There is some startling data in the 2017 Verizon Data Breach Investigations Report. What stood out to me as most concerning is that more breaches occurred in healthcare this year than last year. After reviewing the report, I see three key trends:
The real threat is already inside healthcare networks in the form of privileged access misuse
When healthcare organizations are hit from the outside, it is usually ransomware extorting them for money
The growth in healthcare IoT is overwhelming and dangerous
It’s an insider threat 68% of the time
By default, a lot of people have access to patient medical records. This only makes it very easy, and perhaps a bit enticing, for a few of those people to take advantage of the situation.
The Verizon report shows that internal actors are largely responsible for the loss of data. I’m talking about employees who access patient data out of curiosity or to commit identity fraud. Apparently, healthcare is the only industry where this is occurring in such a dramatic volume.
While everyone else is worrying about cyber attacks from someone they’ve never met, cybersecurity professionals in healthcare worry most about the people they talk to in the break room.
Even worse, it seems to be a bit of a mix between financial gain – patient records are the most valuable form of digital personal data – and simple curiosity. The curious want to know what’s going on with others and the information is there for the taking.
72% of malware is ransomware
When an attack on healthcare comes from an outsider, ransomware is the order of the day, extorting millions of dollars from people and organizations after infecting and encrypting their systems.
Ransomware was a lowly 22 on the list of common malware in the 2014 Verizon report. In 2017, it’s No. 5. The number of ransomware incidents increased to 228 in this year’s report, up from 159 in the 2016 report. That tells me it’s easy to do, and more importantly, it works. Good for attackers. Not so good for healthcare.
Love affair with IoT devices
The ongoing proliferation of IoT in the medical industry doesn’t help either. These medical devices are producing an unprecedented volume of data about all of us at an alarming rate, and most people don’t even have a way to track what or where those devices are.
IoT might be the easiest target for attackers. There are lots of them, no one is watching and security is nonexistent. We’ve seen recent attacks evolve from authenticating through default admin passwords and using IoT for botnets to the outright destruction of IoT devices by wiping their drives. Granted, wiped devices can be restored, but the impact is far greater if those devices deliver critical care.
A recurring nightmare
There is a recurring set of challenges based on the feedback we get from our healthcare customers.
Lack of cybersecurity personnel – One person can only do so much in a day. Healthcare cybersecurity professionals are tasked to do more than is humanly achievable.
Lack of money – Hiring more people is tough because healthcare organizations have lean budgets. They are tasked with finding operational efficiencies and doing more with what they have.
Lack of visibility – Lots of IoT devices, coupled with the free flow of patient data in the network, create massive internal blind spots about what’s happening. The biggest threat is in the network, where perimeter security is blind.
Reduce the time to discovery
When you factor in how long it takes to discover a digital breach, it becomes apparent that healthcare is currently losing the battle. It’s not acceptable to find out weeks, months or years after a breach occurs.
I believe the answer lies in 360-degree visibility inside the network, real-time attacker detection, and the prioritization of all detected threats.
However, that answer must address the challenges I mentioned earlier. Here are four ways to get there:
Eliminate the manual, time-consuming work of security analysts
Lower the skills barrier needed to hunt down cyber threats
Consider that everything is connected, which makes for an easy target
Provide visibility inside the network to see attackers and what they’re doing
This is the fundamental approach advocated by a growing number of healthcare organizations. Many are augmenting their security teams with artificial intelligence to automate the hunt for cyber attackers in the network and speed up incident response. It’s a battle that has been won by many healthcare organizations.
What’s healthcare doing?
Ransomware attacks have unique characteristics, such as credential theft to propagate the attack, delayed encryption to infect as many machines as possible, and code that targets servers and user systems.
Healthcare is the No. 2 target of ransomware. One recent victim is Greenway Health, an electronic health records firm for the healthcare industry. A few weeks ago, a ransomware attack impacted 400 clients, according to a story in Health Data Management.
The article states that Greenway restored about half its clients to date, with the other half still stuck using manual processes. This is of concern to everyone. Greenway is suffering financial losses and healthcare providers are suffering from a crisis in the quality of care.
Ironically, the chief information security officer at one of our healthcare customers recently told me that “Vectra enabled my security team to detect and stop not one, but three ransomware attacks last year before they caused damage.”
The idea of automating the hunt for cyber attackers in the network and speeding up incident response is catching on in healthcare.