Healthcare: five factors behind increased cyber-attacks

Across the world, the healthcare sector faces attacks that are capable of paralysing all, or part, of their information systems. These attacks can have an impact on both administrative and healthcare information systems (patient administration, electronic medical records, for example) and on biomedical information systems (scanners, monitoring, and more). The consequences often lead care providers to fall back on less effective procedures: using paper records, postponing operations, for instance. Ultimately, this can have direct and indirect impacts on patients' health.

‘Technological deficits’ keep the door open to attackers

As with other organisations, attacks on healthcare institutions target weaknesses that are often related to the deterioration of the software and hardware in use, or a failure to update it regularly. The issue is more difficult for institutions to tackle when it comes to biomedical equipment, which is almost universally maintained by manufacturers or software publishers rather than the IT teams of the institutions themselves.

In this case, projects to identify technological deficits, followed by action plans, can be implemented to help reduce cyber risks that expose these institutions.

Covid-19 increased attack vulnerability

Covid-19 presented hackers with a ‘perfect storm’ of opportunities: a rise in telemedicine and an increased reliance on IT resources in a sector that evidently keeps records with valuable personal information, attracting identify theft. According to the Bitglass ‘Healthcare Breach Report 2021’ cyber-attacks in the US increased by 55% in 2020, costing victims of attacks $499 on average - a significant increase from 2019.

These vulnerabilities exploited during the global pandemic were not only costly and compromising to those who fell victim, but they also were not easy to recover from: the average healthcare firm took about 236 days to recover from a breach. The report shows a shifting landscape in cybersecurity, as the sector embraces a cloud-first world, and highlights the need for institutions to leverage their tools and strategies to address the growing threats of malicious actors.

Responding to ransomware

Recent attacks are mostly based on the deployment of ransomware that can cause complete paralysis of the information system. This ransomware is generally distributed in the following way:

1. A malicious code is installed either by using e-mail phishing techniques or by exploiting a vulnerability;
2. The installed code integrates into the system and installs a service that seems legitimate;
3. The information discovered is transferred back to the attacker;
4. The attacker launches the attack.

Detecting and responding to ransomware-type attacks requires the use of specialist tools, fairly similar to antivirus solutions. However, such solutions are not widely used within these institutions. Although these tools alone would not provide complete protection against these attacks, their current absence puts institutions at higher risk.

Awareness and user testing still insufficient

Chief Information Officers (CIOs) and Chief Information Security Officers (CISO) have long been involved in training and cyber risk awareness-raising activities for users in a range of formats, both traditional (intranet notices, e-mails) and through ‘play’, for instance escape games and online games). Still, a large number of institutions do not have the resources to meet ambitious cyber risk training objectives.

Raising awareness is key in order to keep users informed and on track, as they do not always receive timely warnings or know the appropriate practices to adopt. Both training and testing, such as quizzes or phishing simulations, are essential elements to security in promoting user awareness that can be best assessed at all levels of the organisation.

Lastly, there can be no effective training without testing the levels of knowledge or awareness that users acquire. In practice, CIOs and CISOs could implement testing campaigns that resemble the kind of tactic an attacker might use, such as phishing.

Attacks identified after the damage is already done

Is there anything worse for a CIO or CISO than to find out that their institution’s information system is inaccessible or not working? Unfortunately, attacks are often identified after the damage has already been done.

It is important to design or identify information systems able to monitor or prevent attacks or suspicious behaviour wherever possible. There are many solutions on the market that allow proactive identification and alerts. The challenge is then to have an in-house or third-party resource for analysing technical tracks and raising alerts within an appropriate timeframe.

Professional bodies, support groups and authorities are providers of cybersecurity doctrine and best practices, which should be implemented within information systems. This guidance is a valuable aid for decision-makers and CIOs who want to raise the level of security.

Finally, it should be kept in mind that timing is a crucial factor for these cyber threats: the more robust the security, organisational and technical elements, the longer it will take to successfully carry out an attack.

An earlier version of this article appeared on Mazars.fr here