Annually, the healthcare industry faces staggering losses running into tens of billions of USD due to data breaches (https://expertinsights.com/insights/healthcare-cyber-attack-statistics/), a testament to the pervasive reach of digital transformation across healthcare institutions. Despite this, the entire sector continues to be overlooked in terms of investment and focus on cybersecurity. Alarmingly, in some hospitals, IT security is still the domain of the most 'technically proficient' doctor rather than a dedicated professional. It’s a known fact that managing IT and cybersecurity doesn't require a “brain surgeon”, but the complexity and critical nature of protecting digital patient records in an environment with even just a dozen PCs, a local network, and a growing number of interconnected healthcare IoT devices can no longer be underestimated. As the scale of IT infrastructure expands, the need for specialized internal or outsourced IT security experts becomes not just a recommendation, but a critical investment. Before delving into the technology and budget allocations necessary to fortify these institutions, it's crucial to understand the multifaceted threats and risks today's hospitals face.
As a hospital CEO, your foremost priority is ensuring seamless patient care every day – making sure that your hospital operates like clockwork. Now imagine a scenario where you're jolted awake early Saturday morning by a frantic call from the head nurse. Every patient record is inaccessible, all computers display a threatening ransom message, the state-of-the-art MRI machine is offline, ultrasounds are inoperable, and the chaos extends beyond. This isn't just a bad start to the weekend; it's a calculated assault by a formidable adversary. This entity, let's call it HACKS-R-US, operates without a recognizable brand but boasts revenues and an infrastructure rivaling many publicly traded corporations, complete with round-the-clock support, marketing, and paid cloud solutions on offer, such as a Phishing-as-a-Service platform. Unfortunately, your hospital's defenses, given the current cybersecurity measures, stood little chance against the cyber-attack that has now crippled your operations. Let's unpack how this happened and why:
(The description of the cyberattack below is based on a real-world event.)
In the days leading up to the crisis, your hospital was marked as a prime target for a ransomware attack through a phishing scheme. The attackers discovered that you were utilizing Microsoft Office 365 without the robust protection of phishing-resistant multifactor authentication. Armed with this knowledge, they crafted a seemingly authentic email tailored to the language and visual style familiar to your staff. AI was employed to refine the content, ensuring it was indistinguishable from legitimate correspondence from the IT department. The final manual task for the attackers was gathering your employees' names using social media, setting the stage for the next phase of the attack.
Utilizing a Phishing-as-a-Service platform, available via the dark web from HACKS-R-US, they launched a widespread campaign against your employees. This platform isn't exclusive to seasoned criminals; even an inexperienced individual, motivated by quick profit, could orchestrate this level of attack. The crafted phishing emails were dispatched en masse from a familiar-looking domain name, deceitfully urging your staff to urgently update their credentials. Predictably, the campaign succeeded, and the attackers harvested a multitude of credentials, providing broad access to employee mailboxes and even to the electronic health records in your cloud EHR.
The immediate financial gain for the attackers lay in the patient records, each valued well over 100 Euros on the dark web, with VIP records fetching even higher sums. Yet, the broader aim was more insidious: gaining control of the hospital's domain controller, the Active Directory (AD) server. With a bit of patience and tools rented from HACKS-R-US, they eventually breached your domain controller. Complicating matters, your backup system, likely connected to your AD domain with good intentions, exposed your backups to the attackers as well. The attackers then deployed the rented ransomware, methodically encrypting your hospital's infrastructure under AD control, starting with your backups. By Saturday morning, not only had all your data been stolen, but it was also encrypted, with the attackers demanding a ransom of 500k Euro in Bitcoin for the decryption key. The only glimmer of hope lies in the existence of offline backups from the previous month. However, this raises a critical question: when did your stretched-thin IT department last conduct a drill to restore the network-connected filesystem or the comprehensive patient record databases? The answer to this could mean the difference between a swift recovery and a prolonged nightmare.
If yours is an average hospital, the damages caused by this attack will climb to millions of Euro, including payment of the ransom, recovery services, lost revenue, and possibly even fines and legal fees (https://www.hipaajournal.com/2023-cost-healthcare-data-breach/).
Why was this attack successful, and could it have been prevented?
At its core, the attack's success hinged on the effective use of social engineering, a technique that relies on exploiting human psychology and senses rather than on technical hacking. This method is particularly potent in high-pressure environments like hospitals, where busy and stressed personnel are more likely to overlook suspicious details.
Educating employees about the nuances of phishing and other social engineering tactics is a vital line of defense. While no single measure is foolproof, awareness significantly reduces the risk of successful attacks. Therefore, allocating resources for comprehensive training should be a non-negotiable part of your 2024 IT budget.
However, education alone isn't nearly enough. The sophistication of phishing attacks means that technical safeguards are even more critical in healthcare environments. Implementing phishing-resistant multifactor authentication (MFA) across all hospital systems is not just a recommendation; it's an absolute necessity. While the top MFA solutions on the market come with a significant price tag, it's important to consider that this attack, much like 80% of all data breaches, began with an attacker simply logging into your network (https://www.graphus.ai/blog/10-facts-about-phishing-in-2021-that-you-need-to-see/). Given this stark reality, skimping on MFA in your budget is a false economy. Good MFA, coupled with enterprise antivirus software providing robust filtering of dangerous links and email attachments, forms a formidable barrier against anyone launching an attack on your hospital infrastructure.
Existing measures like backups, firewalls, and VPNs are foundational but require continuous upgrades to match evolving threats. More importantly, the configurations of these systems must be intelligently managed by skilled personnel to avoid creating inadvertent vulnerabilities.
This brings us to what may be the most crucial element of your 2024 IT budget: investing in a dedicated cybersecurity professional. Recruiting a specialist to spearhead your cybersecurity strategy, ensure adherence to the forthcoming NIS2 directive, and manage the rollout of sophisticated security measures isn't just another line item—it's a critical investment that will secure your hospital well beyond 2024.
In summary, while the attack was a result of cunning exploitation of human and technical vulnerabilities, its success was not inevitable. With the right combination of education, technical defenses, and specialized expertise, you can fortify your healthcare institution against these invisible but ever-present threats. As you plan for 2024, remember: in the realm of cybersecurity, proactive investment is always much more cost-effective than post-incident damage control.
Peter Kolarov