Security experts already know that healthcare is a soft target for hackers. New data shows that ransomware is the vector of choice, and VPNs are the target.
It is a known fact that the healthcare industry is a soft target for bad actors and nation states. It is also known that the most-used vector of attack in healthcare is ransomware. The most common way ransomware is introduced into a business network is phishing: an unsuspecting employee clicks a bad link in an email, which allows the malware to be installed. When attacks happen, we often hear about those things but not about what the malware is designed to attack. Recently, Tenable, an 18-year-old cybersecurity company, published its 2020 Threat Landscape Retrospective, which contains some startling information. Almost half of all healthcare data breaches are due to ransomware, and one of the key methods of gaining access to a hospital is exploiting VPN vulnerabilities.
In the past, a VPN vulnerability may not have caused a lot of concern for a hospital. Most of its employees are in-house and do not log in through the VPN. However, in 2020, the entire threat landscape changed with the arrival of COVID-19 and the shift to remote work. The VPN vulnerabilities mentioned in the report are in the Citrix ADC controller, which also affects Citrix Gateway hosts (CVE-2019-19781), and in Pulse Connect Secure (CVE-2019-11510).
Take note of those CVE numbers: they were known issues discovered in 2019, which means that the facilities using those VPNs had already been told about the problems. Patches for those vulnerabilities were also already available, which means those facilities had the fix in their hands and never applied it. That is not a hit at those facilities per se, but it should be a giant wake-up call. Leaving those vulnerabilities unfixed has allowed threat actors to exploit them, and they will continue to do so until the fix is applied.
According to the Tenable report, the healthcare industry accounted for over 24% of all breaches in 2020, followed by technology (15.5%), education (13%) and government (12.5%). There were 11 industries included in the report, yet these four account for over 65% of all breaches in 2020.
Still, the primary focus seems to be on healthcare, largely because it is one of the easiest industries to target. As stated above, 46% of all healthcare breaches are due to ransomware, and the next closest cause is email compromise (nearly 25%). So there are three takeaways for those in healthcare:
- Security patching must happen as soon as the information is received.
- All facilities need to review cybersecurity and cyber-hygiene best practices with employees.
- InfoSec budgets must be adjusted.
“As the attack surface expands, vulnerability management has a central role to play in modern cybersecurity strategies. Unpatched vulnerabilities leave sensitive data and critical business systems exposed, and represent lucrative opportunities for ransomware actors. Modern vulnerability management requires identifying unnecessary services and software, limiting third-party code, implementing a secure software development lifecycle and practicing accurate asset detection across your entire attack surface, including information technology, operational technology and internet of things, regardless of whether they reside in the cloud or on premises,” said Renaud Deraison, co-founder and chief technology officer at Tenable.
It is incredibly important for the softer industries like healthcare and education to take a serious look at their InfoSec budgets. Funds are limited in these two industries, so allocation can be difficult. But no business in these industries can function without security, because breaking compliance guidelines ends up costing far more in fines than having the security in the first place. With healthcare accounting for over 8 million exposed records, it is even more imperative for those facilities to buckle down.
The first step is to apply those patches. More employees will continue to work from home, even after the pandemic, simply because it is more convenient for everyone. Those VPNs are vital to the security of your facility, but if they carry a vulnerability, they pose an inherent risk. Apply the patches. Because both of these vulnerabilities were being exploited long before many organizations patched, a late patch should be paired with a check for signs of earlier compromise on the VPN appliance. While that is happening, re-train all employees and bring them up to speed on cybersecurity. Teach them their role and how everyone carries the responsibility on their shoulders. Plan regular training updates, too. While those things are happening, crunch the numbers and see where you can pull more funds for your InfoSec team in 2021.
Don’t fall prey to the next onslaught of ransomware. There will definitely be more of the old strains floating around looking for those vulnerabilities, and there will be new ones developed as those vulnerabilities change. Apply your patches immediately, every time. Security cannot wait until later!