A recent federal cybersecurity advisory calls for healthcare providers to immediately adopt phishing-resistant multi-factor authentication (MFA) for all administrative access. Vendors should establish systems to verify the implementation of new login procedures, implement network separation controls, and change, remove, or disable any default login information.
The advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), which conducted a risk and vulnerability assessment (RVA) last year to identify vulnerabilities and areas for improvement. An RVA is a two-week penetration test of an entire organization, with one week spent on external testing and one week on internal network assessment. As part of the RVA, the CISA assessment team conducted web application, phishing, penetration, database and wireless assessments. The team evaluated a large organization that deployed software on-premises.
During the week-long external assessment, the team was unable to identify any significant or exploitable conditions in externally available systems, and its phishing attempts did not give it initial access to the organization being assessed. However, during internal penetration testing, the team exploited misconfigurations, weak passwords, and other issues through multiple attack paths to compromise the company’s domain.
In coordination with the assessed organization, CISA is releasing a new Cybersecurity Advisory (CSA) detailing the RVA team’s activities and key findings, with recommendations for network defenders and software vendors to improve the cybersecurity of organizations and their customers.
“The threat is greater than ever,” said Tamer Baker, cybersecurity specialist and healthcare chief technology officer at Zscaler, headquartered in San Jose, California. In 2023 alone, breaches affected more than 100 million people and 500 hospitals in the United States, he said.
IT security is synonymous with patient safety, said Baker. According to Baker, the average financial impact of a healthcare breach is now $11 million, far exceeding the expenses required for proper security. “The recommendation is long overdue, but it is still not enough,” he said. “What is needed will be more in line with what New York State has been pushing to date. Not only will they introduce more regulations and requirements and provide some enforcement, but they will also provide resources to help health systems achieve these goals.”
Impact on patient care
Cyberattacks significantly impact patient care and are associated with longer hospital stays and increased mortality. “According to a national study by the Ponemon Institute, these cyberattacks have resulted in a 56% longer hospital stay and a 53% increase in mortality rates,” said Baker, who supports healthcare organizations, state and local governments and educational institutions in their digital transformation efforts. In the last 12 months alone, cyberattacks have resulted in thousands of patients being transferred or redirected to other facilities. The attacks were linked to delays in procedures and testing, increased complications and poor outcomes.
From a user credentials perspective, Baker says MFA is a good first step, but not enough. Criminals have found multiple ways to get through MFA; MFA bombing is one example. This is a social engineering cyberattack strategy in which attackers repeatedly send second-factor authentication requests to the target victim’s email address, phone, or registered devices until the victim approves one. “We need to prevent users from ever reaching phishing sites,” he said. “A big step will be to put security measures in place that block phishing attempts regardless of whether the user is on the network or off the network (working from anywhere).”
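Because MFA bombing shows up as a burst of push requests to one user, most of them denied and then one approved, it is one of the easier MFA-bypass techniques to detect from identity-provider logs. The following is an added example, not code from the article or from any vendor quoted in it; the log format (timestamp, user, event, result), the sample lines, and the threshold of three pushes in five minutes are constructed assumptions for illustration, and a real deployment would parse its own IdP's export and tune the window to its baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real identity provider):
# <timestamp> <user> <event> <result>
SAMPLE_LOG = """\
2024-03-01T08:00:01Z alice push_sent -
2024-03-01T08:00:20Z alice push_result denied
2024-03-01T08:00:25Z alice push_sent -
2024-03-01T08:00:40Z alice push_result denied
2024-03-01T08:00:45Z alice push_sent -
2024-03-01T08:01:02Z alice push_result denied
2024-03-01T08:01:05Z alice push_sent -
2024-03-01T08:01:30Z alice push_result approved
2024-03-01T09:15:00Z bob push_sent -
2024-03-01T09:15:12Z bob push_result approved
"""

# Assumed tuning values: a burst is >= 3 pushes to one user inside 5 minutes.
PUSH_THRESHOLD = 3
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the constructed format into (timestamp, user, event, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=WINDOW):
    """Return {user: summary} for every user who received at least `threshold`
    push requests within `window`.  The summary records how many pushes were in
    the largest burst, how many were denied, and whether an approval followed the
    burst start (the signature of a fatigue attack that eventually succeeded)."""
    pushes = defaultdict(list)
    results = defaultdict(list)
    for ts, user, event, result in events:
        if event == "push_sent":
            pushes[user].append(ts)
        elif event == "push_result":
            results[user].append((ts, result))

    alerts = {}
    for user, times in pushes.items():
        times.sort()
        best = None
        start = 0
        # Sliding window over the sorted push timestamps.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], times[end])
        if best is None:
            continue
        count, burst_start, burst_end = best
        denied = sum(1 for t, r in results[user]
                     if burst_start <= t <= burst_end + window and r == "denied")
        approved_after = any(t >= burst_start and r == "approved"
                             for t, r in results[user])
        alerts[user] = {
            "pushes": count,
            "denied": denied,
            "approved_after_burst": approved_after,
            "burst_start": burst_start.isoformat(),
        }
    return alerts


if __name__ == "__main__":
    for user, summary in detect_push_fatigue(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {summary}")
```

In the sample data, alice receives four pushes in just over a minute, denies three and then approves the fourth, so she is flagged with `approved_after_burst` set, which is the case that warrants an immediate session revocation and credential reset rather than just a ticket; bob's single approved push is normal and produces no alert. The same sliding-window logic works on any IdP export once `parse_log` is adapted to its fields.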
CISA encourages healthcare providers using on-premises software, and software vendors, to apply the recommendations in the Remedies section of the new CSA. It is hoped that these recommendations can harden networks against malicious activity and reduce the likelihood of domain compromise.
Offline security systems
“One way to stop attacks directly on applications and infrastructure is to simply remove them from the internet,” Baker said. “Hide these applications and infrastructure behind a security cloud so criminals can’t even find them on the internet. The same security cloud can securely connect your users to the applications.”
In addition to applying the newly listed mitigations, CISA recommends exercising, testing, and validating an organization’s security program against the threat behaviors outlined in the advisory.
Frank Nydam, CEO of Tausight, the first AI-powered healthcare data security company, said healthcare providers continue to be a prime target for cybercriminals and there is no sign of this trend slowing down. In the first six months of 2023 alone, 325 affected companies reported data breaches to the Office for Civil Rights (OCR) of the US Department of Health and Human Services. This represents an 86% increase over the same period in 2022. “Cyberattacks have not only become more common, but they have also become more costly, both from a financial perspective and from a patient outcomes perspective,” Nydam said.
Mostly basic cyber hygiene
Many healthcare providers may think they need multiple layers of advanced tools, but Nydam said most need just the basics: “Basic cyber hygiene and understanding where your data is. That’s critical and often overlooked.” These strategies include regular vulnerability patch updates, basic device encryption, monitoring business partner access to your data, and adhering to strict access management practices such as MFA. “One of the most common mistakes is failing to establish a cyber response playbook,” said Nydam.
Other common failures include failing to encrypt and patch machines and not having appropriate data recovery systems in place. The most important points of a to-do list can be easily summarized. “Start cleaning up your house,” he said. This includes a data assessment to understand where your sensitive data is stored, Nydam said. “Such cleaning measures can significantly reduce the attack surface, so that significantly fewer patients are affected in the event of a cyber attack.”
This article originally appeared in Renal and Urology News