Cyberwarfare against health systems: The nation-state threat
Photo: Andrew Hollister
While criminal organizations and chaos actors are responsible for a substantial percentage of the constant cyberattacks on provider organizations’ data and information systems, another growing threat comes from nation-state perpetrators.
Earlier this year, for instance, as Russia’s war on Ukraine began, the American Hospital Association issued a warning to hospitals and health systems to remain vigilant against cyberattacks as the conflict escalated.
On July 6, the Cybersecurity and Infrastructure Security Agency along with the FBI and the Department of the Treasury issued an alert about North Korea-sponsored hackers who had been targeting the healthcare and public health sector in the U.S. for more than a year.
And the U.S. Cybersecurity and Infrastructure Agency issued an alert – among many others in recent years – in November 2021 highlighting malicious activity from an advanced persistent threat group associated with the government of Iran.
Hospitals and health systems must prepare for the potential of powerful nation-state attacks. There are many preventative measures healthcare organizations can implement, such as having visibility into an organization’s exposure to cyber risks to enable appropriate response, remediation and informed decision making.
Andrew Hollister is chief security officer at security information and event management technology vendor LogRhythm and vice president at LogRhythm Labs. We interviewed him to get his perspective on nation-state cyberattacks and learn some best practices that CIOs, CISOs and other IT and infosec leaders can put into place.
Q. How would you describe the climate today for nation-state cyberattacks against targets in the United States?
A. As evidenced by both the volume of attacks reported in the press, as well as the initiatives being taken by various agencies within the U.S. government, the climate for cyberattacks, unfortunately, continues to be very favorable.
Historically we have used the fact that a cyberattack occasionally made an appearance in mainstream media as a signal that a threshold had been crossed, or that something of particularly virulent or pernicious nature had been released. However, today we see cyberattacks in the mainstream media almost every day, which gives us an indication of the alarming state of the current threat landscape.
Furthermore, we see U.S. government agencies releasing guidance, and indeed the president himself signing an executive order explicitly intended to improve the country’s cybersecurity and protect federal networks.
The order recognized the “persistent and increasingly sophisticated campaigns” that threaten both the private and public sector, further stating that “prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security.”
No one should be in any doubt that the digital assets of every organization are at risk, whether directly targeted by a state actor, or as so-called collateral damage in a broader cyberattack. Some attackers are more indiscriminate in their targeting. For example, WannaCry probably wasn’t directly targeted at the UK Health service; however, the service was vulnerable and the attack resulted in a significant impact.
Q. Why would nation-state attackers prioritize U.S. healthcare provider organizations as targets?
A. There are two primary reasons why nation-state attackers might target U.S. healthcare providers but let me first say that nation-state attacks in itself is a broad term. It covers both direct action by a nation-state, but also by criminal actors who are either tacitly approved or simply protected by the nation-state.
This is where the confusion comes in. A state might be interested in gaining technological advantage, sowing disruption or confusion, or direct interference in the target country, whilst a criminal gang ultimately is likely to come down to financial profit when all is said and done.
One of the major reasons why healthcare is such a target is due to the unique and complex nature of those environments. Healthcare providers may hold vast amounts of personal information, payment information, as well as medical research.
Additionally, they may run on multiple physical locations or even campuses and operate both corporate networks as well as healthcare-specific devices, some of which may be connected to people. Complexity is the enemy of security, in which simply gaining an overall picture of the assets and their risk posture is a significant task, and that’s before considering the data that is held by the organization.
Over the course of the last couple of years, we have also seen an increase in smaller healthcare organizations falling prey to cyberattacks. There may be a combination of reasons behind this, but certainly budget and expertise are likely the key factors here.
A small organization may not have the resources to invest in cybersecurity and lack the in-house expertise to understand where its major risks are. It’s certainly not an easy decision to make when your budget is constrained, and you have to choose between direct patient services and investing more in cybersecurity.
However, given the current threat landscape, cybersecurity must remain a priority for all organizations.
Q. How should U.S. healthcare provider organizations prepare for attacks from nation-states?
A. Everything starts with understanding the basics and doing them flawlessly. For example, the Center for Internet Security and the SANS Institute have developed Critical Security Controls. Just the basic implementation of these controls has been shown in some studies to be capable of thwarting 85% of cyberattacks.
Yet organizations continue to fail to implement the most basic controls around asset and software management, identity and vulnerability management, and things such as multi-factor authentication.
The executive order I referred to as well as the OMB have mandated the implementation of Zero Trust by Federal agencies, and with good reason. Taking the position that all entities are untrusted by default, least privilege access is enforced, and that comprehensive security monitoring is implemented, is a great step forward in securing any environment.
Organizations ultimately require something beyond preventative security – the industry widely accepts that it’s when, not if, you will experience a cyberattack that breaches your defenses, and thus detection and response capabilities are critical in securing an organization against threat actors with either the resources or backing of a nation-state.
Q. You suggest a provider organization must have visibility of its current exposure to cyber risks to enable appropriate response, remediation and informed decision making. Please elaborate.
A. The attack surface in healthcare organizations is both broad and complex, and given the potential impact directly on patients’ health it is of the utmost priority to keep patient services both available and secured. Perhaps nowhere else is the triad of confidentiality, integrity and availability more relevant.
It’s impossible to protect what you don’t see, and the CIS Critical Security Controls address understanding exactly what it is that you are protecting early on – both in terms of assets as well as data, whether that is personally identifiable information or intellectual property of one form or another.
Armed with that knowledge, it’s then possible to build a strategy for both preventative technologies as well as detection and response to active threats.
Everyone should realize that whilst they may not directly be targeted by nation-state threat actors, they may be impacted either as collateral damage or through a supply chain compromise that has a much wider impact.
Constant vigilance is required, and visibility across the entire environment is a necessity if bad actors of all flavors are to be detected and stopped before they reach their ultimate goal of disruption, destruction or exfiltration of data.
In this effort, it is critical that teams are equipped with high-quality signals and automated response capabilities so they can confidently defend against cyberattacks. Reducing the noise for security analysts is one of the most significant levers to empowering security teams to be successful in response and remediation of cyber risks.
Twitter: @SiwickiHealthIT
Email the writer: [email protected]
Healthcare IT News is a HIMSS Media publication.
Source: Read Full Article