A 3-step program to help organizations anticipate hackers’ attacks
Improved governance, an effective security platform and wise use of threat intelligence can give providers a head start in blocking data system incursions.
The threat landscape forecast anticipates more aggressive ransomware attacks and a rise in data exfiltration attempts targeting the healthcare sector.
Already in 2023, the Department of Health and Human Services’ Healthcare Cybersecurity Coordination Center has issued alerts about the rise in Royal and Blackcat ransomware attacks, as well as the Clop ransomware group aggressively targeting the healthcare sector.
This comes at a time when data – the crown jewels of an organization – is everywhere, expanding the attack surface for ransomware and cybercriminals.
Scattered data
Because healthcare organizations don’t really know where all their data is, protecting it can be difficult. They typically focus on protecting electronic medical records systems or other major clinical, business and research applications.
While that’s not a bad plan, the reality is that data is often pulled from production systems, medical devices and other resources into data pools that are used by individual departments to help them make better decisions. Those data pools can be anything from an actual database to a spreadsheet to a shared drive with a collection of standard reports. This creates a multitude of decentralized, undocumented, data crown jewel “fiefdoms.”
As a result, healthcare leaders may not know where all of the data in their organization exists. And honestly, that’s a data management weakness that cyber-thugs are counting on. If organizations don’t have visibility of all their data – if they’re not doing strong data management – they’re likely not protecting that data as well as they should. That makes life way easier for bad guys who want to exfiltrate the data, then repurpose it for sale in dark web online data markets.
Crafting a three-point plan
So what must healthcare organizations do to protect their data from attacks in the current cyber threat landscape?
Create a data governance program. Healthcare data governance should be organization-wide and include interdisciplinary teams consisting of subject matter experts, according to the American Health Information Management Association (AHIMA). “The key purpose of healthcare data governance is to establish an organizational culture that ensures data is secure, reliable and available to those who should have access to it,” AHIMA says.
Deploy a comprehensive security platform. This kind of security structure gives an organization visibility across the entire IT infrastructure, from the data center to cloud workloads to all the endpoints connected to the healthcare organization’s network. The platform also should provide identity protection because credential theft is a primary way for an attacker to gain access to an organization’s network and systems. Moreover, identity protection provides information on gaps in Active Directory (like service-accounts) that attackers might exploit. Endpoint protection can do the same for devices connected to the network.
Employ threat intelligence and threat hunting techniques, tools and services. Cybercriminals and nation-state actors are using sophisticated techniques to move laterally through a network after they gain access. It takes an attacker about one hour and 24 minutes to “break out” of the first computer they compromise and move into a second system in the organization, according to the CrowdStrike 2023 Global Threat Report. And after an adversary breaks out of that first machine, the odds of ransomware or exfiltrating data skyrockets.
As a result, the goal should be to create a security program that detects, investigates, isolates and remediates any intrusions in less than 1 hour and 24 minutes. Security programs should aspire to employ threat intelligence and threat-hunting capabilities that give the team the ability to detect an incident within one minute, investigate the incident within 10 minutes and remediate the problem in 60 minutes. That “1-10-60 standard” – when delivered consistently all day, every day – ensures that an organization can be devastatingly effective against the vast majority of today’s most sophisticated attacks.
Mitigating risk now and beyond
The healthcare industry’s cybersecurity stakes are growing higher everyday as more hospitals and healthcare facilities are targeted by ransomware and other attacks. Those attacks have a real impact on patient safety. Our patients and their families cannot afford to have medical services disrupted. That means that cybersecurity IS patient safety.
With strong data governance, an understanding of the adversary’s capabilities, and a willingness to field a comprehensive platform with cloud, endpoint and identity protections, as well as threat intelligence and threat hunting capabilities, healthcare facilities can mitigate current and emerging risks.
Drex DeFord is the executive healthcare strategist at CrowdStrike; he was CIO at Scripps Health in San Diego, Seattle Children’s Hospital and Steward Healthcare. He is also past chair of the College of Healthcare Information Management Executives and served on the board of directors at HIMSS.