Editorial

Advanced Persistent Threat risks: creating a ‘security-first’ environment for healthcare

The healthcare industry is experiencing new methods of attack against its operations. Andrew Hollister, deputy CSO and VP labs at LogRhythm, explains why healthcare organisations must adopt a ‘security-first’ approach.

Posted 17 March 2022 by Christine Horton


Advanced Persistent Threat (APT) groups are continuing to leverage unique and sophisticated techniques to compromise healthcare organisations across Europe and the rest of the world. Over the last year, the global pandemic has given APT actors additional incentive both to gather information related to Covid-19 and to use the disruption as cover for their activities.

The healthcare industry is experiencing new methods of attack against its operations. New waves of attack have been responsible for threats against the European Medicines Agency, disruption to hospitals through ransomware, and concerns about weaknesses in the vaccine supply chain.

According to the joint alert from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) released last year, officials have seen an increase in Coronavirus-related password spraying campaigns as part of APT cyber operations. Countering these attacks requires in-depth, holistic visibility into networks so that teams can detect and mitigate intrusions and reduce response times.

Securing data and monitoring medical devices is essential for patient well-being, making the job of hospital security operations teams especially challenging. There is a growing need for comprehensive detection and response solutions within the healthcare industry to overcome the threats posed by APT groups.

The threat to the healthcare sector

APT groups responsible for healthcare disruptions have been associated with a number of malicious attacks including phishing emails and password spraying. On top of this, threats to individual health privacy have accelerated, with ransomware and doxware attacks becoming more frequent. Ransomware has evolved from a commodity malware strain primarily targeting home users, to a devastating and effective tool in the arsenal of advanced threat groups.

The biggest challenge in protecting the healthcare sector from advanced threats is the unique and complex nature of the environment. Healthcare providers hold enormous amounts of sensitive information, may run large campus-style organisations, and typically have both commodity and specialised software and devices. Others in this industry may hold intellectual property of significant value that is of interest to both criminals and nation-state actors.

Healthcare organisations are targeted for a variety of motives and by many types of attacker. The targets of APT groups have included healthcare sectors involved in both national and international Covid-19 responses. Nation-state threat actors typically take an interest in research data or clinical trials data.

The healthcare sector needs to understand the imperative of cybersecurity within patient healthcare and react with a proactive approach to cybersecurity. If threat actor activity can be detected in the environment early enough in the kill-chain, security analysts stand a much better chance of unravelling the entire attack and reducing the risk to their organisation.

Combatting an evolving challenge

The threat landscape is continually evolving, with threat actors constantly searching for weaknesses, be that in people, process or technology. As more and more health information is digitalised and tele-health services grow in popularity the attack surface becomes larger, and the pay-off for threat actors increases.

In addition to the perfect storm of larger attack surfaces and persistent threat actors, many organisations, particularly in the public sector, may face budget constraints. Making the decision between investing in direct healthcare provision versus defending against bad actors is a trade-off no one wants to make, but given the current landscape those decisions may well be inevitable.

Given the received wisdom that “it’s when not if” you will experience an attack that compromises your defences, visibility becomes a very important part of an overall cybersecurity strategy. It isn’t enough to just deploy preventative technologies and hope that will suffice. Continual monitoring of the environment is required, and it provides the basis for a variety of detection and response approaches.

A SIEM platform can provide the basis for that ongoing monitoring, offering comprehensive, single-pane-of-glass visibility of the whole environment – including both legacy systems and cloud-based solutions. The data collected by the SIEM can further be leveraged for reporting, search, and analytics, surfacing individual events, or changes in behaviour, that may alert analysts to an attack in progress. Leveraging a SIEM in this way is key to reducing the time to detect, which is itself a key element of a successful security programme, since dwell time is the threat actor’s best friend.
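The behavioural analytic this paragraph describes, applied to the password spraying campaigns mentioned earlier in the piece, as an added example (not LogRhythm's code or product logic): a toy detector that flags a source failing against many distinct accounts, a few attempts each, inside a short window, and then raises the priority when that same source goes on to log in successfully. The CSV log format, sample records and thresholds are all constructed assumptions.

```python
"""Toy password-spray analytic over constructed authentication logs
(added example, not LogRhythm code; log format and thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp,source_ip,username,result". 10.0.0.5 sprays one
# guess across many accounts and lands on 'frank'; 10.0.0.9 brute-forces one account.
SAMPLE_LOG = """\
2022-03-01T08:00:01,10.0.0.5,alice,FAIL
2022-03-01T08:00:03,10.0.0.5,bob,FAIL
2022-03-01T08:00:05,10.0.0.5,carol,FAIL
2022-03-01T08:00:07,10.0.0.5,dave,FAIL
2022-03-01T08:00:09,10.0.0.5,erin,FAIL
2022-03-01T08:00:11,10.0.0.5,frank,SUCCESS
2022-03-01T08:01:00,10.0.0.9,alice,FAIL
2022-03-01T08:01:02,10.0.0.9,alice,FAIL
2022-03-01T08:01:04,10.0.0.9,alice,FAIL
"""

def parse(log_text):
    """Split CSV-style lines into (timestamp, source, user, result) tuples."""
    return [(datetime.fromisoformat(ts), src, user, result)
            for ts, src, user, result in (line.split(",") for line in log_text.splitlines())]

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Sources whose failures inside any `window` span >= min_accounts distinct accounts
    with <= max_per_account failures each (a per-account lockout never trips on this)."""
    fails = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, items in fails.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # slide the window over sorted failures
            per_user = defaultdict(int)
            for ts, user in items[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[src] = sorted(per_user)  # {source: accounts it sprayed}
                break
    return hits

def successes_after_spray(events, hits):
    """Highest-priority alert: a spraying source that then logged in successfully."""
    return sorted({(src, user) for _, src, user, result in events
                   if result == "SUCCESS" and src in hits})
```

A brute-force source (many failures against one account) deliberately does not match, since the point of the analytic is to catch the low-and-slow pattern that per-account thresholds miss.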

Securing the healthcare environment

The healthcare IT environment is growing increasingly complex, and APT groups will continue to exploit weaknesses created by the ever-changing nature of the industry. Healthcare security teams must stay abreast of the threats facing the medical sector and be prepared to act sooner rather than later.

To avoid the many consequences of increasingly common and sophisticated attacks, healthcare organisations must be ready to detect and respond to risks. The focus needs to be on becoming ‘security-first’.