Attack Surface for Healthcare Firms is Pivoting and Scaling to Considerable Proportions, Report Finds
Despite the well-documented increase in attacks against the healthcare industry during the COVID-19 pandemic, the industry is largely holding up well against cyber criminals. Nevertheless, the necessary and dramatic migration to cloud-based tele-health services will undoubtedly leave the industry more exposed in the future.
Vectra AI, a San Jose, Calif.-based network threat detection and response firm, has analyzed the network behavior of 363 opt-in enterprises in healthcare and eight other industries. It has detected the mass movement of data out of data centers and into the cloud — far more so with healthcare than other industries. This data movement, however, is more consistent with an enterprise-driven migration to the cloud than with criminal activity.
Although Vectra has detected an increase in ‘smash-and-grab’ behavior, where a large volume of data is sent to an external address in a short period of time, this is consistent with a medical device quickly sending large amounts of data to a hosted cloud site. Similarly, there has been an increase in ‘data smuggler’ behavior. This occurs when an internal device consolidates data from multiple sources and then sends it out of the network.
Vectra does not believe that these behaviors are indicative of internal compromise. “Data smuggling behaviors,” notes Vectra in its 2020 Spotlight Report on Healthcare (PDF), “can occur when patient medical records are transferred to cloud storage offerings like Microsoft OneDrive, which is a common requirement for collaborating healthcare professionals.”
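As an added illustration (not Vectra's detection logic, which the report does not disclose), the following constructed Python sketch shows how a defender might flag the two behaviors described above over flow records, and tag whether the destination falls in a sanctioned cloud range, which is what separates a planned migration from a data compromise. The address ranges, thresholds and flow records are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed ranges: RFC 1918 space counts as internal; a TEST-NET block
# stands in for sanctioned cloud storage (placeholder, not a provider range).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SANCTIONED = [ip_network("203.0.113.0/24")]
EPOCH = datetime(1970, 1, 1)

def internal(ip):
    return any(ip_address(ip) in n for n in INTERNAL)

def sanctioned(ip):
    return any(ip_address(ip) in n for n in SANCTIONED)

def smash_and_grab(flows, window=timedelta(minutes=10), threshold=500_000_000):
    """Internal host pushing more than `threshold` bytes to one external address
    within a fixed `window`. Returns (src, dst, bytes, dst_is_sanctioned)."""
    buckets = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        if internal(src) and not internal(dst):
            buckets[(src, dst, (ts - EPOCH) // window)] += nbytes
    return [(src, dst, total, sanctioned(dst))
            for (src, dst, _), total in buckets.items() if total > threshold]

def data_smuggler(flows, min_sources=3):
    """Internal host that first receives from at least `min_sources` other internal
    hosts and afterwards sends to an external address. Returns (src, dst, n_sources)."""
    flows = sorted(flows)
    sources, last_in = defaultdict(set), {}
    for ts, src, dst, _ in flows:
        if internal(src) and internal(dst):
            sources[dst].add(src)
            last_in[dst] = ts
    return [(src, dst, len(sources[src])) for ts, src, dst, _ in flows
            if internal(src) and not internal(dst)
            and len(sources[src]) >= min_sources and ts > last_in[src]]

# Constructed flow records (timestamp, src, dst, bytes), standing in for NetFlow or firewall logs.
def T(minute):
    return datetime(2020, 5, 1, 9, minute)
FLOWS = [
    (T(0), "10.0.1.5", "203.0.113.10", 400_000_000),  # imaging device -> sanctioned cloud
    (T(5), "10.0.1.5", "203.0.113.10", 300_000_000),
    (T(0), "10.0.3.1", "10.0.2.7", 20_000_000),       # workstation gathering from peers...
    (T(1), "10.0.3.2", "10.0.2.7", 20_000_000),
    (T(2), "10.0.3.3", "10.0.2.7", 20_000_000),
    (T(10), "10.0.2.7", "198.51.100.9", 50_000_000),  # ...then pushing to an unsanctioned host
]
```

The volume check uses fixed time buckets, so a burst that straddles a bucket boundary is split; a production detector would use a sliding window and would also tag the sanctioned flag on the smuggler finding.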
In the UK, the National Health Service (NHS) has recently shifted to Microsoft cloud where before it kept all data in house. David Willis, head of cyber, governance and assurance at the Greater Manchester Health and Social Care Partnership, commented, “This year we observed a stark and sudden growth in data movement outside of our organization’s traditional boundaries. That growth is most likely due to how the National Health Service has traditionally worked in siloed data centers behind a firewall and has now shifted to the COVID-19 world of cloud-based collaboration.”
Lateral movement, a more consistent and reliable indication of compromise, is actually trending down within healthcare. “Lateral movement detections,” says Vectra, “the strongest indicator that threats are spreading inside a compromised infrastructure and propagating across internal devices, remain relatively flat with a slight decrease in May.” The slight reduction could be caused by the migration to the cloud. Much lateral movement in healthcare is not actually criminal — it is caused by administrative activity as organizations deal with lean staff, old controls, and unsecured protocols like FTP.
These indicators lead Vectra to conclude that healthcare is now transforming itself as far as possible into an online service, with massive dependence on the cloud. And it is doing so at pace. “Remote access and timely collaboration between clinical administrators, healthcare professionals and researchers,” says Vectra, “could mean the difference between life and death. Cloud benefits, such as scalability and redundancy, are vital in supporting these tools. This trend will most likely persist after the pandemic as we can expect the increased level of remote work to continue.”
The picture painted by Vectra is remarkably upbeat for an industry that has suffered a huge increase in attacks triggered by the pandemic. The World Health Organization (WHO) has reported a five-fold increase in attacks against its staff. Google has said it has detected more than a dozen groups using COVID-19 themes as bait in phishing and malware traps, and that it has seen attacks launched by the Iran-linked threat group named Charming Kitten against medical and healthcare professionals, including employees of the WHO. The DHS and the UK’s NCSC issued a joint statement that APT groups were targeting healthcare’s response supply chain.
Despite this increase in attack activity, Vectra’s research has not detected any corresponding increase in healthcare compromises, suggesting that healthcare’s current security posture is quite strong. The future, however, might not be quite so rosy. “What we are saying,” Vectra’s head of security analytics, Chris Morales, told SecurityWeek, “is that the number of attacks has not had an increase due to COVID-19. But what has increased is the attack surface of unmanaged cloud services in a short period of time.”
This is a concern. Healthcare’s response to the pandemic is a mass migration to cloud services at a speed not conducive to best planning. Mistakes are likely to be made. “The adoption of cloud technology today very well could lead to a data compromise tomorrow,” said Morales. “This is the risk we should be concerned about, and the feedback I have received from my discussions with the security practitioners in healthcare is the same sentiment.”
Vectra was founded in 2010 by James Harlacher, Marc Rogers, and Mark Abene. It raised $100 million in a Series E funding round in June 2019, bringing the total funds raised to date to $222.5 million.