Healthcare sector “stretched thin” in fight against cyber attacks warns CSO of Health-ISAC

Share post:

Healthcare organizations need more support from boards and governments to defend against the rising number of cyber attacks, particularly ransomware, says the chief security officer of a U.S.-based information sharing and analysis centre for the sector.

“Organizations are stretched thin, they just don’t have the people, budget to support the basic types of [cybersecurity] programs,” Errol Weiss, CSO of the Health-ISAC said in a recent interview.

“We need more resources for cybersecurity, everything including budget and appropriately trained and experienced staff to set up cybersecurity systems and to make sure they are being monitored and anomalies are being addressed quickly and mitigating controls are being put in place rapidily to close those holes.”

Two recent reports show what the sector is facing. Health-ISAC’s Q4 report for last year highlighted that ransomware attacks against the healthcare sector rose steadily throughout 2023.

Globally, 459 of 5,559 ransomware attacks hit the healthcare sector last year. The vast majority of them (379) were in the Americas (315 in the U.S. and 17 in Canada).

While initial compromises were often through poorly secured implementations of Windows RDP (remote desktop protocol) and compromised credentials, towards the end of the year many networks were penetrated by exploiting a vulnerability in devices running Cisco Systems’ IOS XE operating system (CVE-2023-20198).

The latest examples of the crisis: In the past seven days, the BlackCat/AlphV ransomware gang took credit for an attack on Change Healthcare, which processes pharmaceutical scripts for many hospitals, and the Rhysida gang said it was behind the attack on Chicago’s Lurie Children’s Hospital.

Health-ISAC also participated with the American Hospital Association in a just-released report for CISOs on the current and emerging healthcare cyber threats.

The number of healthcare-related data thefts globally averaged more than 86,000 records a day for the past 13 years, it found. “What’s even more troubling,” the report adds, “is that the number of incidents reported is increasing at an alarming rate.”

Although headquartered in Orlando, Fla., the Health-ISAC has 835 members in 100 countries, including 10 in Canada. Members include hospitals, clinics, insurance companies, pharmaceutical companies, medical device manufacturers, and electronic health software providers.

Health-ISAC charges membership fees based on revenue. For example, organizations that have under US$100 million revenue pay US$2,400 a year for access to threat intelligence.

Last year, it provided 39 targeted alerts to specific Health-ISAC member organizations to help teams mitigate potentially exploited vulnerabilities. It also delivered eight targeted alerts to member organizations where threat actors had already installed an implant using the Cisco IOS XE vulnerability.

Hospitals and clinics hold sensitive data of patients, which may put pressure on them to cave to ransom demands. And for-profit hospitals might seem to be logical targets in particular, because they would be seen as able to pay to get access back to encrypted and stolen data.

However, Weiss believes most ransomware attacks are opportunistic: Attackers exploit any opening at any organization they find. “I call it a shotgun method: They’re not aiming at anyone, they’re just casting a wide net.”

“They don’t even realize, when they obtain access to a victim’s network, what they have a foothold in,” he said.

However, once inside and when they realize what the victim organization is, gangs don’t hold back on their pressure tactics. “We have seen threats to release information including psychiatric care notes, even images of cancer patients, before and after pictures of surgeries — really horrific stuff,” Weiss said.

Asked why cybersecurity isn’t more of a priority in the sector, Weiss said that in the past several years, the rapid rise of ransomware is causing organizations to act. “We’re starting to see more discussion around what represents good minimum cyber hygiene, for example, when it comes to securing environments.”

Historically in the U.S., he said, healthcare institutions were focused on being compliant with privacy regulations. That has left “a large gaping security hole that an adversary could take advantage of.”

One recent aid: In January, the U.S. Department of Health and Human Services published Cybersecurity Performance Goals for the public health sector to follow.

The biggest mistakes organizations make are: not backing up data regularly, not patching vulnerabilities fast enough, and not implementing multifactor authentication to protect logins, Weiss said.

Asked why healthcare organizations aren’t doing those basics, he said it comes back to a lack of financial and human resources.

To move in the right direction, organizations sometimes have to decide between buying medical or IT equipment, he said. But they also have to realize that cybersecurity risks are “huge.”

“There’s going to have to be some hard decisions made when it comes to budgets,” he said. Government tax breaks for purchases and training IT staff will help, he added.

If things continue as they are, “we’ll continue to read about organizations becoming victims of the next cybercriminal organization,” he said. “The malware we’re getting is getting more sophisticated. Bad guys are constantly evolving their tactics to beat the system, and if organizations aren’t addressing that, there will be an impact.”

The post Healthcare sector “stretched thin” in fight against cyber attacks warns CSO of Health-ISAC first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Google Play introduces new biometric verification with a user warning

Google has recently announced updates to the biometric verification process for Google Play purchases, aiming to bolster security...

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Controversial expansion of US surveillance powers nears Senate vote

The US Senate is poised to vote on a significant expansion of Section 702 of the Foreign Intelligence...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways