Treating the underlying causes of healthcare’s cyber security symptoms

Australia’s health sector is constantly the target of cyberattacks, and in the first half of 2020, a total of 22 per cent of all Australian data breaches were in the health sector.

Through our own research, we know the real threat is already in healthcare networks in the form of privileged access misuse, the growth in healthcare IoT devices, and that the majority of attacks occur due to underinvestment in security operations or a lack of security awareness by insiders.

The increased number of cyber threats the Australian health sector has encountered in recent months led the federal government to warn that cyber attackers were taking advantage of the COVID-19 pandemic, targeting hospitals, medical services and crisis-response organisations.

The Australian Strategic Policy Institute’s International Cyber Policy Centre recently noted that hospitals are targeted because they are essential services and more likely to pay a ransom to regain control of their network from hackers.

Many people within the healthcare industry have access to patient medical records, making it easy for some to take advantage of that privilege. Internal actors – meaning employees who access patient data with unlawful intent – are largely responsible for healthcare data loss, and healthcare is the only industry where this occurs at such an alarming rate. Indeed, our own research demonstrated that human error and misuse occurred more frequently in the healthcare industry than external threats such as hacking or ransomware.

The threat from vulnerable devices

The ongoing proliferation of the internet of things (IoT) in the medical industry doesn’t help either. These medical devices improve clinical care and outcomes but produce massive volumes of data about every patient, and most healthcare organisations don’t have a way to track those devices, or where they’re connected.

Microsoft Office 365 services, such as Outlook and Teams, are often used by GPs to manage patient care, and although these tools can help ease the workload, they also come with vulnerabilities. Vectra AI’s recent Spotlight Report on Office 365, which looked at four million Microsoft Office 365 users, found that 96% experience lateral movement behaviour which allows hackers to bypass multifactor authentication controls and gain access to an organisation’s confidential data.

Office 365 is an example of a popular platform that is easily targeted by attackers. The potential threat is higher in the health sector, where security is often not seen as a priority, especially over clinical imperatives.

Our research highlighted why there is a compelling reason to take this risk seriously. Across multiple industries, the global cost of account takeovers has been estimated at around $9.5 billion annually. We’ve seen cyberattacks evolve from authenticating through default admin passwords and using IoT for botnets, to the outright destruction of IoT devices by wiping hard drives.

Recurring challenges

There is a recurring set of cyber security challenges the healthcare industry is facing on a daily basis. The lack of security professionals means defensive tasks are regularly rushed or missed, and lean budgets mean it’s hard to fill those skill gaps.

Additionally, there is a real lack of visibility across the industry. Office 365 is an example of where hackers can take over an account and ultimately cause the loss of personal data. A huge number of deployed IoT devices, coupled with the free flow of patient data in the network, creates internal blind spots. And the biggest threat is inside the network, where perimeter security is blind.

With these pressures, and the changing nature of ransomware attacks, traditional defences become ineffective, leaving organisations vulnerable. Identifying specific tools or ransomware used to breach a network no longer works. Entities should instead be monitoring abnormal behaviour on their network.

Curing the problem

When you factor in how long it takes to discover a data breach, it suggests that healthcare is losing the battle against cyber criminals. It’s not acceptable to find out weeks, months or years after a breach occurs, but unfortunately that is what’s happening.

The answer lies in 360-degree visibility inside the network. This includes the need to monitor across the cloud, data centre, IoT devices, and enterprise networks, as well as having the ability to carry out real-time attacker detection while prioritising detected threats so you know where to start. However, to achieve this the health sector will need to automate time-consuming security analysts’ work and provide visibility inside the network to see attackers and identify the compromised hosts.

This fundamental approach is advocated by a growing number of healthcare security professionals. Many of whom are augmenting their security teams with AI-derived machine-learning models to automate the early detection of cyber attackers, speed up incident response, investigate conclusively, and hunt for threats more efficiently, at a speed and scale that traditional methods cannot achieve.

It’s a battle that has been won by many healthcare organisations, but the industry still has work to do to ensure the protection of all of its patients, as well as their data.

Chris Fisher is director of security engineering at Vectra AI, Asia-Pacific/Japan. Chris has over 15 years of cyber security experience from practitioner through to strategic advisor for large organisations. He has a vast experience in SCADA environments working in the mining and energy sectors for a number of years.