Healthcare providers have increasingly become a target for cybercriminals, primarily due to the value of healthcare data on the black market. In addition, healthcare organizations may be more likely to pay ransomware attackers so that providers can continue to offer vital care to patients.
Unfortunately, healthcare organizations have also become targets of advanced persistent threat (APT) campaigns. An APT is a cyberattack wherein criminals work together to steal data or infiltrate systems over a long period of time. In many cases, these attacks are performed by nation-states seeking to undermine another government or fund their internationally sanctioned regimes.
APTs are different from other cyberattacks such as malware or phishing schemes, which are typically carried out in a matter of days. An APT attack can take place over months or even years. The threat actor lies in wait undetected and strikes with catastrophic results. While they lie in wait, they gather information regarding your network and how they can exploit it.
MITRE is a federally funded, non-for-profit organization that has documented and cataloged the techniques of these groups. Some of the groups include:
- WICKED PANDA, AKA APT41, has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.
- menuPass, AKA APT 10, has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.
- Orangeworm has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage.
The common theme is that these groups are using multiple vectors to achieve their objectives, which includes stealing credentials, planting ransomware, and demanding ransoms. Some of the attacks have been catastrophic for the victims, including the loss of access to patient records and electronic health record (EHR) systems.
Six Best Practices for Cybersecurity in Healthcare
Traditional security tools used over the last 15 years such as signature-based antivirus and perimeter firewalls are ineffective in dealing with these multi-faceted APT attacks.
Fortunately, healthcare organizations can protect themselves by implementing the right mix of tools and technology to deal with today’s threat landscape.
Here are six things healthcare organizations can do to protect themselves:
- Many breaches occur at endpoints such as desktops, laptops, and mobile devices, so using endpoint detection and response (EDR) technologies will protect the endpoint before the breach occurs. EDR works in conjunction with security information and event management (SIEM) technologies that analyze, detect, and alert IT departments about potential threats. These tools must be managed by a 24×7 security operations center and a qualified 24×7 incident response team, which will ensure the detection of lateral movement and ensure anomalies on the network are found and stopped as quickly as possible.
- Utilize multi-factor authentication (MFA). This adds another layer of protection by making it difficult for hackers and threat actors to compromise a system. Even if they were to obtain or guess a password, MFA will add another layer of protection to prevent an account from becoming compromised. Using MFA can also help organizations comply with industry compliance requirements such as HIPAA.
- Use the principal of least privilege for user access as well as administrative access. This minimizes the number of users with elevated privileges, which also minimizes the number of potential APT targets, making it more difficult for threat actors to gain elevated access to an environment.
- Ensure up-to-date security patching. This foundational security practice ensures all systems have software vendors’ latest security patches. A vigilant approach to patching will minimize the chances of an APT exploiting vulnerabilities in operating systems and applications.
- Use traffic monitoring tools to detect any suspicious flows or anomalies. Monitoring and detecting suspicious flows will prevent exfiltration or data loss before it occurs.
- Conduct regular security awareness training (SAT) to keep security at the top of mind for employees so they don’t easily fall prey to targeted phishing campaigns or social engineering. It is one of the easiest steps any organization can take to protect themselves from APT attacks.
The APT’s objective is to evade defenses and gather as much information about the environment as possible, allowing threat actors to maximize their impact. Using these recommended technologies and processes to conduct regular “threat hunting” is key to identifying signs there is an APT threat hiding in the network. This is done by flagging the presence of specific tactics, techniques, and procedures. Because many healthcare organizations do not have the expertise to effectively conduct this type of activity, they often partner with an outside firm that does.
Finally, if an incident occurs, it is critical to have an incident response plan in place. Many victims are left scrambling trying to figure out what to do when they find ransomware or discover that their data has been exfiltrated. An incident response retainer with a firm that knows your environment can offer immediate assistance to deal with an APT attack and limit the damage.
Ongoing APT threats have the potential to target your organization with catastrophic results. Implementing the right blend of technologies tailored to today’s threat landscape can help healthcare organizations minimize risk, prevent breaches, and protect patient data.
About the Author:
Bob Satyal is Security Officer at Med Tech Solutions