Early Attack Activity Forcing New Thinking in Healthcare IT/Security

Every year when we conduct our survey for the Global Application & Network Security Report, one of the more interesting things to observe is how different industries are viewing the threat landscape. Changes such as technology adoption within industry tend to create new points of vulnerability, which quickly become the targets of malicious actors looking to exploit these new-found points of access. This year has been a particularly eye-opening year for the healthcare industry, which has seen a rash of recent attacks targeting their increased reliance on technology and networked data, often through the tactic of ransom attacks.

The increase in ransom attacks was one of the many interesting angles we saw within the inputs of the healthcare industry through our survey. Others provide additional insight into areas IT and security practitioners in the space have more or less concern, or feel either exposed or more or less secure.

A View into What’s Behind Attacks on Healthcare

One of the first questions to ask when considering the threat landscape targeting healthcare providers is motive. Without question, it takes a different level of vitriol to maliciously target an organization that is providing healthcare, recognizing the impacts can inflict very real harm. These attacks tend to be much less frequently driven by script-kiddies or more casual attacks. This is borne out in the inputs we get from healthcare companies through the survey.

By far, the most commonly cited motive behind these attacks is financial gains through professional hacker groups. 75% of respondents called this segment the most dangerous for their industry. There was also a high response to the risk of insider threats, with 58% saying this was a very real concern. This was the highest response rate across all industries for this type of threat.

Healthcare was also the highest industry responding to ransom attacks, with 50% saying they were the target of such an attack in 2015. We can see from the recent headlines that unfortunately this trend continues.

The healthcare industry also struggles, as many do, with understanding the motive behind attacks. 66% of respondents said they were unclear on what the motives were, the second highest rate across industries surveyed.

Trends around attack types, frequency and impact

Whether you know the motive or not, being prepared for attacks is an obvious requirement. Healthcare providers are frequent targets of real attacks, not just empty ransom threats. 75% of those responding from the healthcare industry report being the target of at least one attack during 2015. Of the remaining 25%, two-thirds acknowledge they cannot be sure they were not attacked. By and large, the industry expects the rate of targeting to increase. When asked about their expectations for the frequency of attack, we saw a jump in those expecting daily or weekly attacks from 25% to 33%.

[You might also like: Sustained Vigilance Key for Financial Services Organizations in Light of Stable, Steady Threat Landscape]

Another important factor when looking at attacks is their duration, i.e., how long do they last. Interestingly, the healthcare industry reported one of the longest average duration of attack, at 142 hours per attack. This is higher than the average duration reported by both the telecommunications and financial services industries. Of particular concern is that the average was driven up by a high number (18%) reporting attacks lasting over one month, yet this industry had the lowest level of confidence in their ability to fight attacks for over one month (8%).

Understanding the Operational Impact

An undeniable shift and a wake-up call of sorts for the healthcare industry is how these attacks impact ongoing operations. For many years, the primary focus of IT and security professionals in healthcare has been around protecting patient data from breach. Many industry regulatory requirements exist around protection from these kinds of breaches, as well as a variety of fines and necessary notification requirements if and when a breach does occur.

But the recent ransom attacks have put a bright light on another potentially more serious impact, that of interrupting actual delivery of healthcare. The introduction of new technologies into healthcare has brought with it a new level of reliance on network and data accessibility. We are very clearly at a stage where life-and-death scenarios become a reality when doctors and nurses cannot access critical information due to network downtime. This is forcing a broadening of the lens for healthcare IT on threats to availability, balancing out from an over-emphasis on confidentiality and integrity.

Underestimating the Impact of DDoS

Reflected in this over-emphasis on breach of sensitive data is the healthcare industry’s attitude towards Distributed Denial of Service (DDoS) attacks. These attacks, despite growing dramatically in frequency and size, ranked lowest for the healthcare industry, with only 8% saying these attacks were a major concern. Additionally, half of those surveyed from healthcare said they had no current solution and no future plans for DDoS attack protection. We have already seen ransom attacks against this industry targeting the vulnerabilities around DDoS to disrupt operations. Most troubling about these attacks is unlike a ransomware attack, where generally exploit has already occurred, a DDoS ransom can be sent to a target organization with no actual investment or prior attack.

As the healthcare industry continues to implement new networked technologies deeper into day-to-day operations, and as attackers understand how this expands their attack footprint, IT and security practitioners need to take another look at the availability threats (such as DDoS) and reassess their strategies for protection and mitigating impacts.