
From Vulnerable to Vigilant: 3 Critical Actions to Protect Healthcare from Cyber Threats

If you’ve kept up with security headlines this year, or are on the frontlines of healthcare security yourself, you know that healthcare networks are in an escalating battle against cyberattacks. As one of the most targeted industries, healthcare not only contends with a growing volume of attacks, but confronts some of the highest costs when breaches are successful.

According to reporting from the Department of Health and Human Services, healthcare data breaches have been increasing steadily. From 2018 to 2022, the number of large breaches reported rose by 93%, and breaches involving ransomware saw a staggering 278% increase during the same period.

As for 2024, reports suggest a continued increase in healthcare breaches compared to 2023. In the first half of 2024, the Department of Health and Human Services finds that there were 341 security breaches across healthcare organizations in the U.S. alone.

These attacks can have profound consequences that go beyond damage to networks themselves. In some cases, patient health is compromised. As reported by Cyberscoop, Microsoft recently found that ransomware attacks on hospitals have resulted in worse outcomes for patient care. When hospital operations are halted and patients are diverted to other hospitals, a spillover effect is observed, where “unaffected hospitals see a surge in patients, leading to stroke cases rising by 113% and cardiac arrest cases jumping 81%. Survival rates also dropped from those cardiac arrest cases.”

Why Cyber Criminals Target Healthcare: Data, Disruption, and Defense Gaps

Threat actors focus on launching attacks against healthcare organizations for a number of reasons:

Data is expansive and high value. A single healthcare organization may house thousands of patient records detailing personal, medical, and financial information. When this valuable information is held hostage in ransomware attacks, many healthcare organizations have been willing to pay the ransom (or feel they have no choice), making them even more lucrative targets for threat actors.

Disruption to operations can be significant. Threat actors looking for maximum impact can grab headlines when targeting healthcare organizations. As noted above, we’ve seen cyber attacks shut down entire systems and devices, causing operations to come to a standstill and patients to lose access to care.

Security measures can be lacking. As with the financial services industry, healthcare has undergone significant digital transformation in the last two decades, and some healthcare systems have been challenged to keep up with implementing necessary security measures to protect the broad swaths of patient and provider information that have migrated online.

Healthcare organizations know they need to take action to prevent successful attacks, and quickly. At a fundamental level, this means shifting from reactive security response – which we’ve seen plenty of in recent years – to proactive security defense that raises the organization’s baseline security hygiene.

Adopting a proactive security posture has many dimensions to it, but let’s look at some of the most impactful ways healthcare security teams can improve their cyber hygiene and prevent successful attacks.

Achieving Proactive Cyber Hygiene 

1. Prioritize Exposed Assets for Immediate Action 

Swiftly identifying and prioritizing exposed assets on the attack surface is one of the biggest challenges — and opportunities — for healthcare security teams. That’s because exposures serve as easy points of entry for attackers. In fact, the Cyentia Institute’s recent reporting finds that exploited, public-facing assets are the top points of entry for ransomware attacks, which healthcare organizations experience more of than any other sector according to reporting from the FBI. You can read more about the Cyentia Institute’s findings in our blog post.

What makes spotting and addressing these exposures difficult? Proliferating attack surfaces have generated huge volumes of assets that need to be patched. Determining which assets to address first can be challenging and time-consuming. And, when new vulnerabilities are announced, teams typically only have a short window of time to figure out which assets on their attack surface are affected before attackers take action.

Healthcare’s digital revolution, which includes the rise of internet-connected medical devices, has further propagated the volume of potential exposures on the healthcare attack surface. For context, the Censys Research team recently observed over 14,000 unique IP addresses exposing healthcare devices and data systems connected to potentially sensitive information on the public internet.

Legacy systems also create risk. According to the Hospital Cyber Resiliency Initiative Landscape Analysis, 96% of small, medium, and large-sized hospitals claim they were operating with end-of-life operating systems or software with known vulnerabilities.

Healthcare security teams need efficient ways to identify, prioritize, and patch these exposures. Attack Surface Management is one automated, scalable way that teams can achieve real-time visibility into all of their public-facing digital assets, both known and unknown — and gain the essential context needed to strategically prioritize risk. This contextualized, up-to-date insight allows teams to understand where vulnerabilities exist, and which vulnerabilities should be addressed first. You can learn more about Attack Surface Management in this ASM 101 whitepaper.

2. Gain Visibility into Risk from Acquisitions & Third-Party Vendors

Healthcare subsidiaries, acquisitions, third-party vendors, and supply chain partners have become increasingly attractive targets for threat actors. They’ve learned that disrupting a healthcare system doesn’t have to involve a direct breach of that system; instead, entry can be gained via exposed assets on a connected subsidiary’s or third-party provider’s attack surface. Targeting third-party vendors and the broader supply chain is particularly enticing to threat actors because they can target not just the vendor, but every entity connected to the vendor. When too many healthcare systems rely on the same vendors, the entire industry can be impacted.

For healthcare organizations to prevent these types of attacks, they need to gain continuous visibility into potential risk across their partner ecosystems. Third Party Risk Management systems are designed to help provide this visibility, but these solutions often don’t provide the real-time data security teams need to act quickly (for example, to understand if a partner in their ecosystem is affected by a new zero-day vulnerability).

Accessing real-time internet intelligence sources, like the proprietary internet intelligence available in Censys Search, can give teams the immediate visibility into third-party risk required for proactive defense. Most teams unfortunately still have a long way to go on this front. According to a report written in partnership with the Department of Health and Human Services, “Only 49% of hospitals state they have adequate coverage in managing risks to supply chain risk management. In addition, third-party and supply chain risk rates as the third most important threat amongst 288 CISOs, surveyed as part of the 2023 H-ISAC Threat Report.”

3. Monitor Vital Protocols and Systems with Reliable Internet Intelligence

Healthcare security teams further need continuous visibility into the vital protocols and systems that are critical to their operations. Monitoring these specific protocols and systems can help teams more quickly identify potentially vulnerable assets on their attack surface for advanced threat detection, as well as expedient incident response. However, in complex digital infrastructures that rely on hundreds of software systems, keeping tabs on these various protocols without a reliable intelligence source can be easier said than done.

Censys provides access to billions of services, hosts, and certificates that security teams can proactively run queries against. Within this expansive internet dataset, security teams can run queries to identify and monitor critical IT healthcare systems and protocols. For example, teams can search for the Hospital Information System (HIS) protocol, which accounts for systems that house financial, clinical, and administrative information. The DICOM, HL7, and EHR protocols, among many others, can also be detected using Censys.

Censys makes searching for these systems and protocols easy with labels. Labels provide quick ways to narrow the scope of a search to relevant systems and protocols. The labels “medical-device,” “remote-access,” and “file-sharing” can be particularly useful to healthcare security teams. Saved query automation further lets teams run queries against these critical IT systems and protocols on a daily, automated basis.

Moving From Reactive to Resilient

As attackers continue to target healthcare for its sensitive data and potential for operational disruption, now is the time for healthcare security teams to elevate their defenses. By prioritizing exposed assets, enhancing third-party risk visibility, and monitoring vital protocols, healthcare organizations can mitigate vulnerabilities, better manage their attack surface, and, most importantly, protect patient safety and trust.

Interested in learning more?

Check out our Healthcare Cyber Hygiene Checklist for additional security best practices.

About the Author

Rachel Hannenberg
Senior Content Marketing Manager
As the Senior Content Marketing Manager at Censys, Rachel Hannenberg focuses on creating content that engages and informs the Censys community. Rachel has worked in marketing content strategy for nearly a decade, including at B2B SaaS companies and in higher education.
