A Prescription-Strength Formula for Stronger Cybersecurity in Healthcare Organizations

The following is a guest article by Steven Stone, Head of Rubrik Zero Labs at Rubrik

In early August, a ransomware attack on one healthcare company disrupted operations across its network of 17 hospitals and more than 165 clinics in four states and forced some to rely on paper records. Some emergency rooms were shut down and ambulances diverted after the company took its computer systems offline to protect and restore them.

Again. Here we go again. This is what most of us thought when we read this story. Cyberattacks on healthcare institutions are not only particularly galling, they’re growing. Healthcare organizations were hit with 1,426 attacks per week in 2022, a 60 percent increase over the previous year, according to Check Point Research.

“From small, independent practitioners to large, integrated health systems, cyberattacks on healthcare records, IT systems, and medical devices have infected even the most protected systems,” the federal Cybersecurity and Infrastructure Security Agency says. “Given the increasingly sophisticated and widespread nature of cyberattacks, the healthcare industry must make cybersecurity a priority and make the appropriate investments needed to protect its patients.”

There are some recommendations to that end, but first, let’s unpack why healthcare organizations became such a frequent target and the unique challenges they face in defending themselves.

As much as the world might like to believe that even the most hardened cyber criminals would have enough heart to avoid attacking hospitals and other healthcare organizations, the last few years have proven that a fantasy.

Why? First, many ransomware attackers assume healthcare organizations, given their vital mission, are more likely than those in other industries to give in to their demands. Put simply, ransomware attackers can apply more psychological pressure and cause more disruption. Second, and an even bigger factor, is that healthcare organizations manage a treasure trove of data irresistible to hackers. Let's not forget that intrusions are always about the data; ransomware is no different.

“Healthcare organizations are particularly vulnerable and targeted by cyberattacks because they possess so much information of high monetary and intelligence value to cyber thieves and nation-state actors,” according to the American Hospital Association.

Stolen data such as patients' confidential health records, financial information like credit card and bank account numbers, and other personal information such as Social Security numbers may sell for up to 10 times or more than what stolen credit card numbers fetch on the dark web, the AHA says.

Not only is the quality of data high, so is the quantity. A recent Rubrik study found that the typical healthcare environment contains 280 terabytes of back-end data of all kinds, nearly 17 percent more than environments in other industries. And when it comes to sensitive data, healthcare trails only financial services in volume.

Complicating matters further, healthcare organizations have huge, complex, diverse computing infrastructures. Included are electronic health records and various other types of specialized information systems for practice management, clinical decision support, radiology information, and prescriptions.

On top of those systems, there are thousands of wireless devices such as remote patient monitors, alert systems, scanners, and infusion pumps.

All of this presents an unusually large and broad attack surface for cybercriminals. The conglomeration of so many different, often heavily customized systems (which may or may not have been built with security in mind) is much harder to protect than, say, an enterprise that effortlessly updates a few thousand laptops on Patch Tuesday.

So, what should healthcare organizations be doing? Along with preventative measures aimed at fending off attacks, they should assume attacks will inevitably occur and focus on resilience. A resilience approach asks questions such as: How will we respond to a breach and quickly recover? How can we maintain operations even in the event of recurring attacks? How can we make resilience the core philosophy of our security strategy and execution?

This is the right track for every industry, but especially so for healthcare. Here are three specific recommendations.

Have a Clear View of the Data Landscape

This is particularly challenging for healthcare organizations because of their tricky infrastructures. Nevertheless, it is critical to have visibility into what data is most sensitive and where it resides.

That may sound obvious, but it's easy for healthcare organizations to overcorrect in other areas like compliance. For example, in their attempts to delineate and identify the data they consider most sensitive, they may zero in on HIPAA records to satisfy government regulations. Compliance is important, but it constitutes the floor, not the ceiling, of data security.

The lesson: Make resilience the centerpiece of the organization’s cyber strategy, and, in executing that, begin at the beginning: Figure out what the most important and sensitive data is and where it lives.

Consolidate Key Data

Healthcare organizations are apt to discover that it’s too time-consuming, expensive, and ultimately ineffective to try to secure all their data scattered over so many parts of their disparate infrastructure. For technical and business reasons, organizations need to be careful not to spread themselves too thin.

Instead, it makes more sense to consolidate the most critical data into fewer places within the enterprise. That makes securing data to the highest standards much easier and more effective. It also allows for effective prioritization during intrusions.

Adopt a Best Practices Mindset

I’d like to double-click on a point I touched on in my first recommendation, about the need for healthcare organizations to think beyond the bare minimum of satisfying government regulations.

Regulatory compliance is and likely always will be core to the mission. But healthcare organizations can’t let that distract them from higher-level work – the execution of cutting-edge cybersecurity policies and practices tailored to the industry’s unique realities and requirements.

Fortunately, healthcare by and large has excellent cybersecurity talent with a solid understanding of the industry’s nuances and is in a good position to tackle the important work ahead.

The recent attack is just the latest to show that cybercriminals won’t stop targeting healthcare organizations anytime soon. In fact, I bet by the time this article is printed there will be a newer, more impactful event. That’s plain reality. As my three recommendations show, healthcare organizations have the power to meet that reality with proactivity and innovation.
