Health care has become an increasingly attractive target for cybersecurity breaches, which have the potential to disable key systems, take important functions offline, compromise private information and cost health systems dearly.
Recent major breaches, such as those striking Change Healthcare and the Ascension health system, are evidence of the growing strength and complexity of these attacks.
Jamie Levy, director of adversary tactics for the cybersecurity firm Huntress, introduced the company’s 2024 Cyber Threat Report during a recent Fierce Healthcare webinar and discussed how health systems are at risk. Levy offered an overview of how online menaces like ransomware hackers work themselves into health care and what organizations can do to keep up their defenses.
Bad actors on small stages
Levy said cybercriminals often test their hacking tactics on smaller health care organizations, such as physician practices, dental offices, outlying hospitals and pharmacies, to gauge how successful they might be with larger targets. “A lot of these customers are pretty vulnerable because they are these smaller businesses, they don’t have cutting-edge technology, they haven’t locked down their systems, and there’s a low bar to entry,” Levy said.
This trend poses a considerable danger, as modern cybersecurity platforms are mainly designed for large organizations. So it’s important for small entities to be vigilant and implement protections designed to scale.
The report authors said cybercriminals’ behavior is always evolving and expanding, as evidenced by increased ransomware attacks and compromised remote monitoring and management platforms in health care. ScreenConnect and Atera were the two most common RMM systems used fraudulently in 2023.
Other recent threats have included credential dumping – or hacking a device to steal credentials and gain access — as well misusing cloud storage systems and business email accounts. “The largest amount of issues we saw within mailbox compromise was in mailbox rules,” Levy said. “If you do have an attacker who has access, they might be impersonating the person whose mailbox they have taken over, and they might be using that to establish trust with some target.”
Levy added that it’s important to see the hacker landscape as an evolving one. As soon as one group of cybercriminals gets taken down by the authorities, new ones are always waiting to “move into the space,” she said. Threats might be coming from outside the US as well as domestically.
Prevention as protection
When asked what small organizations with limited funding can do to protect themselves, Levy recommended trying to be preventive. “Lock down your systems and keep them updated. Try to do the best practices to keep people out of your systems,” she said. “Most businesses pretty much have to have an EDR [endpoint detection and response] solution. That gives you an insight into what’s going on because you can see the different processes that are running and resources they are accessing. If somebody does manage to get access to your machines, they have to get there first. There has to be a phishing email or some contact with the machine.”
She said a good EDR “should have that time capsule of activity, of what happened before the actual bypass occurred,” which can help determine how to close that hole going forward.
Levy was asked how health organizations can protect themselves from danger by association when a vendor partner gets attacked. “If you have some kind of security EDR solution, it should have a quarantine option that would allow you to isolate your machines,” she said. “It would isolate you from being able to talk to the Internet or other machines. We can still do an investigation on that until we can figure out what the underlying cause was, and at that point you can de-isolate the machines.”
When asked about the effectiveness of antivirus platforms such as Microsoft Defender, Levy said there probably will always be ways for hackers to get around or through these tools, but that doesn’t mean they are without value. “It’s not a perfect solution, but it stops a lot of things,” Levy said. “It’s definitely worthwhile keeping that turned on. It’s never going to be a 100% solution, but would you rather go without it?”