understand or routinely think about cybersecurity. Some struggle to navigate the confluence of technologies in the patient care environment. Likewise, cybersecurity professionals focus on their own responsibilities, and protecting the organization is often their primary concern.

How does that relate to the continuum of care?

Healthcare providers follow patients through medical events and rehabilitation to deliver a quality outcome, starting with prenatal care and continuing through the end of life and everything in between. Every touchpoint along the way is a potential target for cyber adversaries.

Let’s look at what happens when a stroke patient is seen in an emergency room (ER). The process might look something like this:

  • Ambulance notifies ER and transports patient to the hospital
  • Hospital activates “code stroke” overhead
  • ER physician intercepts EMS and patient at ER entry
  • Stroke tests begin while the nurse draws blood
  • Stat order lab tests and CT scan
  • Neurologist reviews CT scan
  • ER physician and neurologist discuss assessment
  • If there is severe bleeding in the brain, order tPA
  • Pharmacy compounds tPA in real time
  • tPA is administered to the patient
  • Patient goes to Observation or an inpatient room on the neuro unit

What are some security dependencies directly related to this care example?

  • Available resources
  • Communication
  • Telemetry
  • Response times
  • Training to strengthen and support healthcare culture
  • Metrics: Infection control, near misses, adverse events, sharps injuries, etc.

While the focus in this example appears to be patient care, cybersecurity plays an integral role by ensuring the availability, integrity, and confidentiality of patient data and the security of the medical technologies in play.

Specific components of the continuum of care interact with security strategy throughout service delivery. Unfortunately, many healthcare organizations struggle to bridge the gap, even though there are direct correlations between cybersecurity and quality patient care.

Cyber Kill Chain Impact on Service Delivery

Looking at the stroke patient example and related dependencies opens a door to further discuss how cybersecurity affects healthcare delivery.

If an attacker completes the cyber kill chain during any point of that process and successfully takes over a clinical system, it’s likely the provider won’t be able to deliver care, resulting in potential negative patient impacts, including possible mortality.

Strategies to Break the Kill Chain

By closing the security/clinician divide and maturing your organization’s security posture, you can work toward effectively mitigating risk impact and building a proactive identify, detect, respond, and recover strategy.

Here are some other recommendations to help your organization prevent threat actors from executing the cyber kill chain:

  • Conduct ongoing organizational training about social engineering
  • Be intentional with your digital footprint
  • Establish a patching program with accountability
  • Conduct tabletop exercises
  • Ensure adequate protection, given the criticality of the information system or asset
  • Develop and mature your cybersecurity strategy, whether that’s done completely in-house or through a third party
  • Establish partnerships to augment as needed

Would you like to know more about how your organization can unify your security and clinician approaches to deliver better outcomes and protect your patients? Check out our on-demand webinar, “The Continuum of Care and the Cyber Kill Chain,” or reach out to a Clearwater advisor if you have questions.

