A common adage that has consistently been a part of the Healthcare sector is “Prevention is better than the cure”. While healthcare professionals strive to ensure we apply this philosophy across our field of expertise, they often lose sight of the broader picture of our increasingly interconnected world.
In any medium-large healthcare organization today, patients who visit a treatment facility can get their tests and diagnoses cross-examined and leave with a detailed diagnosis and treatment plan from any other facility or branch.
Similarly, doctors can connect with their colleagues across the industry to seek clarification on a scan, study, or test to ensure we have the best possible diagnosis for a problem. The same interconnectedness that enables this sharing of information and knowledge in near real-time is the element that makes Healthcare as an industry vulnerable to cyber threat actors.
Initially, it may seem like the two are different concepts. After all, hackers tend to go after financial data, sensitive research, and state secrets. Once we establish that Healthcare data, whether patient data or proprietary research, is just as valuable to nefarious threat actors as it is to industry and our patients, the parallel becomes clearer.
So, the question remains: Why is healthcare data so valuable and, more importantly, so vulnerable to cyber threats in today’s threat landscape?
Data is the Currency of This Age
It’s often said that to appreciate a work of art, one has to stand further away. In the Healthcare space, we are entirely devoted to the result – a satisfactory diagnosis and treatment of the issue for our patients and clientele. This creates some degree of myopia to the sheer value of the data that we handle.
Whether it’s sensitive patient data or proprietary research, threat actors in the current cyber threat landscape highly prioritize our work and data for targeting – and with good reason. The same data in the wrong hands can lead to a chain reaction of negative consequences – none of them good for the healthcare industry or the patients we serve.
Today, data has become its currency, and healthcare data is a target for hackers. The COVID-19 pandemic required us, as a species, to adapt to a new world – seemingly overnight. On a macro level, that required us to rapidly digitize our services, ensuring constant, reliable access to data at a moment’s notice.
While these systems were created or refined, the focus was on ease of use and accessibility because the enemy at the point was time.
It is fair to say that cybersecurity wasn’t the primary consideration of the Healthcare industry at that time, as evidenced by multiple breaches and attacks that were aimed at healthcare and other industries, often leveraging legacy systems or poorly optimized platforms that proved easier for threat actors to breach than anyone had expected.
The New Pandemic – Addressing Data and Cybersecurity
As the pandemic was contained, the healthcare industry woke up to a new threat – a vulnerable ecosystem that hackers were keen to exploit. Sobering news of major healthcare entities falling victim to attacks started to surface, with some alarming statistics.
In 2022, an estimated 20% of all cyberattacks were specifically directed at the healthcare sector, higher than any other sector that year, indicating that there was, indeed, a target on our backs.
While we had established why this data was so valuable, it remained a mystery at the point exactly how hackers were able to compromise healthcare systems with seemingly relative ease. The answer to this is a little more complicated, with various factors involved.
Firstly, the very interconnectedness that healthcare organizations had worked so hard to inculcate during and even before the pandemic was weaponized against them. The various platforms, apps, and portals that had been created for easier communication between doctors, patients, and administrative staff ended up vastly expanding our digital risk footprint, giving hackers a broader surface to target with increasingly sophisticated and often customized methods.
Ransomware groups, who were already adept at securing and encrypting data, turned their focus towards the healthcare industry in force. More worryingly, patterns such as Ransomware-as-a-service (RaaS) emerged where even threat actors with limited technical ability suddenly had devastatingly effective tools at their disposal with which to target the industry.
Another worrying development was the shifting focus to supply chain attacks. No singular Healthcare vendor operates in a vacuum. The vast network of vendors, partners, and supply chain entities that had worked in tandem to provide world-class healthcare services was suddenly a chink in our armor.
Any individual healthcare organization could secure their own their threat footprint end to end yet still be reliant on third parties who may not necessarily be as secure, leaving the door open to third-party compromise for the entire supply chain.
