On April 17, 2023, the U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of its Hospital Cyber Resiliency Initiative Landscape Analysis. This landmark analysis reports on the current state of cybersecurity preparedness in domestic hospitals.

The scope of the HHS study was limited to activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data were considered only if the breach had a direct impact on patient care and safety.

To compile the Hospital Cyber Resiliency Landscape Analysis, data was curated from multiple sources, such as the U.S. government, cybersecurity vendors, open-source intelligence, CrowdStrike, Verizon, CISA, FBI, NSA, Health Sector Cybersecurity Coordination Center and Health-Information Sharing and Analysis Center (Health-ISAC) threat reports. The investigators also consulted with 20 geographically and demographically diverse hospitals.

The report paints a picture of the challenges hospitals face in today’s cyber landscape — as well as how they can adapt.

Ransomware Leverages DDoS

The HHS states that ransomware continues to be the biggest threat to the healthcare sector. The report also stressed the effect ransomware can have on services that directly impact patient care and safety — such as attacks that compromise the availability of patient care tools.

Of particular interest, the HHS notes that adversaries may escalate ransomware attacks when victims do not meet their demands. For example, attackers sometimes launch DDoS attacks against the target organization. Actors may also make ransom demands of others affected by the release of sensitive information (patients, hospital affiliates, etc.). Criminals might even leverage both DDoS and collateral ransom attacks simultaneously.

In fact, in March 2023, Microsoft documented a sharp rise in DDoS attacks against the healthcare sector using Azure. The attack rate had grown from up to 20 attacks per day in November 2022 to up to 60 per day in February 2023 (a 300% increase).

Critical Security Features and Processes

Many healthcare entities are adopting more robust security practices. However, the depth and consistency of these practices may be inadequate, according to the HHS report. Some examples include:

  • Multi-Factor Authentication (MFA): Only 84% of VPNs and 88% of email systems are MFA-protected. The lack of full MFA adoption can leave critical assets open to successful compromises.
  • Training and Outreach: Data suggests there may be considerable variability in hospital cyber training. Some hospitals indicated that scenario-based training (where results are shared in near real-time) is an effective way to improve cyber hygiene, as is training targeting high-risk groups (such as executives).
  • Hospital-at-Home: In-home care uses medical devices in patients’ homes to facilitate clinical care. Hospitals face challenges such as device protection, standardization issues, vendor lock-in and scaling services while maintaining asset security.

More Key Observations

Other key observations made by the HHS report include:

  • Hospitals report success in implementing email protections. Over 99% of hospitals surveyed reported having basic anti-spam and anti-phishing capabilities. Also, 92% of hospitals use URL detection, and 86% use automated responses such as removing malicious email from mailboxes. Still, these methods may not definitively thwart newer social engineering and phishing attacks.
  • Supply chain risk is pervasive in hospitals. Only 49% of hospitals state they have adequate coverage in managing supply chain risk. Nearly every participating hospital considered supply chain risk management as a top priority to address. Many hospitals already require CISO approval before making acquisition requests.
  • Attackers do not typically exploit medical devices. Threat intelligence and breach data suggest medical devices are not a prominent attack vector against hospital operations — yet. However, device vulnerabilities can allow advanced forms of attacks to spread across the organization.
  • Significant variation in cybersecurity resiliency. Primary sources of resilience investment variation include third-party risk management, medical device security, asset management, participation in Information Sharing and Analysis Centers (ISACs) and the use of governance, risk and compliance systems. Many hospitals expressed a need for more benchmarking data and consumable, actionable intelligence information.
  • The use of antiquated hardware, systems and software. The HHS states that 96% of hospitals say they use end-of-life operating systems or software with known vulnerabilities. Antiquated technologies limit hospitals’ abilities to harden (e.g., patch) and secure their systems.
  • Rising cybersecurity insurance premiums. Sharp increases in cyber insurance costs have caused some hospitals to forgo insurance or self-insure to reduce risk. Coverage exclusions for non-compliance with security standards have reduced coverage as well. These exclusions tend to be more challenging for small and rural hospitals.

High-Priority Cybersecurity for Hospitals

The HHS report identified the following Health Industry Cybersecurity Practices as being of the highest risk and priority:

  • Endpoint Protection Systems: An endpoint is any device connected to the network. As per the HHS, “EDR tools are critical for identifying initial exploitation attempts and follow-on lateral movement or malicious use of built-in system utilities that may occur as part of an attacker’s kill-chain pattern.”
  • Identity and Access Management: IAM ensures that only authorized individuals have access to sensitive resources and that user actions are properly monitored and audited. Despite claims of IAM deployment, the HHS “continues to see a majority of successful attacks against hospitals where a single credential stolen from a phishing attack was the key vector used.”
  • Network Management: Self-assessment data on IT asset management shows that 91% of participating organizations monitor devices on their networks. However, only 52.6% have an inventory of personal devices on the network. The HHS states this disparity suggests coverage gaps in network monitoring controls.
  • Vulnerability Management: The low percentage of hospitals using advanced forms of vulnerability testing, like Red Team, Purple Team and Tabletop exercises to uncover flaws, is a major concern. As per the report, higher forms of assessment testing are necessary to detect advanced attacks such as ransomware.
  • Security Operations Center and Incident Response: Data suggests that the vast majority of hospitals participate in DHS/CISA’s threat indicator sharing programs. However, hospital security personnel also said threat-sharing programs are cumbersome and offer largely duplicative information with little to no unique value per feed.

The HHS Hospital Cyber Resiliency Initiative Landscape Analysis is required reading for anyone on the front lines of healthcare cybersecurity. The report contains a wealth of information and insight that can help guide hospital-based security professionals.
