How the healthcare sector can prepare for cyber threats
Hi Trevor, please introduce yourself and your role.
“Hello there. I'm Trevor Dearing, Director of Critical Infrastructure Solutions at Illumio, the Zero Trust Segmentation company. My focus is on helping organisations in critical industries, such as healthcare, energy and manufacturing, increase their cyber resilience. Healthcare is of particular importance given that a serious security incident could directly impact patient care and human lives.”
What is Illumio?
“Illumio is a global security company specialising in Zero Trust Segmentation (ZTS). We stop breaches from spreading by providing organisations with highly granular control over who can access and move through their network. This is microsegmentation based on the Zero Trust principle of least privilege.
“Our products include Illumio Endpoint for user devices, Illumio CloudSecure for cloud-native workloads, and Illumio Core for on-premises and data centre workloads. All solutions are highly effective at helping organisations to mitigate the impact of attacks by preventing lateral movement and containing cyber threats such as ransomware.
“We work with organisations that have zero appetite for risk, including 15 of the Fortune 100 and six of the largest global banks. We also work with several leading global healthcare providers and adjacent fields like healthcare insurance. Forrester has also named us as a leader in its Forrester Wave reports for both Zero Trust and microsegmentation.”
Trevor Dearing, Director of Critical Infrastructure Solutions at Illumio
Why is the healthcare sector at the top of cyber attackers' target lists?
“Healthcare is a prime target for cyberattacks because an attack can put the welfare, and even lives, of patients in jeopardy.
“Cybercriminals will always target those that offer the greatest chance of reward. They know that healthcare providers cannot afford any downtime with patient safety on the line and are more likely to pay out and do so quickly. That’s why the sector has become a leading victim of ransomware attacks – particularly in the past few years. In fact, attacks on healthcare rose by 328% in the last year according to SonicWall.
“But it’s not just ransomware attacks that organisations need to look out for. Healthcare providers hold large volumes of personal data about patients which is a commodity on dark web markets. This data fuels more targeted attacks, blackmail, and fraud.
“The industry has also become a more attractive target thanks to the rise of connected medical devices, which have expanded the attack surface. Economic instability and public spending pressures also mean that many healthcare providers lack the budget to match other sectors' more robust cyber strategies.”
Exactly how do ransomware attacks unfold?
“Most ransomware attacks follow a similar pattern. Ransomware actors gain initial access to an organisation and hide inside networks (for up to months at a time) before striking. They will move stealthily across the organisation’s network, gaining higher-level access privileges to access valuable files and mission-critical systems before deploying their ransomware, effectively locking down files and applications. Unless the organisation can stop the spread, it will quickly find all activity grinding to a halt.
“For healthcare providers, a worst-case scenario could be the disconnection of medical devices, such as sensors for monitoring patient vitals and automatically administering treatment. Or it could lock critical patient records and systems for managing appointments, effectively paralysing the organisation.
“We are also seeing more attacks using a 'double extortion' tactic combining data encryption with exfiltration. The attacker will make copies of data and encrypt it, and then threaten to leak or sell confidential information even if the victim pays the ransom.”
How can healthcare organisations stay safe from cyber threats?
“Organisations need to stop investing so many resources into trying to prevent attacks from happening and invest instead in managing the impact. This means accepting that attacks will happen and mitigating the impact through breach containment.
“One of the best security models for improving cyber resilience is Zero Trust. This strategy is based on the mantra of “Never trust, always verify” which means no user is automatically trusted to access files and applications simply because they have the proper credentials.
“Typically, Zero Trust consists of three pillars: Zero Trust Network Access (ZTNA), Zero Trust Data Security (ZTDS) and Zero Trust Segmentation (ZTS). The latter is critical for breach containment, dividing the network into multiple sealed sections, with Zero Trust principles governing movement between zones.
“Working with red team specialist Bishop Fox, we found that ZTS can render attackers ineffective in less than 10m. Research from Enterprise Strategy Group (ESG) also found that organisations that have adopted Zero Trust Segmentation avert an average of five cyber disasters annually, and save an average of US$20m in application downtime.”
Why should the healthcare industry shift its mindset to working on isolating attacks, not preventing them?
“We’ve seen a huge shift in attack motives in recent years, from a focus on stealing data to impacting availability. This means cybersecurity is no longer just a security issue; it is an operational issue with impacts including extended operational downtime, financial and reputational damages, and for healthcare, potential loss of life.
“Attacks are now geared around causing maximum disruption with threat actors counting on being able to reach critical systems and data before defences detect them. Attacks are also rising in numbers and cybercriminals are using increasingly sophisticated tactics to meet their aims. This means prevention alone is no longer a viable strategy.
“No matter how well-secured the network may be, compromise is inevitable. This is what we call the ‘assume breach’ mentality. This might seem like a very defeatist attitude for a security specialist to take; however, it is this mentality that will stop a breach from becoming a serious disaster. If organisations accept that an attacker will breach their defences, they can put in place measures to contain the threat and minimise the impact.”
Tell us about the steps that any healthcare organisation, regardless of size and budget, can take to strengthen their security posture immediately.
“The first step organisations should take is to map the communications of all systems. Once an attacker has infiltrated an organisation, they will try to move to the highest value assets. This could be patient data or medical devices. Organisations need to identify which systems can communicate, and how, to inform which restrictions to put in place.
“Next, organisations should use this knowledge to identify and quantify the risks faced by any asset or application. This can be based on the vulnerability of each system and the exposure it faces in connecting to other systems and devices.
“The final step is to apply controls based on least privilege to govern and restrict access between resources. Stopping unauthorised communication enables an attack to be contained in a single location and prevents attackers from reaching critical assets and services. This approach is equally applicable for medical devices, data centres, the cloud and endpoints.
“Following these steps will make medical infrastructure breach tolerant and ensure organisations can maintain services even while under attack, without the need to shut down services or move patients.”
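The three steps above, applied to a constructed flow log in Python. This is an added illustration, not code from the interview or from Illumio's products; the host names, ports, allowlist and the "distinct reachers" exposure score are all assumptions made for the example.

```python
# Constructed walk-through of the three steps: map flows, score exposure, apply least privilege, re-measure reach.
from collections import defaultdict, deque
# Constructed sample flows: (source, destination, port) seen on the network.
OBSERVED = [
    ("nurse-ws-01", "ehr-web", 443),
    ("nurse-ws-02", "ehr-web", 443),
    ("nurse-ws-01", "nurse-ws-02", 445),       # workstation-to-workstation SMB
    ("nurse-ws-01", "print-srv", 9100),
    ("ehr-web", "ehr-db", 5432),
    ("print-srv", "ehr-db", 5432),             # print server reaching the EHR database
    ("nurse-ws-02", "infusion-pump-07", 22),   # SSH from a ward PC to a pump
    ("biomed-mgmt", "infusion-pump-07", 8443),
]
# Flows the application owners confirm are needed (constructed allowlist).
REQUIRED = {
    ("nurse-ws-01", "ehr-web", 443), ("nurse-ws-02", "ehr-web", 443),
    ("nurse-ws-01", "print-srv", 9100), ("ehr-web", "ehr-db", 5432),
    ("biomed-mgmt", "infusion-pump-07", 8443),
}
HIGH_VALUE = {"ehr-db", "infusion-pump-07"}

def map_comms(flows):
    """Step 1: adjacency map of which systems can talk to which."""
    graph = defaultdict(set)
    for src, dst, _port in flows:
        graph[src].add(dst)
    return graph

def blast_radius(graph, start):
    """Hosts an attacker holding `start` can reach by following permitted flows."""
    seen, queue = set(), deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposure(graph, high_value):
    """Step 2: how many distinct systems can reach each high-value asset."""
    return {a: sum(a in blast_radius(graph, h) for h in graph) for a in high_value}

def least_privilege(flows, required):
    """Step 3: permit only allowlisted flows; everything else is denied."""
    return [f for f in flows if f in required]

if __name__ == "__main__":
    for label, graph in (("before", map_comms(OBSERVED)),
                         ("after", map_comms(least_privilege(OBSERVED, REQUIRED)))):
        print(label, exposure(graph, HIGH_VALUE), sorted(blast_radius(graph, "nurse-ws-01")))
```

Before the allowlist a compromised ward workstation can reach the pump through a peer workstation and the database through the print server; after it, the pump is reachable only from the biomedical management station.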