Code Blue: Strengthening Healthcare Cybersecurity Defenses
Another high-profile healthcare cyber attack is sending shockwaves through the healthcare industry. This time, a Chicago children’s hospital is at the center of a damaging, costly, and life-threatening cyber attack.
Few in the industry, if any, are surprised, but there is universal dismay and intense frustration among those charged with keeping infrastructure secure. Dismay over the seemingly endless vector points through which bad actors can target and exploit this industry, and frustration over the continuously stressful pattern of defending what feels indefensible.
Worldwide, healthcare remains the number one industry targeted by cyber attackers, with 173 attacks in 2023 costing an average of $10 million each, according to data compiled by INE Security cybersecurity instructor Alexis Ahmed. More than 365 million records were compromised during that time, a 22% increase over the prior year, and only a portion of the more than 1.2 billion records exposed in all corporate attacks.
In the face of unprecedented challenges and an endless onslaught of healthcare cybersecurity attacks, we sat down with INE Security’s Defensive Security Instructor Brian Olliff to talk about healthcare cybersecurity solutions. Brian spent nearly a decade working as a cybersecurity analyst and manager for a large South Carolina-based healthcare organization. He has had a front-row seat to the growing cybersecurity challenges faced by the healthcare industry and is passionate about strengthening cyber defense training for this critical industry.
How vulnerable is the healthcare industry right now compared to other industries?
When it comes to cybersecurity for hospitals and healthcare facilities, the iron will always be hot. That’s to say, attacks have been bad, but they are getting worse. There are more of them, they are getting more expensive, and in some cases actually costing lives, which is obviously the absolute worst-case scenario.
Why is healthcare such a hot target?
The high-stakes dynamic means healthcare organizations have little room to negotiate or risk wasting valuable time by refusing to cooperate. The urgency of keeping everything online and functioning makes healthcare infrastructure particularly vulnerable. With hospitals and other healthcare operations, you aren’t just talking about money, lost revenue, or lost business, you’re talking about lost lives. Unfortunately, the majority of attackers have more resources and more time than defenders do, so that leaves an uneven and vulnerable playing field, giving attackers the upper hand.
What is standing in the way of healthcare organizations being more secure and able to defend themselves?
Budgets are tight, and regulations are not stringent enough. A lot of businesses, healthcare included, will take the approach that paying the ransom or paying the fines is cheaper than investing in the technology to defend against them. You can understand how they would get there; the attacks are sophisticated and come in from a lot of different vectors. However, mitigation and prevention of these attacks can, in reality, be diminished with efficient and appropriate use of budget – creating a strong defense even with a small budget.
How should healthcare organizations prioritize their budgets?
First, I’ll say cybersecurity training, from front to back offices, is crucial in the effort to prevent and defend against bad actors looking to exploit healthcare organizations. Data shows, and I sincerely believe, that training is the number one way organizations can stand up a strong defense against cybersecurity attacks. Training is critical. Obviously, ongoing cybersecurity training within the IT team is really important to ensure the entire team understands the newest technologies and threats and has constant real-world practice so that when an attack hits it is almost just muscle memory.
Beyond that, user education and user training are one of the least expensive and most effective ways to set up a first line of defense against cybersecurity breaches. Social engineering is one of the simplest ways for attackers to access systems. You’ve got phishing attacks through email, where attackers will try to get users to click on links in an email that will lead users to a fake landing page. Most of these pages look very legitimate, so it’s difficult for even experts to tell the difference sometimes, and without some type of training, users will just give up their username and password without realizing it. By implementing a robust training program for employees, you can help them recognize what a suspicious email looks like, and when to raise a red flag. Then you provide them an easy, frictionless way to report that suspicious message so a security professional can then look at it. A lot of companies do annual security awareness training to meet compliance requirements, and the reality is that is simply not enough – not by a long shot. This is why cybercrime works.
Second, make sure whatever budget you have is being used efficiently. This will look different for each organization. But a lot of companies are using cloud providers and cloud-hosted resources. They want to make sure those are properly configured and have the right controls, settings, and permissions in place, then verify that those controls are effective, either through audits or pentests. Configuring it correctly is only half the battle – you have to verify that it is actually effective.
Minimizing the extent of publicly-hosted systems or applications is another big one. This is more challenging with so many remote workers now, but still important. Implementing multi-factor authentication into the systems is an additional layer of security. There are ways to trick users into giving up the token codes, and unfortunately, this happens more than it should. But it’s the combination of these security tactics that becomes layers upon layers of solid defense, and you count on that to protect you.
Conclusion
The dynamic nature of cyber threats requires continuous vigilance, particularly within the healthcare industry, where the stakes have never been higher. Combining proper cybersecurity training, efficiently allocated resources, and layered security measures across the organization is critical to combating threats.
Download our whitepaper “A Strong Defense for Training Security Teams” to learn more about how advanced training programs can equip providers to safeguard data amid threats.
Interested in learning more about how INE Security can offer solutions to your team? Connect with our team to see firsthand how INE’s immersive cyber training will empower your organization with job-ready skills to implement protections in a strained threat landscape.