Healthcare sector “stretched thin” in fight against cyber attacks warns CSO of Health-ISAC

Healthcare organizations need more support from boards and governments to defend against the rising number of cyber attacks, particularly ransomware, says the chief security officer of a U.S.-based information sharing and analysis centre for the sector.

“Organizations are stretched thin, they just don’t have the people, budget to support the basic types of [cybersecurity] programs,” Errol Weiss, CSO of the Health-ISAC said in a recent interview.

“We need more resources for cybersecurity, everything including budget and appropriately trained and experienced staff to set up cybersecurity systems and to make sure they are being monitored and anomalies are being addressed quickly and mitigating controls are being put in place rapidily to close those holes.”

Two recent reports show what the sector is facing. Health-ISAC’s Q4 report for last year highlighted that ransomware attacks against the healthcare sector rose steadily throughout 2023.

Globally, 459 of 5,559 ransomware attacks hit the healthcare sector last year. The vast majority of them (379) were in the Americas (315 in the U.S. and 17 in Canada).

While initial compromises were often through poorly secured implementations of Windows RDP (remote desktop protocol) and compromised credentials, towards the end of the year many networks were penetrated by exploiting a vulnerability in devices running Cisco Systems’ IOS XE operating system (CVE-2023-20198).

The latest examples of the crisis: In the past seven days, the BlackCat/AlphV ransomware gang took credit for an attack on Change Healthcare, which processes pharmaceutical scripts for many hospitals, and the Rhysida gang said it was behind the attack on Chicago’s Lurie Children’s Hospital.

Health-ISAC also participated with the American Hospital Association in a just-released report for CISOs on the current and emerging healthcare cyber threats.

The number of healthcare-related data thefts globally averaged more than 86,000 records a day for the past 13 years, it found. “What’s even more troubling,” the report adds, “is that the number of incidents reported is increasing at an alarming rate.”

Although headquartered in Orlando, Fla., the Health-ISAC has 835 members in 100 countries, including 10 in Canada. Members include hospitals, clinics, insurance companies, pharmaceutical companies, medical device manufacturers, and electronic health software providers.

Health-ISAC charges membership fees based on revenue. For example, organizations that have under US$100 million revenue pay US$2,400 a year for access to threat intelligence.

Last year, it provided 39 targeted alerts to specific Health-ISAC member organizations to help teams mitigate potentially exploited vulnerabilities. It also delivered eight targeted alerts to member organizations where threat actors had already installed an implant using the Cisco IOS XE vulnerability.

Hospitals and clinics hold sensitive data of patients, which may put pressure on them to cave to ransom demands. And for-profit hospitals might seem to be logical targets in particular, because they would be seen as able to pay to get access back to encrypted and stolen data.

However, Weiss believes most ransomware attacks are opportunistic: Attackers exploit any opening at any organization they find. “I call it a shotgun method: They’re not aiming at anyone, they’re just casting a wide net.”

“They don’t even realize, when they obtain access to a victim’s network, what they have a foothold in,” he said.

However, once inside and when they realize what the victim organization is, gangs don’t hold back on their pressure tactics. “We have seen threats to release information including psychiatric care notes, even images of cancer patients, before and after pictures of surgeries — really horrific stuff,” Weiss said.

Asked why cybersecurity isn’t more of a priority in the sector, Weiss said that in the past several years, the rapid rise of ransomware is causing organizations to act. “We’re starting to see more discussion around what represents good minimum cyber hygiene, for example, when it comes to securing environments.”

Historically in the U.S., he said, healthcare institutions were focused on being compliant with privacy regulations. That has left “a large gaping security hole that an adversary could take advantage of.”

One recent aid: In January, the U.S. Department of Health and Human Services published Cybersecurity Performance Goals for the public health sector to follow.

The biggest mistakes organizations make are: not backing up data regularly, not patching vulnerabilities fast enough, and not implementing multifactor authentication to protect logins, Weiss said.

Asked why healthcare organizations aren’t doing those basics, he said it comes back to a lack of financial and human resources.

To move in the right direction, organizations sometimes have to decide between buying medical or IT equipment, he said. But they also have to realize that cybersecurity risks are “huge.”

“There’s going to have to be some hard decisions made when it comes to budgets,” he said. Government tax breaks for purchases and training IT staff will help, he added.

If things continue as they are, “we’ll continue to read about organizations becoming victims of the next cybercriminal organization,” he said. “The malware we’re getting is getting more sophisticated. Bad guys are constantly evolving their tactics to beat the system, and if organizations aren’t addressing that, there will be an impact.”