Gil Kirkpatrick

In the healthcare industry, cybersecurity issues have consequences that go well beyond the loss of data. Recently, the FBI and other federal agencies warned of a credible threat of “increased and imminent cybercrime” to U.S. hospitals and healthcare providers. Criminal groups target the healthcare sector to carry out “data theft and disruption of healthcare services.” 

Earlier this year, a ransomware attack against a hospital in Germany showed just how dangerous cyberattacks really are. According to news reports, a patient at University Hospital Düsseldorf died after a ransomware attack that crippled the hospital’s IT systems and forced doctors to transfer her to another facility. 

In the U.S., Universal Health Services (UHS) confirmed on Oct. 3 that a ransomware attack in late September affected all of its U.S. care sites and hospitals, forcing it to disconnect systems and shut down its network temporarily. Though there is evidence that the number of data breaches in the industry declined during the first half of 2020 compared to the latter half of 2019, ransomware events in healthcare increased dramatically. Managing cybersecurity for health institutions is not getting easier. With that prognosis, the healthcare industry needs to rethink security by focusing on access and identity. 

So, what action can defenders take to avoid becoming a victim of ransomware? I had the privilege of joining Scott Breece, CISO at Community Health Systems, Thursday, November 19, for a candid discussion and audience Q&A. We covered the NIST Cybersecurity Framework, managing multiple identity systems in healthcare IT environments, and of course, ransomware. You’re welcome to tune in.

The case for Zero Trust 

Even before the COVID-19 pandemic increased the strain on hospitals and medical clinics, managing security in the healthcare industry was complex. Maintaining compliance with regulatory requirements like HIPAA, HITECH, SOX, PCI, and others is just one challenge for IT. Another, less often cited, challenge is the amount of staff turnover, accompanied by the reality that incoming replacements have to be onboarded and trained. Then there is the relatively high number of mergers and acquisitions (M&A), each bringing an acquired IT estate that the IT organization has to fold into its existing infrastructure.

Adding to the mix, the growing adoption of telehealth services presents a new attack vector. According to a report from Security Scorecard and DarkOwl, as telehealth use has grown, targeted attacks against telehealth vendors have skyrocketed as well. Some of the more prominent issues uncovered in the report were weaknesses in endpoint security and exposed FTP and RDP services. Additionally, research from DarkOwl revealed the emergence of threat actors selling electronic healthcare records (EHR), malware toolkits specifically designed to target telehealth technologies, and ransomware configured to take down healthcare infrastructure.

This reality has led many organizations to look toward Zero Trust architectures as a solution. Trust is a precious commodity in IT, too precious to grant blindly in an environment where many endpoints are unpatched and unmanaged. Many of these are personal and mobile devices that must share data to serve patients effectively. Yet, due to the prospect of phishing, ransomware, and other attacks, it cannot simply be assumed that a device is safe just because it is behind the firewall. Each operation from each device needs to be assessed and appropriately authenticated and authorized.  

When implemented properly, Zero Trust reduces the scope of compromise after a successful breach. It does this by requiring a distinct authorization step for each application transaction, with additional authentication of the user and device as determined by the operation’s sensitivity and context. Implementation of these additional steps can occur within the application itself, within the underlying software infrastructure, e.g., the identity platform, or even within the networking fabric via micro-segmentation. The challenge with Zero Trust is ensuring sufficient authorization and authentication while not destroying the application’s performance or usability. 
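The per-transaction check described above, written out as an added example (this is illustrative code, not from the original post or any product). The role names, operations, sensitivity levels and thresholds are assumptions chosen to show the mechanism: every request is evaluated on its own, the operation's sensitivity is raised by context (here, an untrusted network), device posture and authentication strength are required in proportion, and an insufficient authentication strength produces a step-up request rather than a hard deny, which is what keeps the usability cost bounded.

```python
"""Added example: a per-transaction Zero Trust authorization check that scales
the required user authentication and device posture with the operation's
sensitivity and context. Roles, operations and thresholds are illustrative
assumptions, not taken from any product."""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    LOW = 1     # e.g. view a schedule
    MEDIUM = 2  # e.g. read a patient chart
    HIGH = 3    # e.g. export records or change orders


class AuthStrength(IntEnum):
    PASSWORD = 1
    MFA = 2


@dataclass(frozen=True)
class Device:
    managed: bool   # enrolled in device management
    patched: bool   # passed its most recent posture check


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    auth: AuthStrength
    device: Device
    operation: str
    trusted_network: bool   # context: on the clinical network vs. remote/unknown


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    step_up: bool = False   # caller should prompt for MFA and resubmit


# Hypothetical mapping of operation -> (permitted roles, base sensitivity)
OPERATIONS = {
    "view_schedule": ({"clinician", "clerk"}, Sensitivity.LOW),
    "read_chart": ({"clinician"}, Sensitivity.MEDIUM),
    "export_records": ({"records_admin"}, Sensitivity.HIGH),
}


def effective_sensitivity(base: Sensitivity, trusted_network: bool) -> Sensitivity:
    """Context raises the bar: the same operation from an untrusted network
    is treated one level higher, capped at HIGH."""
    if trusted_network:
        return base
    return Sensitivity(min(base + 1, Sensitivity.HIGH))


def authorize(req: Request) -> Decision:
    """Evaluated on every transaction; nothing is inherited from a prior call."""
    if req.operation not in OPERATIONS:
        return Decision(False, f"unknown operation {req.operation}")
    roles, base = OPERATIONS[req.operation]
    # 1. Coarse authorization: does any of the user's roles permit this operation?
    if not (req.roles & roles):
        return Decision(False, f"{req.user} has no role permitting {req.operation}")
    level = effective_sensitivity(base, req.trusted_network)
    # 2. Device posture: MEDIUM needs a managed device, HIGH a managed and patched one.
    if level >= Sensitivity.MEDIUM and not req.device.managed:
        return Decision(False, f"{level.name} operation refused from unmanaged device")
    if level == Sensitivity.HIGH and not req.device.patched:
        return Decision(False, "device failed posture check for HIGH operation")
    # 3. Authentication strength: HIGH needs MFA; anything less is a step-up, not a deny.
    if level == Sensitivity.HIGH and req.auth < AuthStrength.MFA:
        return Decision(False, "MFA required for this operation", step_up=True)
    return Decision(True, f"{req.operation} allowed at {level.name}")


if __name__ == "__main__":
    dev = Device(managed=True, patched=True)
    clinician = frozenset({"clinician"})
    # Same user, same operation: on-site it passes with a password, remotely it needs MFA.
    print(authorize(Request("dr.lee", clinician, AuthStrength.PASSWORD, dev, "read_chart", True)))
    print(authorize(Request("dr.lee", clinician, AuthStrength.PASSWORD, dev, "read_chart", False)))
```

The design point is in the last two checks: posture failures are hard denies because the device cannot fix itself mid-transaction, while an authentication shortfall returns `step_up=True` so the application can prompt for MFA and resubmit the same request instead of failing the user's workflow.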

Focus on securing Active Directory 

For almost all enterprises, the underlying “source of truth” for both legacy and Zero Trust authentication and authorization is still Active Directory. Active Directory holds the user and machine identities, credentials, policies, and permissions used across most, if not all, on-premises systems. Finally, Active Directory also feeds identity data to external cloud identity services.

Keeping Active Directory secure is vital to limit the impact of ransomware and other integrity attacks on enterprise systems. Ransomware attacks evolve rapidly and have grown more sophisticated even in just the last six months. Threat actors try to steal data and exploit Active Directory to maintain persistence and spread ransomware throughout the environment. Hardening Active Directory and making it more resilient to attacks is a significant undertaking, but dividing the problem into improvements that apply before, during, and after an attack can simplify the process.

As the Zerologon vulnerability (CVE-2020-1472) demonstrates, Active Directory is susceptible to threat actors looking to escalate privileges: an attacker who already has network access to a domain controller can use the Netlogon flaw to take over the domain without any credentials. Timely patching, continuous assessment of Active Directory configuration, and monitoring of object and attribute changes at the directory level reduce a threat actor’s ability to turn an initial foothold inside your network into domain-wide control.

If an attacker does get an initial presence in your network, it’s imperative that you have systems in place to detect malicious activity and reverse any changes to Active Directory that the attacker might make. For instance, attackers will often grant elevated privileges to compromised user accounts by modifying group memberships or the SIDHistory attribute. SIDHistory is only legitimately written during domain migrations, so any addition outside a planned migration window deserves immediate review. Detecting these changes and automatically reverting them reduces an attacker’s ability to move laterally and compromise additional systems.
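The detection-and-revert idea from the two paragraphs above, as an added example (not code from the original post or any product). It runs over constructed, simplified Windows Security log records: event IDs 4728, 4732 and 4756 (member added to a security-enabled global, local or universal group) and 4765 (SID History added to an account) are Microsoft's, as are the well-known RIDs and builtin SIDs used to recognise privileged groups; the domain SID, account names, field names and the approved-change allowlist are assumptions for the example. The PowerShell revert text it emits is illustrative; in particular the `Set-ADUser -Remove` form for clearing a sIDHistory value is an assumption to verify in your environment.

```python
"""Added example: flag privilege grants in Windows Security event records
(group-membership adds and SIDHistory injection) and produce a revert plan.
Event IDs and well-known SIDs/RIDs are from Microsoft documentation; the
event records, account names and field names below are constructed."""
from dataclasses import dataclass
from typing import Iterable

# Privileged groups identified by well-known RID (domain groups) or full SID (builtin).
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}
PRIVILEGED_BUILTIN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-551": "Backup Operators",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to a security-enabled group
SIDHISTORY_ADDED = 4765                  # SID History was added to an account


def privileged_name(sid: str):
    """Return the group's name if the SID denotes a privileged group, else None."""
    if sid in PRIVILEGED_BUILTIN:
        return PRIVILEGED_BUILTIN[sid]
    rid = sid.rsplit("-", 1)[-1]
    return PRIVILEGED_RIDS.get(int(rid)) if rid.isdigit() else None


@dataclass(frozen=True)
class Finding:
    kind: str      # "group_add" or "sidhistory_add"
    account: str   # account that gained privilege
    grant: str     # privileged group or injected SID
    actor: str     # account that made the change
    revert: str    # remediation to apply (PowerShell shown as illustration)


def analyze(events: Iterable[dict], approved=frozenset()) -> list:
    """approved: (kind, account, grant) tuples tied to a change ticket; every
    other change that confers privilege is reported with a revert action."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid in GROUP_ADD_EVENTS:
            group = privileged_name(ev["TargetSid"])
            if group is None:
                continue   # membership change to a non-privileged group
            if ("group_add", ev["MemberName"], group) in approved:
                continue
            findings.append(Finding(
                "group_add", ev["MemberName"], group, ev["SubjectUserName"],
                f'Remove-ADGroupMember -Identity "{group}" -Members "{ev["MemberName"]}" -Confirm:$false'))
        elif eid == SIDHISTORY_ADDED:
            # SIDHistory is only legitimately written during migrations: every
            # addition outside an approved one is a finding, whatever the SID.
            for sid in ev["SidList"]:
                if ("sidhistory_add", ev["TargetUserName"], sid) in approved:
                    continue
                label = privileged_name(sid) or "non-privileged SID"
                findings.append(Finding(
                    "sidhistory_add", ev["TargetUserName"], f"{sid} ({label})", ev["SubjectUserName"],
                    # Assumed cmdlet form for clearing one sIDHistory value; verify before use.
                    f'Set-ADUser -Identity "{ev["TargetUserName"]}" -Remove @{{sIDHistory="{sid}"}}'))
    return findings


DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"   # constructed domain SID

SAMPLE_EVENTS = [  # constructed, simplified Security log records
    {"EventID": 4728, "SubjectUserName": "helpdesk.admin", "TargetSid": "S-1-5-32-555",
     "MemberName": "CN=nurse01,OU=Staff,DC=hospital,DC=local"},      # Remote Desktop Users: benign
    {"EventID": 4728, "SubjectUserName": "svc_backup", "TargetSid": f"{DOMAIN}-512",
     "MemberName": "CN=jdoe,OU=Staff,DC=hospital,DC=local"},         # Domain Admins: finding
    {"EventID": 4732, "SubjectUserName": "it.lead", "TargetSid": "S-1-5-32-544",
     "MemberName": "CN=it.oncall,OU=IT,DC=hospital,DC=local"},       # Administrators: approved below
    {"EventID": 4765, "SubjectUserName": "svc_backup", "TargetUserName": "contractor7",
     "SidList": [f"{DOMAIN}-519"]},                                  # Enterprise Admins via SIDHistory
]
APPROVED = frozenset({("group_add", "CN=it.oncall,OU=IT,DC=hospital,DC=local", "Administrators")})


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, APPROVED):
        print(f"[{f.kind}] {f.account} gained {f.grant} via {f.actor}\n    revert: {f.revert}")
```

Two things to notice: the allowlist is keyed on the specific (account, grant) pair, so a change ticket approving one admin's membership does not silence a different account being added to the same group; and SIDHistory additions are reported even when the injected SID is not privileged, because the attribute is only touched during migrations and an unexpected write is itself the signal. A service account such as `svc_backup` performing either change is exactly the pattern the paragraph describes.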

In the event that an attacker does manage to completely compromise your Active Directory through ransomware or wiperware, you must have the ability to recover from backup quickly and reliably. The recovery process should be highly automated and capable of restoring Active Directory only onto cleanly installed Windows servers known to be free of malware in their system binaries; restoring onto the original, possibly still-infected, domain controllers risks handing the environment straight back to the attacker.

Cure for the common compromise 

There may not be a cure for the common cold, but there is a way to defend against the types of attacks targeting the healthcare vertical. By leveraging a Zero Trust approach and protecting Active Directory, organizations can improve their security posture and reduce their risk level.

Scott Breece, CISO at Community Health Systems, and I recently chatted about the unique challenges that healthcare CISOs and others securing the front line face every day.

Watch the session at https://bit.ly/3mBYC5x.