How to win the cybersecurity battle in healthcare

Chris Morales
May 4, 2017

Risky business

There is some startling data in the 2017 Verizon Data Breach Investigation Report. What stood out to me as most concerning is that more breaches occurred in healthcare this year than last year. After reviewing the report, I see three key trends.

  1. The real threat is already inside healthcare networks in the form of privileged access misuse
  2. When healthcare organizations are hit from the outside, it is usually ransomware extorting them for money
  3. The growth in healthcare IoT is overwhelming and dangerous

It’s an insider threat 68% of the time

By default, a lot of people have access to patient medical records. That makes it very easy, and perhaps a bit enticing, for a few of those people to take advantage of the situation.

The Verizon report shows that internal actors are largely responsible for the loss of data. I’m talking about employees who access patient data out of curiosity or to commit identity fraud. Apparently, it is the only industry where this is occurring in such a dramatic volume.

While everyone else is worrying about cyber attacks from someone they’ve never met, cybersecurity professionals in healthcare worry most about the people they talk to in the break room.

Even worse, the motives are a mix of financial gain – patient records are among the most valuable forms of digital personal data – and simple curiosity. The curious want to know what’s going on with others, and the information is there for the taking.
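The access patterns described above (charts opened with no treatment relationship to the patient, a flagged record touched, many charts opened in a few minutes) are exactly what a review of EHR audit logs looks for. The following is an added example, not code from the original post or from Vectra, that runs those three checks over constructed audit lines; the line format, the care-team table, the sensitive-patient list, the user names and the thresholds are all assumed for illustration.

```python
"""Flag curiosity- and fraud-driven record snooping in EHR audit logs.

Constructed example: the audit lines, care-team table and thresholds are
invented for illustration. Real EHR audit exports carry the same fields
(who, when, which patient, what action) under vendor-specific names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit export, one access per line:
# timestamp user role patient action
AUDIT_LOG = """\
2017-04-03T09:02:11 nurse.kim RN P1001 VIEW
2017-04-03T09:04:40 nurse.kim RN P1002 VIEW
2017-04-03T12:15:03 nurse.kim RN P2200 VIEW
2017-04-03T12:16:30 nurse.kim RN P2201 VIEW
2017-04-03T12:17:02 nurse.kim RN P2202 VIEW
2017-04-03T12:17:45 nurse.kim RN P2203 VIEW
2017-04-03T12:18:10 nurse.kim RN P2204 VIEW
2017-04-03T12:18:55 nurse.kim RN P2205 VIEW
2017-04-03T10:30:00 dr.patel MD P1001 VIEW
2017-04-03T10:45:00 dr.patel MD P3001 VIEW
2017-04-03T11:00:00 billing.ray CLERK P1002 EXPORT
"""

# Constructed treatment relationships: which staff legitimately work on
# which chart (derived from encounters and scheduling, not from the log).
CARE_TEAM = {
    "P1001": {"nurse.kim", "dr.patel"},
    "P1002": {"nurse.kim", "billing.ray"},
    "P3001": {"dr.singh"},
}
# Constructed list of charts that always get reviewed when touched:
# staff members, public figures, relatives of staff.
SENSITIVE_PATIENTS = {"P3001"}

# Assumed thresholds; tune against your own per-role baselines.
BURST_WINDOW = timedelta(minutes=5)
BURST_LIMIT = 5   # distinct charts opened by one user inside the window


def parse_audit(text):
    """Turn the whitespace-separated export into dicts, ordered per user."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return sorted(events, key=lambda e: (e["user"], e["ts"]))


def detect_snooping(events):
    """Return (user, patient, reason) tuples for accesses worth a review."""
    alerts = []
    window = defaultdict(list)   # user -> recent (timestamp, patient) pairs
    burst_flagged = set()
    for e in events:
        user, patient, ts = e["user"], e["patient"], e["ts"]
        # Rule 1: no documented treatment relationship with this patient.
        if user not in CARE_TEAM.get(patient, set()):
            alerts.append((user, patient, "no-treatment-relationship"))
        # Rule 2: any touch of a flagged chart is reviewed.
        if patient in SENSITIVE_PATIENTS:
            alerts.append((user, patient, "sensitive-record"))
        # Rule 3: many distinct charts opened inside a short window
        # (the "scrolling through the census" pattern). Fire once per user.
        recent = [(t, p) for t, p in window[user] if ts - t <= BURST_WINDOW]
        recent.append((ts, patient))
        window[user] = recent
        distinct = {p for _, p in recent}
        if len(distinct) >= BURST_LIMIT and user not in burst_flagged:
            burst_flagged.add(user)
            minutes = BURST_WINDOW.seconds // 60
            alerts.append((user, patient,
                           f"burst:{len(distinct)}-charts-in-{minutes}m"))
    return alerts


if __name__ == "__main__":
    for user, patient, reason in detect_snooping(parse_audit(AUDIT_LOG)):
        print(f"{user:12} {patient}  {reason}")
```

The billing clerk's export of P1002 produces no alert because the clerk is on that chart's team; the six charts nurse.kim opens at lunchtime produce both per-access alerts and one burst alert. The treatment-relationship table is the expensive part of this in practice: it has to be built from encounter and scheduling data, and its gaps are where the false positives come from.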

72% of malware is ransomware

When an attack on healthcare comes from an outsider, ransomware is the order of the day, extorting millions of dollars from people and organizations after infecting and encrypting their systems.

Ransomware was a lowly No. 22 on the list of common malware varieties in the 2014 Verizon report. In 2017, it’s No. 5. The number of ransomware incidents increased to 228 in this year’s report, up from 159 in the 2016 report. That tells me it’s easy to do, and more importantly, it works. Good for attackers. Not so good for healthcare.

Love affair with IoT devices

The ongoing proliferation of IoT in the medical industry doesn’t help either. These medical devices are producing an unprecedented volume of data about all of us at an alarming rate, and most people don’t even have a way to track what or where those devices are.

IoT might be the easiest target for attackers. There are lots of devices, no one is watching them and security is nonexistent. We’ve seen recent attacks evolve from logging in with default admin passwords to conscript IoT devices into botnets, to the outright destruction of IoT devices by wiping their storage. Granted, wiped devices can be restored, but the impact is far greater if those devices deliver critical care.

A recurring nightmare

There is a recurring set of challenges based on the feedback we get from our healthcare customers.

  • Lack of cybersecurity personnel – One person can only do so much in a day. Healthcare cybersecurity professionals are tasked to do more than is humanly achievable.
  • Lack of money – Hiring more people is tough because healthcare organizations have lean budgets. They are tasked with finding operational efficiencies and doing more with what they have.
  • Lack of visibility – Lots of IoT devices, coupled with the free flow of patient data in the network, create massive internal blind spots about what’s happening. The biggest threat is in the network, where perimeter security is blind.

Reduce the time to discovery

When you factor in how long it takes to discover a digital breach, it becomes apparent that healthcare is currently losing the battle. It’s not acceptable to find out weeks, months or years after a breach occurs.

I believe the answer lies in 360-degree visibility inside the network, real-time attacker detection, and the prioritization of all detected threats.

However, that answer must address the challenges I mentioned earlier. Here are four ways to get there:

  1. Eliminate the manual, time-consuming work of security analysts
  2. Lower the skills barrier needed to hunt down cyber threats
  3. Consider that everything is connected, which makes for an easy target
  4. Provide visibility inside the network to see attackers and what they’re doing

This is the fundamental approach advocated by a growing number of healthcare organizations. Many are augmenting their security teams with artificial intelligence to automate the hunt for cyber attackers in the network and speed up incident response. It’s a battle that has been won by many healthcare organizations.

What’s healthcare doing?

Ransomware attacks have unique characteristics, such as credential theft to propagate the attack, delayed encryption to infect as many machines as possible, and code that targets servers and user systems.
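Each of the three characteristics just listed leaves a trace that can be watched for before the ransom note appears: stolen credentials show up as one account logging on to many servers in quick succession, the delay shows up as a gap between that fan-out and any file activity, and the encryption phase shows up as one host rewriting many files with a new extension within seconds. The following is an added example, not code from the original post or Vectra's detection logic, that flags the fan-out and the encryption burst over constructed logon and file-share audit lines; the hostnames, account names, line format and thresholds are assumed.

```python
"""Flag two ransomware behaviours: an account fanning out to many hosts
(stolen credentials used to propagate) and a host rewriting many files with
a new extension in seconds (the encryption phase).

Constructed example: every line, host and account below is invented; feed
real network-logon and file-audit events with equivalent fields instead.
"""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. Note the 90-minute gap between the logon fan-out at
# 02:00 and the renames at 03:30, mirroring delayed encryption.
EVENTS = """\
2017-04-10T02:00:01 AUTH user=svc_backup src=WS-042 dst=SRV-FILE01
2017-04-10T02:00:04 AUTH user=svc_backup src=WS-042 dst=SRV-FILE02
2017-04-10T02:00:09 AUTH user=svc_backup src=WS-042 dst=SRV-EHR01
2017-04-10T02:00:12 AUTH user=svc_backup src=WS-042 dst=SRV-PACS01
2017-04-10T02:00:15 AUTH user=svc_backup src=WS-042 dst=SRV-LAB01
2017-04-10T03:30:00 FILE user=svc_backup host=SRV-FILE01 op=RENAME old=q1.xlsx new=q1.xlsx.locked
2017-04-10T03:30:01 FILE user=svc_backup host=SRV-FILE01 op=RENAME old=q2.xlsx new=q2.xlsx.locked
2017-04-10T03:30:01 FILE user=svc_backup host=SRV-FILE01 op=RENAME old=notes.docx new=notes.docx.locked
2017-04-10T03:30:02 FILE user=svc_backup host=SRV-FILE01 op=RENAME old=scan.pdf new=scan.pdf.locked
2017-04-10T03:30:02 FILE user=svc_backup host=SRV-FILE01 op=RENAME old=roster.csv new=roster.csv.locked
2017-04-10T03:30:03 FILE user=svc_backup host=SRV-FILE01 op=RENAME old=budget.xlsx new=budget.xlsx.locked
2017-04-10T08:15:00 AUTH user=nurse.kim src=WS-007 dst=SRV-EHR01
2017-04-10T08:20:00 FILE user=nurse.kim host=SRV-FILE01 op=RENAME old=draft.docx new=draft_final.docx
"""

# Assumed thresholds; a backup account legitimately touching five servers
# a night is exactly the kind of baseline you tune these against.
FANOUT_WINDOW = timedelta(seconds=60)
FANOUT_LIMIT = 4        # distinct hosts one account logs on to in the window
ENCRYPT_WINDOW = timedelta(seconds=30)
ENCRYPT_LIMIT = 5       # extension-changing renames from one (host, user)

LINE = re.compile(r"^(\S+) (AUTH|FILE) (.*)$")


def parse_events(text):
    """Parse 'timestamp KIND key=value ...' lines into dicts, time-ordered."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields.update(ts=datetime.fromisoformat(ts), kind=kind)
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def _recent(seq, now, window):
    """Keep only the (timestamp, value) pairs that fall inside the window."""
    return [(t, v) for t, v in seq if now - t <= window]


def detect_ransomware(events):
    """Return (kind, user, detail) tuples; each rule fires once per subject."""
    alerts = []
    logons = defaultdict(list)    # user -> [(ts, destination host)]
    renames = defaultdict(list)   # (host, user) -> [(ts, new filename)]
    flagged = set()
    for e in events:
        ts, user = e["ts"], e["user"]
        if e["kind"] == "AUTH":
            logons[user] = _recent(logons[user], ts, FANOUT_WINDOW) + [(ts, e["dst"])]
            hosts = {h for _, h in logons[user]}
            if len(hosts) >= FANOUT_LIMIT and ("fanout", user) not in flagged:
                flagged.add(("fanout", user))
                alerts.append(("credential-fanout", user,
                               f"{len(hosts)} hosts from {e['src']}"))
        elif e["kind"] == "FILE" and e["op"] == "RENAME":
            # Only renames that change the extension look like encryption
            # output; "draft.docx -> draft_final.docx" is ordinary editing.
            if os.path.splitext(e["old"])[1] == os.path.splitext(e["new"])[1]:
                continue
            key = (e["host"], user)
            renames[key] = _recent(renames[key], ts, ENCRYPT_WINDOW) + [(ts, e["new"])]
            if len(renames[key]) >= ENCRYPT_LIMIT and ("encrypt", key) not in flagged:
                flagged.add(("encrypt", key))
                alerts.append(("encryption-burst", user,
                               f"{len(renames[key])} renames on {e['host']}"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in detect_ransomware(parse_events(EVENTS)):
        print(f"{kind:18} {user:12} {detail}")
```

The fan-out alert fires at 02:00:12, long before any file is touched, which is the window in which disabling the account actually prevents damage; the encryption-burst alert names the server so the share can be taken offline while the rest are checked. The nurse's rename keeps its extension and is ignored.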

Healthcare is the No. 2 target of ransomware. One recent victim is Greenway Health, an electronic health records firm for the healthcare industry. A few weeks ago, a ransomware attack impacted 400 clients, according to a story in Health Data Management.

The article states that Greenway restored about half its clients to date, with the other half still stuck using manual processes. This is of concern to everyone. Greenway is suffering financial losses and healthcare providers are suffering from a crisis in the quality of care.

By contrast, the chief information security officer at one of our healthcare customers recently told me that “Vectra enabled my security team to detect and stop not one, but three ransomware attacks last year before they caused damage.”

The idea of automating the hunt for cyber attackers in the network and speeding up incident response is catching on in healthcare.

For more information about strengthening cybersecurity in healthcare, download the solution brief, Protecting patient health and privacy from cybercriminals.

About the author

Chris Morales

Chris Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs for Fortune 500 enterprise clients. He has nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles. Christopher is a widely respected expert on cybersecurity issues and technologies and has researched, written and presented numerous information security architecture programs and processes.