The advent of Artificial Intelligence was a big leap for humanity as a whole, with widespread adoption across multiple sectors to help index data faster, search for patterns in massive datasets, and provide co-relations in near real-time. What we had not anticipated, however, was how quickly these same tools would be weaponized to create even more potent cyber threats.
Fortunately, the cybersecurity industry has taken note of this and implemented AI and ML defensively to pre-empt or mitigate the risk of these attacks while helping target firms identify patterns, parse through large amounts of data, and provide actionable intelligence in real-time.
Identifying Infection Vectors
If the terms “viruses”, “infection vectors”, “diagnosis,” and others were not obvious enough indicators, it is clear that cybersecurity as a field borrowed these terms from healthcare for a good reason. Both deal with an invasive, unwanted specimen entering an otherwise healthy body or entity.
Both have to factor in the potential spread of said specimen through patients/systems and the collateral impact. In both cases, the solution chain is almost always – Diagnosed, Contained, and treated – with a strong emphasis on early detection and prevention as the preferred outcome.
With that shared philosophy towards threats, let us take a look at the cyber factor from the perspective of identifying infection vectors in the healthcare industry, specifically in Indian markets.
Remote work saw a massive, necessary surge during the pandemic but has remained well after as a popular WFH/Hybrid model. This is especially prevalent in India, which has one of the largest workforces in the world, a large portion of which are now working from their devices. This leads to an increase in the amount of Endpoints that a hacker may target, such as personal laptops, smartphones, tablets, etc.
If a cyberattack compromises these devices, they may, in turn, compromise the entire work ecosystem they are affiliated with through the lateral movement of viruses and malware.
Cybercriminals have identified this weakness and have altered their methodologies to target these specific endpoints via phishing attacks, trojans, malware, and other potent cyber attack vectors.
These attacks, alongside other large-scale attacks against state-owned entities and critical infrastructure, have spurred the Indian Government to roll out initiatives such as the National Cybersecurity Policy and regulatory measures that firms must now comply with. The end goal is to foster a more cyber-aware (and thus, cyber-resilient) workforce that is compliant with nationwide cybersecurity standards and regulations.
In the face of sophisticated, often state-sponsored cyberattacks aiming to cripple critical infrastructure or deface government portals, the Indian government has also taken steps to address rising instances of hacktivism, which is a growing concern amongst the cybersecurity community due to the scale of these campaigns.
Not all of these threats will affect each entity equally. However, there is a strong preference on the part of Threat Actors to favor certain attack vectors over others based on the target.
For example, Government and Military infrastructure may have a different degree of cyber resilience than other industries due to their criticality to national security.
Similarly, sectors that have recently had to undergo rapid digitization in a short period due to external factors such as the COVID-19 pandemic – such as EdTech and Healthcare – may not have had a similar focus on cybersecurity when the primary need was to digitize to meet market conditions and other factors, thus leaving them relatively more vulnerable to cyberattacks.
I’ll try to encapsulate the broad categories of threats that face the nation at a sectoral level before we jump back to the Healthcare industry specifically.
Industry-specific Threats
Government entities are crucial to the proper functioning of a nation’s economy, trade, defense, and day-to-day operations. It comes as no surprise, then, that these are often the primary targets for state-sponsored or politically motivated hackers (often called Advanced Persistent Threats or APTs).
The other primary threat to any government entity from cyberspace is Insider Threats. Whether by design or by accident, an employee enabling or allowing a cyberattack to compromise a government entity can have catastrophic consequences. Cybersecurity training to avoid cases of negligence errors and proper screening at the time of hiring are essential to prevent such attacks.
The Manufacturing/ Critical Infrastructure sector has also seen a massive increase in attacks over the past few years. Manufacturers are particularly vulnerable to incidents of industrial espionage that aim to compromise their proprietary technology/techniques.
Since the perpetrators of these attacks will aim to sell this data to their competitors and nation-states, the attacks are particularly sophisticated. Implementing a zero-trust architecture is essential to achieve a cyber-resilient ecosystem in this sector.
