The Sizable Risk of Cyber Well-being in Healthcare

June 30, 2020
Vectra AI Security Research team

Squarely at the forefront of the COVID-19 pandemic, healthcare professionals tasked with defending our well-being have been working relentlessly to take care of us. But how has the healthcare industry been doing against targeted cyberattacks during this crucial time? Is cybersecurity in healthcare better, worse or the same as it was before 2020?

There were early indicators of security concerns as the pandemic escalated globally. Specific to the healthcare industry, the World Health Organization (WHO) in March reported a fivefold increase in phishing and ransomware attacks. The WHO also called attention to compromised external databases and user accounts that could unknowingly be used against healthcare workers.

To assess the situation, Vectra studied data collected from January to May 2020 from its opt-in healthcare customers. Upon examining the Cognito Network Detection and Response platform in healthcare network deployments, Vectra found that the attack landscape did not change much compared to 2019.

The attack surface is growing

Nonetheless, the attack surface is pivoting and scaling to considerable proportions. Attackers go after data wherever it is stored. In healthcare, that data is migrating to the cloud at an accelerated rate due to the increase in telemedicine and new remote work requirements prompted by the spread of COVID-19.

Vectra investigated network behaviors that are consistent with threats across the entire cyberattack lifecycle—botnet monetization, command and control, internal reconnaissance, lateral movement, and data exfiltration. These behaviors were largely from cloud migration activities and not attackers.

  • Europe, the Middle East, and Africa (EMEA) as well as North America show an uptick in the volume of external data movement, known as exfiltration. This is consistent with cloud migration.
  • Smash-and-grab behavior, which occurs when medical IoT devices send large volumes of data to a hosted cloud site, has increased significantly.
  • Data smuggler activity also increased. This was likely caused by immense volumes of patient medical records migrating to cloud storage.
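The three behaviors above share one trait: a large volume of data leaving the internal network for an external host. The detection logic below is an added illustration, not Vectra's code, of how a defender can surface such transfers from flow records and separate sanctioned cloud migration from transfers that need investigation. The flow records, the medical IoT subnet, the sanctioned cloud range and the 500 MB threshold are all constructed assumptions for this example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: (source IP, destination IP, bytes sent). Not real data.
FLOWS = [
    ("10.20.5.7", "203.0.113.10", 300_000_000),   # device gateway -> sanctioned cloud storage
    ("10.20.5.7", "203.0.113.10", 350_000_000),   # second chunk of the same migration
    ("10.20.5.9", "198.51.100.23", 700_000_000),  # imaging device -> unknown external host
    ("10.20.5.9", "10.20.1.1", 900_000_000),      # internal transfer, not external movement
    ("10.30.1.4", "198.51.100.23", 800_000_000),  # workstation outside the IoT subnet
    ("10.20.5.11", "198.51.100.5", 1_000_000),    # small transfer, below threshold
]

# Assumptions for this example: where the medical IoT devices live, which ranges are
# internal, which cloud range the migration project sanctioned, and what "large" means.
MEDICAL_IOT_SUBNET = ip_network("10.20.0.0/16")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
SANCTIONED_CLOUD = [ip_network("203.0.113.0/24")]
LARGE_TRANSFER_BYTES = 500_000_000  # 500 MB per source/destination pair

def is_external(ip):
    """An address is external if it falls outside every internal range."""
    return not any(ip in net for net in INTERNAL_NETS)

def aggregate_external_volume(flows):
    """Sum bytes per (IoT source, external destination) pair; ignore everything else."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if ip_address(src) in MEDICAL_IOT_SUBNET and is_external(ip_address(dst)):
            totals[(src, dst)] += nbytes
    return totals

def classify_large_transfers(flows):
    """Flag high-volume external movement and label sanctioned cloud migration separately."""
    findings = []
    for (src, dst), total in sorted(aggregate_external_volume(flows).items()):
        if total < LARGE_TRANSFER_BYTES:
            continue
        sanctioned = any(ip_address(dst) in net for net in SANCTIONED_CLOUD)
        verdict = ("sanctioned cloud migration" if sanctioned
                   else "unsanctioned external transfer: investigate")
        findings.append({"src": src, "dst": dst, "bytes": total, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in classify_large_transfers(FLOWS):
        print(finding)
```

Without the sanctioned-destination list, every large migration would look like exfiltration, which is the triage burden the post describes; maintaining that list is the policy work the cloud shift demands.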

In 2019, Vectra reported a spreading attack surface of medical IoT devices used for patient care and introduced by healthcare professionals without the knowledge of IT. In 2020, Vectra found that remote access behaviors persisted from medical IoT devices, which creates a new layer of risk as medical data leaves internal healthcare networks to improperly secured cloud services.

Warning of a possible cyberpandemic

Healthcare’s shift to the cloud is not new. However, COVID-19 has accelerated the roadmap for cloud adoption faster than most organizations can ensure a secure transition of data to cloud services. This leaves healthcare security teams in a reactive mode as they try to identify new vulnerabilities and stop new threats, rather than staying proactive to head off the spread of potential attacks.

The healthcare attack surface of unmanaged medical IoT devices is now compounded with an attack surface of unmanaged cloud services. This is incredibly risky and represents a future cyberpandemic just waiting to happen.

In the current climate, the need for immediate response outweighs the normal policy oversight to ensure secure data-handling processes. Healthcare operations involve never-ending challenges to balance security and policy enforcement with usability and efficiency.

Healthcare security organizations will very likely struggle to balance the need for availability of patient information against the policies and controls required for securing and protecting that data in the cloud.

To learn more and see the insights found through Vectra research, read the 2020 Vectra Spotlight Report on Healthcare.