In late October 2020, the FBI and US-CERT issued a joint statement detailing an imminent ransomware threat targeting hospitals and the US healthcare system.
The threat was first uncovered by security researchers from Hold Security, which found that over 400 hospitals were the likely targets of a Russia-based organized crime group with a strong track record of success.
So far, a string of attacks has been uncovered, but it's not entirely clear whether these attacks are connected to the effort that prompted the warning. Either way, hospital executives should be on edge. A coordinated cyber-attack could not come at a worse time, and individual attacks have already shown just how disruptive they can be.
With that in mind, I think it's worth highlighting some new statistics about cybersecurity in the healthcare industry that underscore just how dire the situation is, and how it is getting better.
The statistics come from the well-regarded researchers at the Cyentia Institute, using data from Kenna Security. They paint a picture of an industry that is far behind others in its cybersecurity efforts, but working hard to catch up.
The data shows that IT assets in a healthcare organization - that’s everything from PCs and laptops to servers and routers - have approximately 34 open vulnerabilities. In other industries, that average is just seven.
And new vulnerabilities are added every day. Healthcare organizations manage to patch about 50 vulnerabilities in 50 days. That is slower than other industries, but still a real effort given the large number of vulnerabilities on their systems.
In theory, these numbers might be manageable. Hospitals don't necessarily need to patch every vulnerability on their systems, because only a small number of high-risk vulnerabilities are actually exploited by organized criminal groups. On average, healthcare organizations close about 75% of those high-risk vulnerabilities. Of the 14 sectors that Cyentia analyzed, that puts healthcare about the middle of the pack, behind perennially lagging sectors like education.
To a certain extent, there are few surprises in these statistics. Just about every company struggles to patch vulnerabilities. Healthcare just happens to be an extreme example.
So, how did it get in this position?
The source of the healthcare industry's troubles lies in the very features that used to insulate it from cybersecurity threats. Financial institutions tend to have very robust cybersecurity teams, mostly because, when it comes to hacking, that's where the money is. Stealing credit card numbers and banking information can be quite lucrative.
To a cyber-criminal, there hasn't historically been much value in your MRI readings and lab results. Sure, there are shady brokers that will buy this information, but that market is significantly smaller. Because of this, hospitals haven't felt the extreme pressure to institute major information security programs that financial institutions have. Ransomware changes that calculus: the attacker monetizes the disruption itself rather than the data, and a hospital that cannot reach its patient records is under enormous pressure to pay.
A second driver of cybersecurity risk at healthcare organizations is the IT asset mix. Hospitals and pharmacies use a lot of PCs and other general-purpose business machines. These are the very types of machines that the handful of cyber-criminals capable of developing new exploits tend to target, because one exploit works against a huge installed base.
So what can healthcare organizations do?
First, patch vulnerabilities according to their actual risk. Vulnerabilities with publicly available exploit code, or that allow remote code execution, are far more likely to be used in an attack. Consider looking beyond common ranking systems like the Common Vulnerability Scoring System (CVSS). Many organizations patch every vulnerability with a high CVSS score, but CVSS measures severity, not the likelihood that anyone will exploit the flaw; following it alone leads organizations to miss risky vulnerabilities while spending effort on holes that nobody is attacking. A data-driven approach, using exploit availability and observed exploitation to guide these decisions, is best, because there is a lot of room for error.
Also remember there's more than one way to lower the risk of a vulnerability. Upstream controls can be your friend: if you aren't using the service, turn it off, and controls at the application and network layers can keep a vulnerable service from being reachable remotely at all. Legacy systems aren't the core of healthcare's problem, but they are a significant part of it. There are a lot of bespoke, mission-critical applications running on old desktops and Windows 7 machines, and some of these applications are no longer supported by their publishers, so no patch is coming. To the extent that your organization has these types of assets, keep them off the internet and segmented from the rest of the network.
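The two recommendations above (rank by exploitability and exposure rather than CVSS alone, and treat an upstream control or network isolation as a valid way to lower risk) can be made concrete with a small prioritization routine. The block below is an added example written for this page; it is not code from the original post and not Cyentia's or Kenna's model. The vulnerability records, host names, identifiers and scoring weights are all constructed assumptions, chosen so that the difference between a CVSS-only ordering and a risk-based ordering is visible.

```python
"""
Risk-based patch prioritisation, as an added illustration (not code from the
original post, and not Cyentia's or Kenna's model).  The vulnerability
records, host names, identifiers and scoring weights are all constructed
assumptions chosen to make the CVSS-versus-risk contrast visible.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Vuln:
    vuln_id: str                 # constructed label, not a real CVE identifier
    host: str                    # constructed host name
    cvss: float                  # CVSS base score (0-10): severity, not likelihood
    exploit_public: bool         # working exploit code is publicly available
    rce: bool                    # vulnerability allows remote code execution
    internet_facing: bool        # the vulnerable service is reachable from the internet
    unsupported_os: bool         # platform past vendor support (e.g. Windows 7)
    patch_available: bool        # the publisher still ships a fix
    compensating_control: bool   # service disabled or filtered upstream already


# Constructed sample inventory; none of these are real findings.
SAMPLE: List[Vuln] = [
    Vuln("vuln-001", "billing-web-01", 9.8, True,  True,  True,  False, True,  False),
    Vuln("vuln-002", "lab-pc-07",      7.5, True,  True,  False, True,  False, False),
    Vuln("vuln-003", "hr-db-02",       9.1, False, False, False, False, True,  True),
    Vuln("vuln-004", "vpn-gw-01",      6.5, True,  False, True,  False, True,  False),
    Vuln("vuln-005", "imaging-ws-03",  8.8, False, True,  False, True,  False, True),
]


def risk_score(v: Vuln) -> float:
    """Weighted score in which exploitability and exposure outweigh raw severity.

    The weights are assumptions for illustration; a real programme would fit
    them to exploitation data rather than pick them by hand.
    """
    score = v.cvss / 10.0            # severity as a weak prior, scaled to 0..1
    if v.exploit_public:
        score += 2.0                 # public exploit code: the strongest single signal
    if v.rce:
        score += 1.0                 # remote code execution is what ransomware needs
    if v.internet_facing:
        score += 1.5                 # reachable by anyone, not just an insider
    if v.unsupported_os:
        score += 0.5                 # no fix is coming, so exposure only grows
    if v.compensating_control:
        score *= 0.25                # upstream control removes most of the reachability
    return score


def prioritize(vulns: List[Vuln], by_cvss: bool = False) -> List[Vuln]:
    """Return the inventory in patch order, highest priority first."""
    key = (lambda v: v.cvss) if by_cvss else risk_score
    return sorted(vulns, key=key, reverse=True)


def recommend(v: Vuln) -> str:
    """Pick the action: patch now, isolate, or leave to the normal cycle."""
    if v.compensating_control:
        return ("already mitigated upstream; patch in the normal cycle"
                if v.patch_available else "already mitigated upstream; keep it isolated")
    if not v.patch_available:
        # Unsupported platform: nothing to patch, so remove reachability instead.
        return "no vendor patch: take it off the internet and filter at the network layer"
    if v.internet_facing and (v.exploit_public or v.rce):
        return "patch now"
    return "patch in the normal cycle"


if __name__ == "__main__":
    print("risk order :", [v.vuln_id for v in prioritize(SAMPLE)])
    print("cvss order :", [v.vuln_id for v in prioritize(SAMPLE, by_cvss=True)])
    for v in prioritize(SAMPLE):
        print(f"{v.vuln_id} {v.host:15} cvss={v.cvss:<4} "
              f"risk={risk_score(v):.2f}  -> {recommend(v)}")
```

Run as a script, the CVSS ordering puts the 9.1 database flaw second even though it has no public exploit and is already filtered upstream, while the risk ordering drops it to last and moves the 6.5 VPN gateway flaw (public exploit, internet-facing) into the top three. The unsupported Windows 7 lab PC scores high because the exploit is public and nothing will ever patch it, and the recommendation for it is isolation rather than a patch that does not exist.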
The good news is that some healthcare organizations are catching up. Cyentia's review of the industry found that healthcare organizations can make meaningful improvements to their security posture and reduce risk. That's a remarkable feat considering the size of the vulnerability debt many hospitals and other healthcare organizations have traditionally faced.