By Ryan Witt, Healthcare Cybersecurity Leader, Proofpoint
The healthcare industry has long been under attack. Masses of valuable, sensitive data, an often-imperative need for uninterrupted service, and a patchwork of legacy systems make the sector an attractive target for cybercriminals.
Healthcare data is valuable for two reasons. First, Personally Identifiable Information (PII) or Protected Health Information (PHI) provides cybercriminals with a treasure trove for identity theft, making healthcare data arguably more lucrative than financial data.
Secondly, healthcare data is valuable because it can be monetised: people are prepared to pay good money to intercept prescriptions for controlled substances or access intellectual property in the form of clinical research.
Whether through phishing, email compromise, ransomware or any other manner of attack, threat actors are penetrating healthcare’s defences to elicit ransoms, expose personal data, and disrupt infrastructure.
Hospitals and healthcare providers are far from the only ones under attack. Cybercriminals are focusing their efforts on pharmaceutical companies, insurers, training centres, and any other institution likely to hold highly valued sensitive information.
According to Mohamed al-Kuwaiti, head of UAE Government Cyber Security, the country saw a 250% increase in cyberattacks in 2020, mostly from phishing and ransomware incidents. Proofpoint’s UAE CISO Report also pointed out that while organisations in the UAE are aware of the cyber risks, many are not fully prepared. In fact, 59% of respondents cited outdated or insufficient cybersecurity solutions and technology as being one of the biggest cyber risks, and 55% believe that human error and lack of security awareness are a risk factor for their organisation.
Understanding the attackers
Threat actors take a scattergun approach, sending high volumes of attacks to a broad range of organisations. Earlier this year, one such large-scale attacker, TA505, waged an extensive campaign against the healthcare industry, targeting 200,000 malicious messages at pharmaceutical companies. Attacks of this size are not uncommon: TA505 once distributed 50 million malicious attachments in one day.
By contrast, small-scale threat actors do not take a blanket approach, focusing instead on smaller subsectors and verticals. But while their campaigns are less frequent and lower volume, they tend to be more sophisticated.
Attacks on this scale leverage rich healthcare data for greater customisation to the target, incorporating a level of social engineering to trick unwitting victims. Once the mark is convinced, these types of attacks often rely on typo-squatting and key-loggers to collect and sell personal information or credentials.
Understanding the attacked
Building a people-centric cyber strategy starts by identifying those most under attack, the Very Attacked People (VAPs).
With the VAPs identified, CISOs can set about equipping them with the tools and information required to protect your organisation.
This starts with company-wide security awareness training, covering the latest threats, methods, and motives. As well as being able to spot malicious links and suspicious emails, every member of the team should be acutely aware of their role in keeping their organisation safe.
Training should be in-depth, ongoing, and reflect the threats your users will encounter in the wild.
Keeping pace with an evolving threat
It is not enough to secure cloud environments, implement the latest authentication controls, and teach the end users what a phishing email looks like. CISOs must continue to monitor the threat landscape to ensure any protections they put in place remain fit for purpose long into tomorrow.