In 2020 alone, the HHS reported 239.4 million attempted cyberattacks. With an average of 816 attempts per endpoint, this is an increase of 9,851% since 2019. As attempts continue increasing in occurrence and sophistication, systems must prepare for future attacks.
Ryan Witt, Industries Solutions and Strategy Leader at Proofpoint, and Gary Gooden, CTSO at Seattle Children’s Hospital, emphasized the need for building a security posture in response to these evolving attacks on the health industry.
According to Witt, ransomware is the “kitchen table” type of conversation. It is holding the health industry’s focus after notable institutions experienced compromised data.
“The reality is, at least what we see from a data standpoint, is ransomware, though hugely impactful when it hits in the way, is something to focus on,” Witt said.
As cybercriminals become more sophisticated, they have begun targeting specific information to achieve their goals. The “nirvana state” of any bad actor organization would be access to credentials, Witt said. With credentials in hand, attackers can decide where to conduct reconnaissance and what to exploit within an institution. Initial access begins with email and phishing attacks.
The primary vector for cyberattacks is email, Gooden explained. A noticeable increase in the health industry began during the pandemic.
According to Gooden, Seattle Children’s has received 114 million corporate emails since June 2019. Of these, 81% were blocked as malicious.
As email phishing grows in sophistication, the techniques for delivering malicious links keep shifting. Witt explained how attack campaigns target specific institutions, positions, and job functions.
“The level of research and due diligence is being taken by the cybercriminal gangs on organizations so that they know how to write an email that will get through the common filters, that will engage you in a conversation, that conversation over time will lead to pieces of the puzzle being dropped into their sort of research or intel gathering on you,” Witt said.
Cybercriminals will not simply ask for login credentials. Instead, by asking for information over time, they build profiles on targets and eventually gain trust with a user. Ultimately, this can lead to asking pivotal questions and successfully extracting passwords and system access which otherwise would not be acquired without building a relationship.
According to Gooden, attackers have a smorgasbord of ways to obtain the credentials they need to compromise systems.
Gooden emphasized that even with Proofpoint blocking 85% of emails, 3-to-5% of truly malicious emails can still get through. Systems should expect this and prepare with a defense structure.
Of all compromised emails that Proofpoint has seen, Witt estimated that 45% revolve around business emails redirecting payment information. While credential scanning is a high priority, attacks also come from various advanced persistent threat groups.
“On a daily basis, we stop roughly 450 million threats per day of all types—email, drive-by, brute force attempts. Everything in between,” Gooden said.
According to Witt, the first step in developing a defensive structure is to distinguish who is at the most risk within the organization. Specific jobs requiring employees to download files, click links, and interact with third-party suppliers are in positions that are likely targets.
As attackers research the type of work employees are responsible for within the organization, it is just as important the organization understands who are potential victims.
Many healthcare institutions are under budget constraints that restrict a gold standard of security posture. Therefore, Witt suggested institutions place security bets for where nefarious activities will most likely occur.
As the largest pediatric research institution in the country, Seattle Children’s embarked on a journey to become a zero-trust shop.
Leading a converged security and infrastructure program, Gooden advised teams to focus on layering the fence, identity, and entities. It is necessary to determine which entities make up the institution. This consists of automating provisioning, separating credentials, and removing local administrative rights. Gooden also explained that institutions need to ensure the endpoint detection service runs continually, 24/7, all year round.
“If you do those things and continue to up-armor that way because it’s really an arms race, then you’ll stay ahead of the curve,” Gooden said.
Because the remote working environment will continue at Seattle Children’s, they will accommodate this by creating hybridized, permanent remote, and permanent on-premise models.
As remote work becomes more integrated, health systems must consider where their data goes, how it is stored, and where its edge lies. With defense mechanisms for potentially compromising email vectors and credential skimming, technology can block and warn of potential threats.
Gooden emphasized that funding is not an issue in this specific environment. Instead, the problem is the speed at which they can implement an immature technology process and mature the people’s side of the business.
Seattle Children’s has a managed service for its security operations center. It utilizes machine learning to automate event correlation speeds further and maintains a security posture of 24/7 end-point management and oversight.
Machine speed can influence the speed at which teams handle potential threats. Gooden explained how much of his time is spent ensuring the right level of engineers are in place to handle exceptions within managed services. With this in mind, there is a continual need to reinforce technology stacks to ensure mature processes that complement the trained people monitoring services.
Isolation technology is mature and readily available, but it is not widely deployed within healthcare. The approach containerizes email traffic, which allows people to interact with it in a safe environment, Witt explained. A containerized environment can limit exfiltrated data, protecting those vulnerable to attacks.
Seattle Children’s uses attacked-people profiles and isolation as part of its security posture. They identify staff who are at greater risk of being targeted, and security staff monitor them in case of a phishing attack.
Regarding phishing attacks, modern technology has helped alleviate the direct onslaught of spam emails. While roughly 85% is filtered out, the remaining 15% of these emails reach inboxes. Of those that get through, only 3-to-5% are malicious in some way. A managed service monitors this small percentage to ensure immediate detection.
According to Gooden, the institution analyzes what happens in these events as they continue to build a better mousetrap.
“At some point, something will get through. It’s a question of not if but when,” he said.
How are phishing scams finding success? According to Witt, a significant amount of phishing attacks point people to legitimate file shares. More than 50% of files and links from phishers come from legitimate sources like SharePoint and Dropbox accounts.
“It’s no longer pointing you to some nefarious server in the middle of Central Europe. It’s pointing you to a legitimate file share that you would expect to go to. And I think that’s a big step change,” he said.
These trends create challenges for staff and security, he explained. When links come from valid sources, they are hard to filter out. According to Witt, phishing scams are becoming increasingly targeted in this way.
Staff handling or accessing finances are also a point of attack. As bad actors target the purse strings of organizations, health systems should opt for additional layers of security controls over these accounts, according to Witt.
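The two points above (phishing links hosted on legitimate file shares, and finance staff as a favored target) explain why a filter that judges a link by its domain alone lets these messages through. The following is an added example, not code from the article, Proofpoint, or Seattle Children’s: a small triage routine that first shows the domain-reputation verdict and then applies context that the domain cannot give (external sender, no prior correspondence, finance-themed subject). The sample messages, the sender allowlist, the hospital domain, the keyword list, and the set of file-share domains are all constructed for the example; SharePoint and Dropbox are the two services the article names, the rest of the list is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed assumptions for the example.
ORG_DOMAIN = "example-hospital.org"
# Legitimate file-sharing services: they cannot be blocklisted, so a
# reputation check passes any link pointing at them.
FILE_SHARE_DOMAINS = {"sharepoint.com", "dropbox.com", "1drv.ms"}
OTHER_REPUTABLE = {"example-hospital.org", "supplier-partner.example"}
# Lure themes tied to the "purse strings" warning in the article.
FINANCE_KEYWORDS = ("payment", "remittance", "invoice", "bank")
# Senders the organisation has corresponded with before (constructed).
KNOWN_SENDERS = {"billing@supplier-partner.example"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages: internal, known supplier, first-contact vendor.
SAMPLE_MESSAGES = [
    {"from": "alice.nurse@example-hospital.org", "subject": "Q3 rota",
     "body": "Updated rota: https://example-hospital.sharepoint.com/:x:/r/sites/ward7/rota.xlsx"},
    {"from": "billing@supplier-partner.example", "subject": "Monthly statement",
     "body": "Statement is here: https://www.dropbox.com/scl/fi/stmt001/statement.pdf"},
    {"from": "accounts@unknown-vendor.example", "subject": "Updated remittance details",
     "body": "Please review the new payment details: https://www.dropbox.com/scl/fi/abc123/remittance.pdf."},
]


def extract_links(text):
    """Return URLs found in the body, with trailing sentence punctuation removed."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(text)]


def link_domain(url):
    """Registrable domain of a URL, approximated as the last two labels.
    A production filter should use the public suffix list instead."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def reputation_only(msg):
    """Legacy verdict: deliver if every link resolves to a reputable domain."""
    for url in extract_links(msg["body"]):
        if link_domain(url) not in FILE_SHARE_DOMAINS | OTHER_REPUTABLE:
            return "review"
    return "deliver"


def context_aware(msg, known_senders):
    """Verdict that weighs who sent the file-share link, not just where it points.
    Returns (verdict, reasons); two or more reasons route the message to review."""
    sender = msg["from"].lower()
    sender_domain = sender.split("@")[-1]
    share_links = [u for u in extract_links(msg["body"])
                   if link_domain(u) in FILE_SHARE_DOMAINS]
    reasons = []
    if share_links and sender_domain != ORG_DOMAIN:
        reasons.append("external sender delivering a file-share link")
        if sender not in known_senders:
            reasons.append("no prior correspondence with this sender")
        if any(k in msg["subject"].lower() for k in FINANCE_KEYWORDS):
            reasons.append("finance-themed subject")
    verdict = "review" if len(reasons) >= 2 else "deliver"
    return verdict, reasons


def run_triage(messages=SAMPLE_MESSAGES, known_senders=KNOWN_SENDERS):
    """Compare both verdicts for each message; returns a list of result dicts."""
    results = []
    for msg in messages:
        verdict, reasons = context_aware(msg, known_senders)
        results.append({"from": msg["from"],
                        "reputation_only": reputation_only(msg),
                        "context_aware": verdict,
                        "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in run_triage():
        print(f"{r['from']:40} reputation={r['reputation_only']:8} "
              f"context={r['context_aware']:8} {r['reasons']}")
```

The third message is the case the article describes: the link lands on a real Dropbox account, so the reputation-only check delivers it, while the context check routes it to review because an unknown external sender is pushing a finance-themed file share. The internal rota and the known supplier's statement both still deliver, which keeps the review queue at the small fraction that a managed service can realistically watch.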
One of the biggest problems, according to Gooden, is cyber threats not being treated as national emergency issues. Just as other natural emergencies bring a FEMA response for extra resources and funding, he explained how cybersecurity needs an equitable program.
Healthcare systems vary in security sophistication levels. Even for baseline levels, funding is necessary for success, which some systems cannot afford, Gooden explained.
“Even if they were to factor in the risk of being compromised, it’s almost easier for them to be compromised, take a hit, and then go and pay because they just can’t afford it,” he said.
According to Witt, there is a direct correlation between the institution’s ability to have the right security posture and the ability to meet its mission, especially in recent ransomware events.
“If you don’t have the right sorts of security posture in place, you cannot, in many cases, provide patient care. You cannot adhere to your patient safety sort of mission statements if you have a compromise,” he said.
Exemplified in a recent significant health system attack, the security stack was inadequate while physical security was available. Whether it was a C-suite misunderstanding or an inability to present information on the threat, Gooden saw this as a situation in which funding could have made the system less easily compromised.
“This is no longer a compliance discussion; it’s not a brand discussion, and it’s not a fine discussion. Yes, those are all part of the equations, [but] it’s a patient safety discussion,” Witt said.