The Business Times

Cybersecurity critical in cyber criminals' top target: healthcare sector

Published Tue, Aug 17, 2021 · 05:50 AM

THROUGHOUT the pandemic, a wave of ransomware attacks disrupted operations in healthcare organisations around the world. Cyber threat actors have been capitalising on the uncertainty and disruption caused by Covid-19 to conduct malicious cyber activities.

In recent months, cyber threat actors have also been attracted by the valuable research data and intellectual property relating to vaccines, treatments and testing of Covid-19 developed and held by healthcare organisations. As frontline workers fought to keep patients alive, many documented records by hand and struggled to deliver effective care in the absence of electronic patient health information (ePHI) and lifesaving, Internet-connected medical equipment.

The healthcare industry continues to be a prime target for cyber criminals as hospitals cannot afford downtime, and the need to access health records and computer systems creates urgency that increases the likelihood that victims will pay their extortionists. This incident highlighted the threats of ransomware attacks which can completely shut down business processes for weeks, and can have tremendous impact. Locally, the Cyber Security Agency of Singapore (CSA) received 89 reports of ransomware cases in 2020, marking a 154 per cent rise from the 35 cases reported in 2019. The cases included sectors from the healthcare industry.

This year, local Singapore private healthcare training provider HMI Institute of Health Sciences was fined a hefty S$35,000 for failing to provide adequate security arrangements to protect personal data stored in its server. The data breach affected more than 110,000 people including some 250 employees.

Interconnected healthcare systems: highly vulnerable targets

As more healthcare organisations in Singapore go beyond digitisation to narrow their focus on innovation, it has become more critical for them to build a strong digital foundation underpinned by security and compliance. Healthcare data has long been an attractive target for attackers. Hospitals and other private healthcare organisations routinely store ePHI records, which include Personally Identifiable Information (PII). These records must be compliant with many regulations and standards such as Singapore's Personal Data Protection Act (PDPA).

Yet, due to widespread resource constraints and legacy system limitations, many health records are stored without proper security protections. Moreover, unlike other industries, healthcare organisations cannot delete patient records after specified periods of time; these records must remain accessible forever.

Attackers are not stopping at commandeering these critical computers and servers. They are also increasingly reaching for medical IoT devices. For example, the WannaCry ransomware attack infected 1,200 diagnostic devices in 2017, and many more were taken offline to stop the spread.

Increasing ePHI, computer system and IoT device interconnectivity is helping providers transform the way they deliver care, but it is also adding even more challenges to the growing list of cybersecurity concerns.

Whether politically or financially motivated, attackers understand that in the business of life and death, healthcare organisations simply cannot afford to negotiate for days or weeks while their systems are held hostage. However, even when organisations pay the ransom, there is no guarantee that healthcare systems will be restored - or that the attackers won't come back for more.

Operator-based ransomware and double-extortion demands on the rise

Ransomware attacks begin by exploiting configuration gaps and access vulnerabilities to deliver malware. These are often accomplished by using ransomware-as-a-service kits (ready to use and easy to find on the dark Web) to infect unpatched systems using common phishing techniques, drive-by malware downloads, known public exploits or brute-force credential theft.

Yet over the past several months, there has been a significant rise in operator-based ransomware attacks that look a lot different than these opportunistic "spray and pray" attempts.

Operator-based ransomware attacks are executed by highly skilled threat actors who can target - and react to - the specific attack surfaces of a specific organisation. In many cases, these attackers operate in stealth mode for extended periods of time. Unfortunately, it is no secret that in the healthcare industry, working as a privileged user who is authorised to access sensitive data (for example, a doctor making his rounds with a tablet that can access numerous patients' medical records) or allowing a third-party vendor (for example, an insurance company or medical equipment supplier) to access a privileged system is all too common.

The attackers' next objective is to harvest credentials such as passwords for even higher privilege escalation and lateral movement, looking for valuable data to extort.

During their attacks, ransomware threat actors look for ways to disrupt backups stealthily, delete shadow copies and unlock files to maximise their impact. In many virtual hostage situations, attackers will not only demand a ransom payment for decrypting target data but also threaten to leak it unless an additional payment is made.

Staying ahead of ransomware attacks

As ransomware attacks become more sophisticated and highly targeted, healthcare organisations recognise the need to proactively ramp up their security posture to protect critical infrastructure and preserve patient care and trust.

Local data protection guidelines such as Singapore's Personal Data Protection Act (PDPA) provide prescriptive recommendations to help strengthen defences - and they echo the importance of identity restrictions as the core foundation for a modern cybersecurity programme based on Zero Trust.

By "trusting nothing completely and verifying everything systematically", organisations work to stop identity and privilege abuse at critical points in the attack chain. As a result, threats can be found and stopped before they do harm. Once these controls are in place, healthcare organisations can focus on enhancing cybersecurity awareness and skills training, revisiting digital security fundamentals and hardening and backing up critical hospital systems to protect against future attacks.

  • The writer is senior vice-president for Asia-Pacific and Japan at CyberArk