The next section in the crosshairs of Threat Actors is the BFSI sector. With online and mobile banking becoming increasingly popular with an extremely digitized population, the surface area to secure has become increasingly large for BFSI firms across various apps, platforms, portals, etc.
One of the primary threats they face is Credential Stuffing. While it seems mundane on the surface, involving the use of random credentials till they work, it can be surprisingly effective due to poor password hygiene and lack of awareness.
The final sector we’ll discuss before we jump back to Healthcare is, ironically, the very sector behind the internet – the Technology sector.
Technology firms, particularly those with a public-facing platform, are particularly susceptible to the dreaded Dedicated Denial of Service (DDoS) attacks. These can render an online service, marketplace, or forum inaccessible to users, damaging the revenue, client base, and, most importantly, the reputation of a Tech firm.
Since DDoS attacks and defacement also fit the Modus Operandi of hacktivists globally, tech firms are rapidly taking steps to secure themselves from this threat to whatever degree possible.
Cybersecurity Threats to Healthcare – cause for Concern
Healthcare firms should have a healthy sense of concern for the various cyber threats and hackers whose sole aim is to compromise the integrity of their systems and data. One of the most potent threats to the sector is Ransomware.
While Ransomware has been around for decades, relying on encrypting and stealing a user or organization’s data in return for a “ransom”, it is a particularly potent threat to Healthcare given the large volumes of sensitive health information and financial data that the sector handles daily.
In 2022, ransomware attacks on healthcare firms increased by a staggering 74%, a trend expected to continue into this year and beyond. Healthcare firms should protect their organization and the entire supply chain ecosystem (including third parties and vendors) from this threat.
The growing sophistication and interconnected nature of Medical Devices leave them vulnerable to IoT device hijacking. This common tactic was previously only aimed at smart homes and other IoT gadgets.
It has now grown to target medical devices, wearables, trackers, etc., to harvest user information from them, ostensibly to sell in dark web marketplaces. A 2022 report highlighted that over half the medical devices in use as of 2022 were vulnerable to at least one critical, exploitable vulnerability.
Healthcare firms that manufacture and use these products should ensure that they are secure and that the end-users are appraised of best practices regarding cyber hygiene for the same.
The final threat to healthcare firms may seem obvious and, on the surface, benign, but it has proven extremely effective in the last few years alone – I’m talking about Social Engineering. A 2022 report found that phishing attacks were the most common type of attack carried out against healthcare firms.
Social engineering is a time-tested attack vector that has been in use since the inception of the internet. Phishing scams can trick staff into providing access credentials, leading to unauthorized data access.
Threat Actors try to leverage social engineering in scenarios where they deem their target audiences vulnerable to these types of attacks due to a lack of awareness or training.
A growing reliance on Cloud infrastructure may foster more efficient data sharing and accessibility. However, it has also proved to be a vulnerability that hackers are more than willing to exploit. Around 61% of healthcare respondents experienced attacks on their cloud-based infrastructure in 2022 through vectors such as phishing, ransomware, and other malware.
Closing Thoughts
Cybersecurity is in a state of perpetual flux with every technological leap or geopolitical event. It is often characterized by the emergence of increasingly sophisticated threats and more robust defense mechanisms.
The onus for this is not solely on healthcare providers either. Given the large number of stakeholders involved in the healthcare industries, ranging from patients/caretakers, medical personnel, administrative staff, assorted vendors, and third parties, the industry’s attack surface tends to be much larger than others, creating more threat vectors and increased risk.
Once we factor in the high demand for sensitive medical data and the new tactics and techniques being deployed by Threat Actors, it further complicates an already tricky landscape.
Whether globally or in India, these shifts in the threat landscape demand that we remain vigilant and agile, adapting our cybersecurity strategies to fit the changing landscape. Industries like Government, Manufacturing, BFSI, Technology, and Healthcare each face their own unique set of challenges. However, armed with knowledge and an unwavering commitment to adapt, we can foster a more secure digital environment for everyone.