Security Experts:

Connect with us

Hi, what are you looking for?


Cloud Security

Attack Surface Growing for Healthcare Industry

Attack Surface for Healthcare Firms is Pivoting and Scaling to Considerable Proportions, Report Finds

Attack Surface for Healthcare Firms is Pivoting and Scaling to Considerable Proportions, Report Finds

Despite the well-documented increase in attacks against the healthcare industry during the COVID-19 pandemic, the industry is largely coping well against the cyber criminals. Nevertheless, the necessary and dramatic migration to cloud-based tele-health services will undoubtedly leave the industry more exposed in the future.

Vectra AI, a San Jose, Calif-based network threat detection and response firm, has analyzed the network behavior of 363 opt-in enterprises in healthcare and eight other industries. It has detected the mass movement of data out of data centers and into the cloud — far more so with healthcare than other industries. This data movement, however, is more consistent with an enterprise-driven migration to the cloud than to criminal activity.

Although Vectra has detected an increase in ‘smash-and-grab’ behavior, where a large volume of data is sent to an external address in a short period of time, this is consistent with a medical device quickly sending large amounts of data to a hosted cloud site. Similarly, there has been an increase in ‘data smuggler’ behavior. This occurs when an internal device consolidates data from multiple sources and then sends it out of the network.

Vectra does not believe that these behaviors are indicative of internal compromise. “Data smuggling behaviors,” notes Vectra in its 2020 Spotlight Report on Healthcare (PDF), “can occur when patient medical records are transferred to cloud storage offerings like Microsoft OneDrive, which is a common requirement for collaborating healthcare professionals.”

In the UK, the National Health Service (NHS) has recently shifted to Microsoft cloud where before it kept all data in house. David Willis, head of cyber, governance and assurance at the Greater Manchester Health and Social Care Partnership, commented, “This year we observed a stark and sudden growth in data movement outside of our organization’s traditional boundaries. That growth is most likely due to how the National Health Service has traditionally worked in siloed data centers behind a firewall and has now shifted to the COVID-19 world of cloud-based collaboration.”

Lateral movement, a more consistent and reliable indication of compromise, is actually trending down within healthcare. “Lateral movement detections,” Says Vectra, “the strongest indicator that threats are spreading inside a compromised infrastructure and propagating across internal devices, remain relatively flat with a slight decrease in May.” The slight reduction could be caused by the migration to the cloud. Much lateral movement in healthcare is not actually criminal — it is caused by administrative activity as organizations deal with lean staff, old controls, and unsecured protocols like FTP.

These indicators lead Vectra to conclude that Healthcare is now transforming itself as far as possible into an online service, with massive dependence on the cloud. And it is doing so at pace. “Remote access and timely collaboration between clinical administrators, healthcare professionals and researchers,” says Vectra, “could mean the difference between life and death. Cloud benefits, such as scalability and redundancy, are vital in supporting these tools. This trend will mostly likely persist after the pandemic as we can expect the increased level of remote work to continue.”

The picture painted by Vectra is remarkably upbeat for an industry that has suffered a huge increase in attacks triggered by the pandemic. The World Health Organization (WHO) has reported a five-fold increase in attacks against its staff. Google has said it has detected more than a dozen groups using COVID-19 themes as bait in phishing and malware traps, and that it has seen attacks launched by the Iran-linked threat group named Charming Kitten against medical and healthcare professionals, including employees of the WHO. The DHS and the UK’s NCSC issued a joint statement that APT groups were targeting healthcare’s response supply chain.

Despite this increase in attack activity, Vectra’s research has not detected any corresponding increase in healthcare compromises, suggesting that healthcare’s current security posture is quite strong. The future, however, might not be quite so rosy. “What we are saying,” Vectra’s head of security analytics, Chris Morales, told SecurityWeek, “is that the number of attacks has not had an increase due to COVID-19. But what has increased is the attack surface of unmanaged cloud services in a short period of time.”

This is a concern. Healthcare’s response to the pandemic is a mass migration to cloud services at a speed not conducive to best planning. Mistakes are likely to be made. “The adoption of cloud technology today very well could lead to a data compromise tomorrow,” said Morales. “This is the risk we should be concerned about, and the feedback I have received from my discussions with the security practitioners in healthcare is the same sentiment.”

Vectra was founded in 2010 by James Harlacher, Marc Rogers, and Mark Abene. It raised $100 million in a Series E funding round in June 2019, bringing the total funds raised to date to $222.5 million.

Related: Misconfigured Public Cloud Databases Attacked Within Hours of Deployment 

Related: NSA Shares Guidance on Mitigating Cloud Vulnerabilities 

Related: Reconnaissance, Lateral Movement Soar in Manufacturing Industry 

Related: Salesforce Ventures Investment Values Tanium at $9 Billion

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.